Equipment Siting and Protection
Ensure equipment is placed safely to prevent damage or unauthorised access.
Plain language
This control is about making sure that the places where your equipment is kept are safe and secure. It matters because if equipment is damaged, stolen, or accessed by unauthorised people, it can lead to data loss or breaches, which can harm your business and your customers' trust.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Physical controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Equipment shall be sited securely and protected.
Why it matters
Unsecured equipment can lead to data breaches from theft or tampering, damaging reputation and eroding customer trust.
Operational notes
Regularly verify equipment is sited in secure areas; check for tampering and exposure to heat, moisture, dust and power issues.
Implementation tips
- The IT Manager should ensure proper placement of all equipment by assessing each room where it is located. This involves checking that equipment is positioned to prevent unnecessary foot traffic and that unauthorised people can't easily access it. Use physical barriers like locked doors or access cards to restrict entry.
- The Facilities Manager should evaluate environmental factors that could affect equipment safety. This means monitoring things like temperature and humidity as well as installing protections against fire and water damage. Consider getting equipment that monitors environmental conditions too.
- HR and IT should work together to educate staff on proper conduct near sensitive equipment. This includes creating guidelines that prohibit eating, drinking, and smoking around important devices to avoid accidents. Reinforce these rules during regular staff meetings.
- The IT team should implement protection measures against electrical and communication risks. Install surge protectors and ensure there is lightning protection for buildings. For extra safety, ensure that all incoming power and communication lines have adequate shielding against interference.
- Procurement should assess the needs for durable equipment in harsh environments. If your equipment is placed in industrial settings, consider using specialised protective gear like keyboard covers or equipment enclosures that guard against dust and vibrations.
Audit / evidence tips
- Ask: Request the building layout or floor plans showing equipment locations.
  Good: Plans that clearly outline restricted zones and access control measures in place.
- Ask: Request records of environmental monitoring logs.
  Good: Consistent records over time showing that conditions are within safe operational ranges.
- Ask: Ask for security policy documents related to workplace conduct around equipment.
  Good: Clear and specific guidelines that have been communicated to all relevant staff.
- Ask: Request evidence of power and communication protection measures.
  Good: Detailed inventory or records of such protective installations at all appropriate locations.
- Ask: Inquire about the protective measures for equipment in industrial environments.
  Good: Records showing that necessary protective gear is purchased and utilised where needed.
Cross-framework mappings
How Annex A 7.8 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (5) | | |
| ISM-0194 | ISM-0194 requires tamper-evident sealing of conduit joints (including TOP SECRET conduits) in shared facilities to protect physical pathw... | |
| ISM-1036 | ISM-1036 requires multifunction devices (MFDs) to be located in areas where their use can be observed to provide day-to-day oversight and... | |
| ISM-1109 | ISM-1109 requires wall outlet box covers to be clear plastic so the contents of the outlet box can be visually inspected for tampering or... | |
| ISM-1116 | ISM-1116 requires organisations to maintain a visible physical gap between TOP SECRET cabinets and non-TOP SECRET cabinets to reduce the ... | |
| ISM-1296 | ISM-1296 requires physical security to protect network devices in public areas against tampering, theft, or damage | |
| Partially overlaps (14) | | |
| ISM-0161 | ISM-0161 requires IT equipment and media to be physically secured when not in use to prevent unauthorised access | |
| ISM-0164 | ISM-0164 requires preventing unauthorised people from observing workstation displays and keyboards within facilities | |
| ISM-0216 | Annex A 7.8 requires equipment to be securely sited and protected from unauthorised access and damage | |
| ISM-0735 | ISM-0735 requires classified systems to be kept in secure locations appropriate to their classification level, addressing the physical pr... | |
| ISM-0810 | Annex A 7.8 requires secure siting and protection of equipment to prevent physical compromise | |
| ISM-0813 | Annex A 7.8 requires secure siting and physical protection of equipment to prevent unauthorised access or interference | |
| ISM-0870 | ISM-0870 requires mobile devices to be carried or stored in a secured state when not being actively used to prevent unauthorised access | |
| ISM-0871 | ISM-0871 requires mobile devices to be kept under continual direct supervision when they are being actively used to prevent loss or theft | |
| ISM-1053 | Annex A 7.8 requires equipment to be sited securely and protected to reduce physical threats and unauthorised access | |
| ISM-1074 | Annex A 7.8 requires equipment to be positioned and protected to reduce unauthorised access and physical harm | |
| ISM-1119 | ISM-1119 requires that cables in TOP SECRET areas are fully inspectable for their entire length to make tampering or illicit taps detectable | |
| ISM-1973 | Annex A 7.8 requires equipment to be placed in secure locations and protected from unauthorised access and physical/environmental harm | |
| ISM-1974 | Annex A 7.8 requires that equipment is securely placed and physically protected | |
| ISM-1975 | Annex A 7.8 requires equipment to be sited securely and protected to reduce unauthorised access and physical compromise | |
| Supports (3) | | |
| ISM-0345 | ISM-0345 requires disabling external interfaces that permit DMA to prevent memory compromise through attached peripherals | |
| ISM-1599 | ISM-1599 requires IT equipment to be handled based on its sensitivity or classification | |
| ISM-1721 | ISM-1721's requirement for red colouring on TOP SECRET outlet boxes aids in their clear identification, preventing accidental misuse | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.