Zum Hauptinhalt springen
CENEDRIL WIKI
DE
Elementary Threat · BSI IT-Grundschutz

G 0.1 — Fire

Updated on 4 min Reviewed by: Cenedril Editorial
A.7.1A.7.4A.7.5A.7.10A.7.11A.7.12A.7.13A.8.13A.8.14 BSI IT-GrundschutzISO 27001ISO 27002

In a mid-sized logistics company a faulty power strip under a desk triggers a smouldering fire at night. By the time the fire brigade arrives, the fire has spread through the raised floor into the adjacent server room. Extinguishing takes two hours — the collateral damage from extinguishing water and smoke gases exceeds the actual fire damage many times over.

Fire is one of the oldest and most devastating threats to buildings, people and IT infrastructure. The BSI lists it as elementary threat G 0.1 in the IT-Grundschutz catalogue. A fire’s destructive force unfolds through several channels simultaneously: flames, heat, smoke, corrosive gases and extinguishing water.

What’s behind it?

A fire in IT-relevant areas produces damage on several levels at once. The visible destruction by flames is often only the beginning.

Extinguishing water frequently causes more damage in IT environments than the fire itself. It flows through cable ducts and raised floors into lower storeys, causes short circuits and renders equipment unusable that the fire never touched. Sprinkler systems are designed for office environments — in server rooms they can multiply the damage.

Causes of fire

  • Technical defects — Overloaded power strips, faulty power supplies, aged cables with brittle insulation. Electrical defects are the most common cause of fire in commercial buildings.
  • Negligence — Unattended coffee machines, fan heaters next to combustible material, welding and soldering work without permits. Everyday carelessness leads to avoidable fires.
  • Structural deficiencies — Wedged-open fire doors, missing fire stops on cable trays, combustible insulation materials. Any single deficiency can allow a fire to spread beyond its intended compartment.
  • Arson — Rarer, but with potentially catastrophic impact when an attacker deliberately targets critical infrastructure.

Impact

Burning PVC cable sheathing produces chlorine gases. Combined with humidity, hydrochloric acid vapours form and can travel through air-conditioning ducts into far-flung parts of the building. Sensitive electronics corrode within hours — even in rooms a hundred metres from the seat of the fire. Soot particles settle on circuit boards and contacts and lead to long-term failures.

Practical examples

Smouldering fire from a small appliance. A privately brought fan heater is left on overnight in an office building. Its overheating protection is defective. Around midnight a stack of paper next to the device ignites. The smoke detector triggers, but by the time the security service arrives the fire has spread to the neighbouring technical room. Three servers and the central network distributor are destroyed — recovery takes two weeks.

Extinguishing water in the basement distribution. A fire in the canteen of an administrative building is quickly extinguished. The flames never reached the server room two storeys below. The extinguishing water did: it flows through cable ducts into the basement and floods the main electrical distribution. The entire IT operation fails because a full electrical inspection is required before power can be restored.

Permanently wedged fire door. In a data centre the fire doors between two server rooms are routinely held open with wedges because the technician team commutes constantly between the two rooms. When a power supply catches fire in one room, smoke spreads unhindered into the second room. The gaseous extinguishing system in the affected room triggers, but the smoke has already caused automatic emergency shutdowns in the adjacent room.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 9 mapped controls below in the section ‘ISO 27001 Controls Covering This Threat’.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

G 0.1 is linked in the BSI IT-Grundschutz catalogue to the following modules:

  • INF.1 (General building)Baseline requirements for structural fire protection, fire alarm technology and organisational measures.
  • INF.2 (Data centre and server room) — Extended fire protection requirements for rooms with high IT concentration, including gaseous extinguishing systems.
  • INF.5 (Room and cabinet for technical infrastructure) — Fire protection for technical rooms and distribution cabinets.
  • INF.6 (Media archive) — Protection of archived storage media from fire and its consequences.

Sources

ISO 27001 Controls Covering This Threat

A.7.1 Physical security perimeters A.7.4 Physical security monitoring A.7.5 Protecting against physical and environmental threats A.7.10 Storage media A.7.11 Supporting utilities A.7.12 Cabling security A.7.13 Equipment maintenance A.8.13 Information backup A.8.14 Redundancy of information processing facilities

Frequently asked questions

What collateral damage does a fire cause to IT infrastructure?

Beyond direct destruction by flames, damage arises from extinguishing water, soot and corrosive gases. Hydrogen chloride from burning PVC can travel through air-conditioning ducts into distant parts of the building and attack sensitive electronics there. Business interruption and data loss multiply the total damage.

Is a fire extinguisher in the server room enough protection?

A hand-held extinguisher is one building block, but nowhere near sufficient on its own. Effective fire protection combines structural measures (fire compartments, fire-resistant materials), technical systems (fire alarm, gaseous extinguishing system) and organisational rules (no smoking, regular inspections, training).

How often should fire protection in the data centre be inspected?

Fire alarm systems should be serviced by specialists at least every six months. In addition, quarterly walk-throughs are advisable to check fire compartmentation, escape routes and proper storage of combustible materials.