A.7.11 — Supporting Utilities

A summer thunderstorm knocks out power to the building. The UPS kicks in — but its batteries were last replaced four years ago. After 8 minutes instead of the rated 30, the UPS dies. The servers shut down ungracefully, causing file-system corruption on two database servers. Recovery takes 14 hours. The generator in the basement would have prevented the outage, but it ran out of fuel during the last test six months ago and was never refuelled. A.7.11 requires that supporting utilities are reliable, tested and maintained — because information security is only as strong as the power feeding the server room.

The control requires organizations to protect information-processing facilities from power failures and other disruptions to supporting utilities — electricity, telecommunications, water supply, ventilation and similar infrastructure.

What does the standard require?

The core requirements cover four areas:

• Reliable utilities. Equipment managing power, telecommunications and other utilities must be maintained according to manufacturer specifications and regularly tested.
• Redundancy. For critical systems, consider redundant utility feeds — dual power supplies, independent internet connections, redundant HVAC systems.
• Monitoring and alerting. Utilities should be monitored continuously. Alarms must be in place to warn of malfunctions (power failure, temperature excursion, connectivity loss) so that corrective action can be taken promptly.
• Emergency provisions. Emergency power (UPS, generator), emergency lighting, emergency communication channels and emergency shutdown procedures must be planned, documented and accessible.

In practice

Map utility dependencies. For each critical system, document: which power feed supplies it, which network connection it uses, what HVAC system cools it. Identify single points of failure.

Deploy UPS for all critical equipment. Servers, network equipment, security systems (access control, CCTV) and telecommunications equipment should be UPS-protected. Size the UPS for at least 15 minutes of load — enough for automated graceful shutdown.

Test regularly. UPS load test: quarterly. Generator switchover test: annually under realistic load. HVAC failure test: verify alarm triggers when cooling stops. Document all tests and remediate issues immediately.

Ensure accessible emergency controls. Emergency power-off switches must be clearly marked and accessible. Emergency contacts (utility provider, facility management, IT on-call) must be posted in server rooms and at reception.

Secure utility connections. Network connections to the internet and other external networks should be physically secured, logically protected and limited to essential use. Redundant connections from different providers reduce the risk of a single-provider outage.

Typical audit evidence

Auditors typically expect the following evidence for A.7.11:

• Utility dependency map — documentation showing which systems depend on which utilities (link to Physical Security Policy in the Starter Kit)
• UPS test records — quarterly load-test reports with results and battery-age tracking
• Generator test records — annual switchover test under load with fuel-level verification
• Maintenance contracts — service agreements for UPS, generator, HVAC and electrical systems
• Monitoring configuration — evidence that utility-monitoring alarms are configured and tested
• Emergency procedures — documented shutdown and recovery procedures with emergency contacts

KPI

% of critical systems with redundant and tested supporting utilities

Measured as a percentage: how many of your critical information-processing systems are covered by (1) a tested UPS, (2) redundant power or a generator (where required) and (3) monitored environmental controls? Target: 100%. Gaps typically exist in branch offices and non-production environments.

Supplementary KPIs:

• UPS load-test pass rate (target: 100%)
• Generator test pass rate and time to achieve full load
• Number of utility-related incidents per quarter
• Mean time to restore service after a utility failure

BSI IT-Grundschutz

A.7.11 maps to extensive BSI requirements across infrastructure modules:

• INF.2 (Data center) — power supply (A3, A4), climate control (A5, A10, A11), fire suppression (A14, A16), redundancy (A19), monitoring (A25, A26).
• INF.5 (Technical room) — power protection (A9, A10, A11), climate control (A16, A17), maintenance (A24).
• INF.1 (General building) — basic power supply and utility requirements for general office buildings.
• SYS.1.1.A15 (Secure use of UPS) — specific requirements for UPS deployment and testing.
• SYS.2.1.A39 (Power supply for mobile clients) — battery and charging considerations for laptops and mobile devices.

Related controls

A.7.11 provides the infrastructure foundation for other physical controls:

• A.7.9 — Security of assets off-premises: Off-premises, you depend on external utility infrastructure.
• A.7.10 — Storage media: Power failures can corrupt data on storage media.
• A.7.12 — Cabling security: Power and network cabling are themselves supporting utilities.
• A.7.13 — Equipment maintenance: Utility equipment needs its own maintenance schedule.

Additional connections: A.5.29 (Information security during disruption), A.5.30 (ICT readiness for business continuity) and A.7.5 (Environmental threats).

Sources

• ISO/IEC 27001:2022 Annex A, Control A.7.11 — Supporting utilities
• ISO/IEC 27002:2022 Section 7.11 — Implementation guidance for supporting utilities
• BSI IT-Grundschutz, INF.2 — Data center