During a routine office renovation, a contractor accidentally drills through a bundle of network cables in a wall cavity. The entire finance department loses connectivity for a day. Investigation reveals that the cable routes were never documented — nobody knew the cables ran through that wall. Meanwhile, in the server room, network and power cables share the same tray, and three patch cables are unlabeled. An auditor traces one to a port that should have been decommissioned two years ago. A.7.12 addresses all of this: documentation, separation, protection and regular inspection of cabling infrastructure.
The control requires organizations to protect power and communications cabling from interception, interference, damage and unauthorized access.
What does the standard require?
The core requirements address five areas:
- Physical protection. Cables should be routed underground, through conduits or in cable trays that protect them from accidental damage, interception and tampering.
- Separation of power and data. Power cables and communications cables should be physically separated to prevent electromagnetic interference.
- Access control. Cable rooms, patch panels, distribution frames and cable entry points must be in locked, controlled-access areas.
- Labelling and documentation. Cables should be clearly labelled, and cable routes should be documented. Undocumented cables are an invitation to accidental damage and an obstacle to incident response.
- Additional measures for critical systems. For high-security environments: armored conduits, electromagnetic shielding, fiber optics instead of copper, and periodic inspection of cable routes.
In practice
Document cable routes. Create or update a cabling plan showing the routes of all power and data cables, including riser shafts, floor ducts and wall cavities. Mark cable entry points at the building perimeter.
Separate power and data. Run power and data cables in separate trays or conduits. Where they must cross, ensure they cross at right angles to minimize interference. In new installations, specify minimum separation distances.
Secure cable rooms. Patch panels, distribution frames and cable entry points must be in locked rooms with controlled access. Log all access to these rooms.
Inspect periodically. Schedule annual inspections of cable routes. Check for: unauthorized devices connected to network ports, cables in poor condition, missing labels, cable trays exceeding capacity and unauthorized modifications.
Decommission unused cables. Remove or physically disconnect cables for decommissioned systems. An active port connected to a decommissioned cable is a potential entry point.
Typical audit evidence
Auditors typically expect the following evidence for A.7.12:
- Cabling plan — documented cable routes, labelling scheme and separation measures (see the Physical Security Policy in the Starter Kit)
- Cable register — list of all cables with IDs, endpoints, type and status
- Inspection records — documentation of periodic cable-route inspections
- Access logs for cable rooms — evidence that cable rooms are controlled
- Photographs — showing cable separation, labelling and protection measures
- Decommissioning records — evidence that unused cables are removed or disconnected
KPI
% of critical cabling with documented physical protection measures
Measured as a percentage: how many of your critical cable routes (those carrying production network traffic or primary power) are documented, labelled, physically protected and regularly inspected? Target: 100%. Organizations undergoing their first structured cabling audit typically start at 40–60%.
Supplementary KPIs:
- % of cables with labels at both ends
- Number of undocumented cables found during inspections
- Number of cable-related incidents (accidental disconnection, damage) per year
- % of cable rooms with controlled access and logging
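The KPIs above can be calculated directly from the cable register. The following is an added example, not part of the original page: the column names beyond ID, endpoints, type and status, the 365-day inspection threshold and all sample rows are assumptions constructed for illustration. It also flags decommissioned cables that are still patched to an active port, the finding described under "Decommission unused cables".

```python
import csv
import io
from datetime import date

# Constructed sample register (not from the original page). Columns beyond
# ID, endpoints, type and status are assumptions made for this example.
REGISTER_CSV = """\
cable_id,end_a,end_b,type,status,critical,route_documented,label_a,label_b,protected,last_inspected,port_active
C-001,SR1-PP01-01,FIN-SW1-01,fiber,active,yes,yes,yes,yes,yes,2024-03-10,yes
C-002,SR1-PP01-02,FIN-SW1-02,copper,active,yes,no,yes,no,yes,2024-03-10,yes
C-003,SR1-PDU-A,RACK4-PSU1,power,active,yes,yes,yes,yes,yes,2022-01-15,yes
C-004,SR1-PP02-07,OLD-SRV-09,copper,decommissioned,no,yes,no,no,no,,yes
C-005,SR1-PP02-08,LOBBY-AP1,copper,active,no,yes,yes,yes,no,2024-03-10,yes
"""
MAX_INSPECTION_AGE_DAYS = 365  # assumed threshold matching an annual inspection cycle

def load_register(text):
    return list(csv.DictReader(io.StringIO(text)))

def yes(row, field):
    return row[field].strip().lower() == "yes"

def inspected_recently(row, today):
    raw = row["last_inspected"].strip()  # empty means never inspected
    return bool(raw) and (today - date.fromisoformat(raw)).days <= MAX_INSPECTION_AGE_DAYS

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def cabling_kpis(rows, today):
    in_service = [r for r in rows if r["status"].strip().lower() == "active"]
    critical = [r for r in in_service if yes(r, "critical")]
    # A critical cable counts only if documented, labelled, protected AND inspected.
    ok = {r["cable_id"] for r in critical
          if all(yes(r, f) for f in ("route_documented", "label_a", "label_b", "protected"))
          and inspected_recently(r, today)}
    both_ends = [r for r in in_service if yes(r, "label_a") and yes(r, "label_b")]
    return {
        "critical_protected_pct": pct(len(ok), len(critical)),
        "labelled_both_ends_pct": pct(len(both_ends), len(in_service)),
        "critical_gaps": [r["cable_id"] for r in critical if r["cable_id"] not in ok],
        "decommissioned_on_active_port": [r["cable_id"] for r in rows
            if r["status"].strip().lower() == "decommissioned" and yes(r, "port_active")],
    }

if __name__ == "__main__":
    print(cabling_kpis(load_register(REGISTER_CSV), date.today()))
```

The `critical_gaps` and `decommissioned_on_active_port` lists give the inspection team the specific cable IDs to follow up, which the percentages alone do not.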
BSI IT-Grundschutz
A.7.12 maps primarily to BSI INF.12 (Cabling):
- INF.12.A2 (Planning of cabling) — requires documented planning of all cable routes before installation.
- INF.12.A5 (Requirements-based selection of cable types) — cable types must match the security requirements (shielded, fiber, armored).
- INF.12.A10 (Protection of cabling distribution rooms) — cable rooms must be physically secured with controlled access.
- INF.12.A11 (Regular inspection of cable management) — periodic inspection of cable routes and infrastructure.
- INF.12.A15 (Use of cable management systems) — structured cable-management systems for larger installations.
- INF.12.A17 (Electromagnetic protection of cabling) — shielding requirements for environments with electromagnetic interference risks.
- INF.1.A13 (Regulations for areas with special security needs) — additional cabling requirements for high-security zones.
- INF.2.A23 (Secure cabling in the data center) — specific requirements for data-center cabling.
Related controls
A.7.12 supports the utility and equipment infrastructure:
- A.7.10 — Storage media: Data on storage media travels through cables.
- A.7.11 — Supporting utilities: Power cabling is a supporting utility.
- A.7.13 — Equipment maintenance: Cabling infrastructure needs maintenance.
- A.7.14 — Secure disposal or re-use of equipment: Decommissioned cabling must be handled securely.
Additional connections: A.7.1 (Perimeters — cables crossing perimeter boundaries), A.7.5 (Environmental threats — fire-rated cable penetrations) and A.8.20 (Network security).
Sources
- ISO/IEC 27001:2022 Annex A, Control A.7.12 — Cabling security
- ISO/IEC 27002:2022 Section 7.12 — Implementation guidance for cabling security
- BSI IT-Grundschutz, INF.12 — Cabling