Annex A · Physical Control

A.7.13 — Equipment Maintenance

Reviewed by: Cenedril Editorial
A.7.13 · ISO 27001 · ISO 27002 · BSI INF.2 · BSI INF.5

The air-conditioning unit in the server room fails on a Friday afternoon. By Saturday morning, the temperature has risen to 42 degrees Celsius. Three servers enter thermal shutdown. The HVAC system was last serviced eighteen months ago — the annual maintenance was “postponed to next quarter” and forgotten. The failed component would have been caught during a routine inspection. A.7.13 requires that equipment be maintained according to the manufacturer’s schedule — because a missed maintenance window becomes an unplanned outage.

The control requires organizations to maintain equipment correctly to ensure its continued availability, integrity and the confidentiality of the information it processes. Maintenance must follow manufacturer recommendations, be performed by authorized personnel and be fully documented.

What does the standard require?

The core requirements address five areas:

  • Scheduled maintenance. Equipment must be maintained at intervals recommended by the manufacturer. The maintenance schedule should be documented and tracked.
  • Authorized personnel. Only authorized and qualified personnel should perform maintenance. For third-party technicians, appropriate vetting and supervision are required.
  • Maintenance records. All maintenance actions must be documented: date, what was done, who performed it, what was replaced, any anomalies found.
  • On-site and remote maintenance. Whether maintenance is performed on-site or remotely, appropriate security measures must be in place — supervision for on-site work, secure connections for remote access.
  • Off-site repair. Equipment sent off-site for repair must be secured: sensitive data removed or encrypted, the device tracked during transport and inspected for tampering upon return.

In practice

Build a maintenance calendar. List every piece of critical equipment with its manufacturer-recommended maintenance interval. Create a calendar (or use a CMDB / facilities-management tool) that triggers alerts before the next maintenance is due.

Establish vendor management. For external maintenance providers: verify qualifications, require an NDA, define supervision requirements (especially for secure areas), document the scope of access granted and log every visit.

Log every action. For each maintenance event, record: equipment ID, date, technician name and company, work performed, parts replaced, system verification after completion. This log is a primary audit artifact.

Secure off-site repair. Before sending equipment off-site: (1) back up the data, (2) wipe or remove storage media if possible, (3) document what is being sent and to whom, (4) obtain a receipt, (5) inspect the device for tampering upon return and verify its integrity before reconnecting it to the network.

Handle remote maintenance securely. If vendors access equipment remotely (e.g. for firmware updates or diagnostics), require encrypted connections, multi-factor authentication, time-limited access and session logging. Review logs after each session.

Typical audit evidence

Auditors typically expect the following evidence for A.7.13:

  • Maintenance schedule — documented plan with equipment, intervals and responsible parties (link to Physical Security Policy in the Starter Kit)
  • Maintenance log — records of all maintenance actions with dates, technicians and work performed
  • Service contracts — agreements with external maintenance providers
  • NDA / access agreements — signed agreements with external technicians
  • Off-site repair records — chain-of-custody documentation for equipment sent for repair
  • Post-maintenance verification — evidence that systems were checked after maintenance

KPI

% of equipment maintained according to scheduled maintenance plans

Measured as a percentage: how many of your maintenance-scheduled items were serviced within the planned interval? Target: 100%. Organizations typically start at 70–85%, with gaps concentrated in non-IT infrastructure (HVAC, fire systems) and branch-office equipment.

Supplementary KPIs:

  • Number of overdue maintenance tasks (target: zero)
  • Number of unplanned outages attributable to maintenance failures per year
  • Average age of UPS batteries relative to manufacturer-recommended replacement cycle
  • % of external maintenance visits with complete documentation (NDA, log, post-maintenance check)
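The maintenance calendar described under “In practice” and the KPIs above can be driven from a single equipment register. The following is an added worked example, not code from the original page or from Cenedril; the assets, technicians and vendor name are constructed placeholders, and the 30-day alert window and the review date are assumptions. It computes the next due date from the last service and the manufacturer interval, raises overdue and due-soon alerts, and derives both the headline KPI (share of items within their planned interval) and the documentation KPI for external visits (NDA on file and post-maintenance check recorded).

```python
"""Maintenance calendar and A.7.13 KPI calculation over a constructed register."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Asset:
    asset_id: str
    name: str
    interval_days: int   # manufacturer-recommended maintenance interval
    last_service: date   # date of the last completed maintenance
    owner: str           # responsible party named in the maintenance schedule

    @property
    def next_due(self) -> date:
        return self.last_service + timedelta(days=self.interval_days)


@dataclass
class MaintenanceEvent:
    """One entry in the maintenance log (the primary audit artifact)."""
    asset_id: str
    performed_on: date
    technician: str
    company: str                       # "internal" or the external provider
    work_performed: str
    parts_replaced: list = field(default_factory=list)
    nda_on_file: bool = False          # required for external technicians
    post_check_verified: bool = False  # system verified after completion


# Constructed sample register: hypothetical assets, not from any real site.
REGISTER = [
    Asset("HVAC-01", "Server room air conditioning", 365, date(2024, 1, 15), "Facilities"),
    Asset("UPS-01", "Main UPS", 180, date(2025, 3, 1), "IT Ops"),
    Asset("FIRE-01", "Fire suppression system", 365, date(2024, 9, 10), "Facilities"),
    Asset("GEN-01", "Diesel generator", 90, date(2025, 3, 20), "Facilities"),
    Asset("SRV-42", "Backup server", 365, date(2025, 2, 1), "IT Ops"),
]

# Constructed maintenance log; vendor and technician names are placeholders.
EVENTS = [
    MaintenanceEvent("UPS-01", date(2025, 3, 1), "A. Example", "Hypothetical Power Services",
                     "Battery capacity test", [], nda_on_file=True, post_check_verified=True),
    MaintenanceEvent("GEN-01", date(2025, 3, 20), "B. Example", "Hypothetical Power Services",
                     "Load test", ["fuel filter"], nda_on_file=True, post_check_verified=False),
    MaintenanceEvent("SRV-42", date(2025, 2, 1), "C. Example", "internal",
                     "Firmware update", [], post_check_verified=True),
]

# Assumed review date, fixed so the example is reproducible offline.
REVIEW_DATE = date(2025, 6, 1)


def classify(register, today, alert_days=30):
    """Split the register into overdue, due within alert_days, and on track."""
    overdue, due_soon, ok = [], [], []
    for asset in register:
        days_left = (asset.next_due - today).days
        if days_left < 0:
            overdue.append(asset)
        elif days_left <= alert_days:
            due_soon.append(asset)
        else:
            ok.append(asset)
    return overdue, due_soon, ok


def overdue_alerts(register, today, alert_days=30):
    """Human-readable alert lines for the calendar owner."""
    overdue, due_soon, _ = classify(register, today, alert_days)
    lines = [f"OVERDUE  {a.asset_id} ({a.name}) was due {a.next_due}, owner: {a.owner}"
             for a in overdue]
    lines += [f"DUE SOON {a.asset_id} ({a.name}) due {a.next_due}, owner: {a.owner}"
              for a in due_soon]
    return lines


def kpi_on_schedule(register, today) -> float:
    """% of scheduled items serviced within their planned interval as of today."""
    if not register:
        return 100.0
    on_schedule = sum(1 for a in register if a.next_due >= today)
    return round(100.0 * on_schedule / len(register), 1)


def kpi_external_visits_documented(events) -> float:
    """% of external visits with NDA on file and a post-maintenance check logged."""
    external = [e for e in events if e.company != "internal"]
    if not external:
        return 100.0
    complete = sum(1 for e in external if e.nda_on_file and e.post_check_verified)
    return round(100.0 * complete / len(external), 1)


if __name__ == "__main__":
    for line in overdue_alerts(REGISTER, REVIEW_DATE):
        print(line)
    print(f"Maintained on schedule: {kpi_on_schedule(REGISTER, REVIEW_DATE)}%")
    print(f"External visits fully documented: {kpi_external_visits_documented(EVENTS)}%")
```

Run against the constructed data, the air-conditioning unit shows as overdue (the scenario from the top of this page), the generator is due within the alert window, and the documentation KPI drops to 50% because one vendor visit has no recorded post-maintenance check. Feeding the register from a CMDB export instead of the inline list is the only change needed for real use.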

BSI IT-Grundschutz

A.7.13 maps to BSI modules covering infrastructure and equipment maintenance:

  • INF.2.A3 (Data center maintenance) — requires scheduled maintenance for all data-center infrastructure with documented procedures and qualified personnel.
  • INF.2.A10 (Climate control for the data center) — HVAC maintenance schedules for data centers.
  • INF.2.A14 (Automatic reporting of malfunctions) — monitoring that detects maintenance needs before failures occur.
  • INF.2.A26 (Regular reviews of the data center) — periodic reviews that include maintenance status.
  • INF.5.A17 / INF.5.A23 / INF.5.A24 (Technical room) — maintenance requirements for technical infrastructure rooms.
  • OPS.1.1.1.A19 (Maintenance of IT systems) — general maintenance requirements for IT systems.

A.7.13 supports equipment reliability across the physical domain.

Additional connections: A.5.19 (Information security in supplier relationships) for maintenance-provider management, and A.8.1 (User endpoint devices) for workstation maintenance.

Frequently asked questions

What equipment needs a maintenance schedule?

All equipment that supports information processing: servers, network equipment, UPS and generators, HVAC systems, fire-detection and suppression systems, access-control systems, CCTV and any other infrastructure that your ISMS depends on. Include workstations and printers if they are managed centrally.

Can external technicians perform maintenance on our equipment?

Yes, but with controls. External maintenance personnel should be vetted, supervised (especially in secure areas), logged and required to follow your security procedures. If equipment is sent off-site for repair, ensure data is protected — either by wiping the device before shipping or by using a trusted, contractually bound service provider.

What happens to data when equipment is sent for repair?

Before sending equipment off-site, either remove or securely erase all sensitive data. If that is not possible (e.g. the storage is integrated and the device is non-functional), use a contractually bound repair provider with an NDA and ensure the device is inspected for tampering upon return.