Annex A · Physical controls

A.7.8 — Equipment Siting and Protection

Reading time: 4 min · Reviewed by: Cenedril Editorial
Tags: A.7.8 · ISO 27001 · ISO 27002 · BSI INF.2 · BSI INF.7

A network switch sits on an open shelf in the office kitchen — next to the coffee machine. It was placed there “temporarily” two years ago when the network closet ran out of space. It overheats regularly, has no physical protection and has been splashed with coffee twice. A.7.8 requires that equipment is placed and protected in a way that reduces risk from physical threats, environmental conditions and unauthorized access.

The control requires organizations to site equipment securely and protect it from physical and environmental threats. The placement must also minimize the risk of unauthorized access and information disclosure.

What does the standard require?

The core requirements address four areas:

  • Secure placement. Equipment must be positioned to minimize unauthorized access, reduce visual exposure of sensitive data and prevent accidental damage.
  • Environmental protection. Equipment must be protected from heat, dust, humidity, vibration, water and electrical interference. Environmental conditions should be monitored and kept within manufacturer specifications.
  • Power and lightning protection. Equipment should be protected against power surges and lightning strikes through appropriate surge protectors, UPS systems and lightning conductors.
  • Electromagnetic protection. Where the risk warrants it, equipment should be shielded against electromagnetic emanations that could leak sensitive information.

In practice

Survey all equipment locations. Walk through every room and document where critical equipment is placed. For each item, assess: is it protected from water (above and around)? Is the temperature controlled? Is it secured against theft? Is the screen visible to unauthorized people?

Establish siting standards. Define minimum requirements for equipment placement: servers in dedicated, climate-controlled rooms; network equipment in locked closets with ventilation; workstation screens facing away from windows and walkways; no equipment in kitchens, corridors or uncontrolled areas.

Monitor environmental conditions. Install temperature and humidity sensors in server rooms, network closets and any room housing critical equipment. Derive alert thresholds from the manufacturers' specified operating ranges, record every alarm, and respond to alarms promptly; the alarm history is also audit evidence.

Protect against power issues. Deploy UPS for all critical equipment, surge protectors on all power feeds and — where the building requires it — lightning protection. Test UPS capacity and switchover regularly.

Typical audit evidence

Auditors typically expect the following evidence for A.7.8:

  • Equipment inventory with locations — list of critical equipment and their placement (link to Physical Security Policy in the Starter Kit)
  • Siting standards — documented requirements for equipment placement
  • Environmental monitoring records — temperature and humidity logs, alert history
  • UPS and surge-protection records — deployment documentation, test logs, capacity reports
  • Risk assessment — documented assessment of physical and environmental risks per location
  • Photographs — documented state of equipment placement and protection measures

KPI

% of critical equipment with documented siting and protection measures

Measured as a percentage: how many of your critical information-processing assets have a documented siting assessment, verified environmental protection and appropriate power protection? Target: 100%. Gaps typically exist in branch offices and ad-hoc installations.
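To make the siting standards from the "In practice" section and the headline KPI concrete, here is an added Python example. It is not part of the original page or of the Cenedril Starter Kit: it checks a constructed equipment inventory against a minimal siting standard and computes the percentage of critical assets with no open gaps. The room types, field names, asset identifiers and the inventory itself are assumptions made up for the example.

```python
"""Siting-compliance check and KPI over an equipment inventory.

Added example (not the page's own tooling). The siting standard below mirrors the
page's minimum requirements; room-type names are assumptions for this example.
"""
from dataclasses import dataclass

# Which room types each equipment class may be placed in (assumed taxonomy).
ALLOWED_ROOMS = {
    "server": {"server_room"},
    "network": {"server_room", "network_closet"},
    "workstation": {"office", "server_room", "network_closet"},
}
# Rooms the page rules out for any equipment.
UNCONTROLLED_ROOMS = {"kitchen", "corridor", "open_area"}


@dataclass
class Asset:
    asset_id: str
    kind: str               # "server", "network" or "workstation"
    room: str               # human-readable location
    room_type: str          # key used in ALLOWED_ROOMS / UNCONTROLLED_ROOMS
    critical: bool          # in scope for the headline KPI
    siting_assessed: bool   # a documented siting assessment exists
    climate_monitored: bool # temperature/humidity sensors with alerting in the room
    ups: bool
    surge_protected: bool
    screen_exposed: bool = False  # screen visible from windows or walkways


def siting_findings(a: Asset) -> list[str]:
    """Return the siting-standard violations for one asset (empty list = compliant)."""
    issues = []
    if a.room_type in UNCONTROLLED_ROOMS:
        issues.append(f"placed in uncontrolled area ({a.room_type})")
    elif a.room_type not in ALLOWED_ROOMS.get(a.kind, set()):
        issues.append(f"{a.kind} not permitted in {a.room_type}")
    if not a.siting_assessed:
        issues.append("no documented siting assessment")
    if a.kind in ("server", "network") and not a.climate_monitored:
        issues.append("room climate not monitored")
    if a.critical and not a.ups:
        issues.append("no UPS")
    if not a.surge_protected:
        issues.append("no surge protection")
    if a.kind == "workstation" and a.screen_exposed:
        issues.append("screen visible to unauthorized people")
    return issues


def kpi_report(assets: list[Asset]) -> tuple[float, dict[str, list[str]]]:
    """Headline KPI: % of critical assets with no open siting/protection gap, plus the gaps."""
    critical = [a for a in assets if a.critical]
    gaps = {a.asset_id: siting_findings(a) for a in critical}
    compliant = sum(1 for v in gaps.values() if not v)
    pct = 100.0 * compliant / len(critical) if critical else 100.0
    return pct, {k: v for k, v in gaps.items() if v}


# Constructed sample inventory (not real data). The first entry is the kitchen
# switch from the introduction; the branch-office entry is the typical gap the KPI text mentions.
SAMPLE_INVENTORY = [
    Asset("SW-KITCHEN-01", "network", "Office kitchen, open shelf", "kitchen",
          True, False, False, False, False),
    Asset("SRV-01", "server", "Server room B1", "server_room",
          True, True, True, True, True),
    Asset("SW-CORE-01", "network", "Network closet 2F", "network_closet",
          True, True, True, True, True),
    Asset("SW-BRANCH-01", "network", "Branch office, storeroom", "storage",
          True, False, False, True, True),
    Asset("WS-RECEPTION-01", "workstation", "Reception desk", "office",
          False, True, False, False, True, screen_exposed=True),
]

if __name__ == "__main__":
    pct, gaps = kpi_report(SAMPLE_INVENTORY)
    print(f"Critical equipment with documented siting and protection: {pct:.0f}%")
    for asset_id, issues in gaps.items():
        print(f"  {asset_id}: " + "; ".join(issues))
```

Run against the sample inventory the report shows 50% and lists the kitchen switch and the branch-office switch as the two gaps, which is exactly the evidence an auditor would ask to see traced back to the equipment inventory. Non-critical assets still get findings (the reception workstation's exposed screen) but do not count toward the headline KPI.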

Supplementary KPIs:

  • Number of environmental alarms (temperature, humidity) triggered per quarter
  • % of critical equipment rooms with monitored climate control
  • Number of equipment relocations prompted by siting-risk findings
  • UPS capacity utilization and test pass rate

BSI IT-Grundschutz

A.7.8 maps to BSI modules covering equipment protection:

  • INF.2.A5 (Physical protection of the data center infrastructure) — comprehensive requirements for data-center equipment siting, environmental control and physical security.
  • INF.7.A7 (Locking measures) — securing equipment at office workstations.
  • OPS.1.2.2.A3 (Protection of IT systems during maintenance) — siting considerations for equipment undergoing maintenance.
  • SYS.1.1.A1 (Suitable installation of a server) — specific requirements for server placement: climate, access control, power.

A.7.8 connects equipment placement to the broader physical security framework. Related controls: A.7.5 (Protecting against physical and environmental threats), A.7.11 (Supporting utilities) and A.7.12 (Cabling security).

Frequently asked questions

What does 'equipment siting' mean in practice?

It means choosing where to place servers, network equipment, workstations and other information-processing devices so that they are protected from physical threats (fire, water, dust, vibration), environmental risks (temperature, humidity) and unauthorized access (visual exposure, theft). Every placement decision should consider these factors.

Do I need to worry about electromagnetic emanations?

For most organizations, standard commercial equipment is sufficient. If you handle classified government information or operate in a high-espionage-risk environment, you may need TEMPEST-certified equipment or electromagnetic shielding. For typical ISO 27001 implementations, the risk is low.

Should monitors face away from windows and corridors?

Yes. Positioning screens so that their content is not visible to passers-by or through windows is a basic measure. Privacy screens (filter films) provide additional protection when repositioning is not feasible.