Supporting Utilities - ISO 27001 Annex A Control

ISO 27001 Annex A 7.11

Power, cooling and connectivity have to keep working - or the rest stops working too.

ISO 27001 Annex A 7.11 - Supporting Utilities

The control covers the services that information processing depends on: electricity, cooling, network connectivity and, where cooling systems use it, water. Each of these can fail, and when one fails the equipment it feeds stops or degrades, whatever the state of the logical controls protecting it. The control asks the organisation to identify these dependencies and put protection in place that matches their importance to the operation.

Power is usually the dominant concern. UPS units provide ride-through during short interruptions and clean power during voltage fluctuations. Generators extend protection through longer outages. Sizing should match the actual load and the outage duration the organisation needs to ride through, and the two are different decisions: a UPS sized for 15 minutes buys an orderly shutdown, not continued operation through a two-hour local outage. If continued operation is the requirement, that is a generator decision, with the UPS covering the gap while the generator starts.

Cooling and connectivity follow similar logic. Server rooms need cooling that scales with the equipment load, and protection against the cooling itself failing, usually a dual-feed or N+1 design for anything significant, since a full room can overheat within minutes of a cooling failure. Network connectivity may need diverse routes or failover arrangements where the operation depends on continuous external connectivity; two circuits that share the same duct or the same upstream carrier are not diverse.

The most common failure mode for utility protection is testing that lapses. The UPS works on day one and again at the annual service, but in the gap nothing actually loads it for any length of time, and UPS batteries lose capacity with age without the status lights changing. The generator starts when tested, but no one has run a full failover transition since the system was installed, so the transfer switch and the UPS-to-generator handover have never been exercised together under load. We schedule periodic load tests so we know the protection actually works rather than just that it sits there.

Practical Compliance Guidance

Supporting utility arrangements are described in the IMS1 Manual in Section 8.3 on IT equipment and Section 8.5 alongside the wider continuity arrangements. The business continuity register holds the operational record.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists.

F-IMS21 Business Continuity Register - The business continuity register listing utility scenarios and the protection in place. Use it to record UPS, generator, cooling and connectivity arrangements alongside test schedules and outcomes.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

For most small offices using cloud services, the impact of a power cut is limited: the user can switch to a laptop on battery and continue working from elsewhere. Where on-site servers or network equipment are critical, even a small UPS is worthwhile to protect against unplanned shutdowns and brief outages. The decision should follow the impact assessment.

Cloud providers run their own utility protection. The organisation should confirm through due diligence that the provider has appropriate arrangements, typically through SOC reports and certifications, and reflect this in the supplier risk assessment. The organisation's own utility protection then focuses on the local equipment needed to reach cloud services: the router, firewall, switches and any local authentication or DNS the office depends on.

UPS units are typically serviced and load-tested annually, with batteries replaced on the manufacturer's cycle rather than when they fail. Generators are run on test schedules, often monthly, with full-load runs and full failover transitions less frequently. The exact schedule should reflect the manufacturer's recommendations and the criticality of the equipment being protected. Test outcomes, including failures and the remediation taken, should be documented in the business continuity register or equivalent.
