Equipment Maintenance - ISO 27001 Annex A Control

ISO 27001 Annex A 7.13

Equipment that is not maintained becomes the next outage or breach.

ISO 27001 Annex A 7.13 - Equipment Maintenance

Equipment that is not maintained drifts toward failure. The control treats maintenance as a security activity, not only an operational one: a failing component can corrupt or lose data (integrity), take a service down when it is needed (availability), or expose data to whoever carries out the unscheduled repair (confidentiality). Correct maintenance addresses all three.

Maintenance covers both planned and reactive activities. Planned maintenance includes manufacturer-recommended service intervals, firmware updates, replacement of components with known wear cycles (batteries, fans, filters), and the periodic checks that catch issues before they become failures. Reactive maintenance covers the response when something does break, with the security implications considered alongside the operational ones.

The maintenance activities themselves carry security risk. Engineers - whether internal or third-party - may need physical or administrative access to equipment that contains sensitive data. The arrangements should include supervised access where appropriate, contractual confidentiality, and a clear rule on what can leave the site: a faulty device that may still hold recoverable data is storage media and needs the same handling as any other storage media (A.7.10) until it has been sanitised or the storage component removed.

The maintenance gap that surfaces most often is third-party engineers being given unsupervised access to equipment because they are trusted, and then taking faulty drives away for "warranty replacement". Either decision can be reasonable, but each needs to be deliberate rather than the default. The contract should set the expectations, and the access arrangements on the day should match what the contract says.

Practical Compliance Guidance

Equipment maintenance is described in the IMS1 Manual in Section 8.3 on IT equipment alongside the Physical Security Policy. The equipment register tracks maintenance schedules and history.

alphaZ document - How to use it
ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists.
ER10 IT Equipment and Logins Register - Helps organisations track, manage and secure IT equipment, user logins, keys and access cards in line with ISO 27001 requirements.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

What equipment does A.7.13 cover?

Anything where failure would affect information security. Typical examples: servers, network equipment, UPS units, generators, fire suppression and detection systems, environmental controls in server rooms, and CCTV and access control systems. End-user laptops and desktops follow a different model - typically replaced on a refresh cycle rather than maintained in place - but they are still in scope when a repair means someone else handling a device that holds data.

How should third-party maintenance engineers be controlled?

Through a combination of contractual confidentiality, defined access arrangements (escort where appropriate, sign-in records, time-limited access, and for remote support a named account that is enabled only for the session), and clarity on what can leave the site for warranty work. The supplier security arrangements under A.5.20 should set the contractual expectations and the visitor process under A.7.2 should handle the practical access.

What happens when faulty equipment has to be sent back to the supplier?

If the equipment may still hold recoverable data, sanitisation or removal of the storage component should happen before the equipment leaves, consistent with the secure disposal and re-use requirements of A.7.14. Where the supplier requires the failed component returned, the contract should specify how data on the component is handled; many hardware vendors offer a media retention option in their support contracts under which failed drives stay with the customer, which is usually the simplest answer for sensitive systems. The decision should be deliberate rather than default - it is reasonable to release equipment under tight contractual terms, and it is reasonable to insist on data destruction first; the choice should follow the data sensitivity. Full-disk encryption with the key held outside the device changes the calculus: destroying the key leaves a failed drive cryptographically erased even when the drive itself cannot be overwritten.
