
Equipment Siting and Protection

Updated: 2026-02-17

Plain English Translation

ISO 27001 Annex A.7.8 requires organizations to purposefully position and protect their physical IT equipment—such as servers, routers, printers, and workstations—to minimize risks. This means keeping critical hardware away from environmental hazards like water pipes or extreme heat, locking away network infrastructure to prevent tampering, and positioning monitors so sensitive information cannot be viewed by unauthorized visitors.

Executive Takeaway

Strategic physical placement and protection of IT hardware prevent accidental damage, environmental destruction, and unauthorized physical tampering.

Impact: Medium
Complexity: Medium

Why This Matters

  • Reduces the likelihood of costly hardware damage and downtime caused by environmental factors like water leaks, fires, or power surges.
  • Prevents malicious actors or unauthorized guests from easily intercepting data, tampering with network devices, or viewing exposed screens.

What “Good” Looks Like

  • Critical infrastructure is housed in secure, dedicated facilities free from environmental hazards and public access.
  • Office workstations and printers are positioned to prevent shoulder surfing, and physical access to all network infrastructure is strictly limited.

Control A.7.8 requires organizations to locate and protect their equipment in a way that minimizes physical and environmental risks, as well as opportunities for unauthorized access or tampering.

Practical examples include locking network switches in dedicated closets, positioning monitors away from windows to prevent shoulder surfing, and keeping servers away from water pipes, hazardous materials, or heavy foot traffic.

ISO 27001 A.7.8 audit evidence examples include an approved Physical Security Policy, floor plans showing secure equipment placement, facility risk assessments, and compliance reports (such as ISO 27001 or SOC 2) from third-party data centers. Tools like WatchDog Security's Compliance Center can help organize evidence against A.7.8, track collection status, and surface missing artifacts during readiness reviews.

To protect IT equipment from environmental threats (fire, water, heat), organizations should use raised floors to mitigate flood risks, implement fire suppression systems, install redundant HVAC for temperature control, and use uninterruptible power supplies (UPS).

Organizations remain responsible for ensuring that their third-party providers implement appropriate equipment siting and protection controls; this is typically verified by collecting and reviewing the provider's independent security audit certifications. WatchDog Security's Vendor Risk Management can help maintain a vendor catalog, request and track attestations, and record review outcomes tied back to A.7.8 requirements.

Monitors should be angled away from public view, printers processing sensitive data should be placed in restricted zones behind access controls, and active network ports in public areas should be disabled or physically locked.

Organizations should store networking devices in locked IT closets, use locked server racks, employ tamper-evident seals, and secure cabling in conduits or drop ceilings to prevent unauthorized interception or damage.

Electromagnetic leakage shielding under ISO 27001 is generally only necessary if the organization's physical security risk assessment identifies a high risk of electromagnetic interception, which typically applies only to highly classified government or military data.

Reviews should occur at planned intervals (e.g., annually), during facility physical security risk assessments, or whenever there are significant changes to the office layout, building infrastructure, or threat landscape.

Control A.7.8 directly replaces the ISO 27001:2013 control A.11.2.1 (Equipment siting and protection), carrying forward the same core principles while aligning with modern physical and environmental threat landscapes.

Equipment siting often creates repeatable decisions (where assets are placed, what hazards exist, and what mitigations are required). Tools like WatchDog Security's Risk Register can document location-specific risks, assigned owners, and treatment actions, while WatchDog Security's Compliance Center can map those actions to A.7.8 and highlight gaps during audits.

Audits typically require collecting and controlling sensitive supporting artifacts (policies, site assessments, facility diagrams, and third-party certifications). WatchDog Security's Secure File Sharing can help distribute and store these files with access controls and audit logs, and WatchDog Security's Compliance Center can organize them as evidence linked to A.7.8 for faster retrieval.

ISO 27001 A.7.8

"Equipment shall be sited securely and protected."

Version  Date        Author                      Description
1.0.0    2026-02-17  WatchDog Security GRC Team  Initial publication