Supporting Utilities
Plain English Translation
ISO 27001 Annex A.7.11 requires the organization to protect its information processing facilities against power failures and other utility disruptions, such as water, gas, or telecommunications outages. This involves implementing backups like uninterruptible power supplies (UPS) and generators, and maintaining redundant internet connections to ensure systems stay online or shut down safely during an unexpected outage.
Technical Implementation
Required Actions (startup)
- Host primary infrastructure in top-tier cloud environments (e.g., AWS, Azure) to inherit enterprise-grade utility redundancy.
- Use basic surge protectors and UPS devices for critical on-premise networking equipment like firewalls and routers.
Required Actions (scaleup)
- Implement redundant telecommunications links (dual ISPs) for critical office locations to prevent single points of failure.
- Define utility outage response procedures within the broader Business Continuity and Disaster Recovery (BCDR) plan.
Required Actions (enterprise)
- Deploy N+1 power redundancy for data centers, including dual power feeds, large-scale UPS arrays, and onsite diesel generators.
- Continuously monitor power quality and HVAC status using automated environmental sensors linked to the Security Operations Center (SOC).
A.7.11 is a physical security control requiring the organization to protect its information processing facilities from power failures and from disruptions caused by failures in supporting utilities such as telecommunications, water, and gas.
Supporting utilities include electricity, telecommunications (internet), water supply, gas, sewage, and HVAC (heating, ventilation, and air conditioning) systems required to keep infrastructure running safely.
Organizations implement this by installing Uninterruptible Power Supplies (UPS) for immediate failover, backup generators for prolonged outages, redundant internet service providers, and adequate HVAC systems to prevent overheating.
If the organization hosts critical infrastructure on-premise, a UPS and a backup power source such as a generator are expected. If infrastructure is hosted entirely in the cloud, these physical controls are delegated to the cloud provider, and the organization's obligation shifts to verifying that the provider has them.
As audit evidence for this control, auditors look for an approved Physical Security Policy, maintenance logs for UPS and generator testing, environmental monitoring alerts, and compliance certificates (such as SOC 2) from third-party data centers.
Backup power systems should be tested and maintained at planned intervals defined in a testing and maintenance policy, typically monthly tests and annual comprehensive maintenance.
For cloud-hosted environments, the organization satisfies this control by verifying their provider's utility redundancy through a formal vendor security review and collecting independent audit reports like ISO 27001 or SOC 2 Type II certificates.
Organizations should evaluate the likelihood and impact of utility failures in a risk assessment covering their information processing facilities, identifying potential downtime costs and mapping them to appropriate redundancy and BCDR controls.
Monitoring power failures and utility outages requires environmental monitoring tools that automatically alert operations teams on a power drop, a temperature spike, or a switch to battery power, enabling a rapid incident response.
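As an added illustration of the alerting logic described above (this is example code, not from the page or from any product it names), the following evaluates constructed UPS and rack-sensor telemetry for the three conditions named: input power drop, switch to battery, and temperature spike. The `Sample` record, the threshold values, and the alert names are assumptions; real deployments would take these from the UPS vendor's SNMP or API output and the site's environmental limits.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    ts: int             # seconds since epoch (constructed)
    input_volts: float  # mains input voltage at the UPS
    on_battery: bool    # UPS reports it is running on battery
    temp_c: float       # rack inlet temperature

# Assumed thresholds; tune to site and UPS vendor specifications.
MIN_INPUT_VOLTS = 200.0    # below this, treat as a power drop (230 V nominal)
MAX_TEMP_C = 30.0          # absolute rack inlet limit
TEMP_RISE_C_PER_MIN = 2.0  # rate-of-change that counts as a spike

def evaluate(samples):
    """Return (ts, alert) tuples. State-based alerts fire once, on entering
    the bad state, so a sustained outage does not flood the SOC."""
    alerts = []
    prev = None
    for s in samples:
        if s.on_battery and (prev is None or not prev.on_battery):
            alerts.append((s.ts, "UPS_ON_BATTERY"))
        if not s.on_battery and prev is not None and prev.on_battery:
            alerts.append((s.ts, "UPS_MAINS_RESTORED"))
        if s.input_volts < MIN_INPUT_VOLTS and (prev is None or prev.input_volts >= MIN_INPUT_VOLTS):
            alerts.append((s.ts, "INPUT_POWER_DROP"))
        if s.temp_c > MAX_TEMP_C and (prev is None or prev.temp_c <= MAX_TEMP_C):
            alerts.append((s.ts, "TEMP_HIGH"))
        if prev is not None:
            minutes = (s.ts - prev.ts) / 60.0
            if minutes > 0 and (s.temp_c - prev.temp_c) / minutes >= TEMP_RISE_C_PER_MIN:
                alerts.append((s.ts, "TEMP_SPIKE"))
        prev = s
    return alerts

# Constructed telemetry: brownout, switch to battery, HVAC loses power, mains returns.
SAMPLES = [
    Sample(0,   230.0, False, 22.0),
    Sample(60,  229.0, False, 22.1),
    Sample(120, 185.0, True,  22.3),  # brownout; UPS switches to battery
    Sample(180, 0.0,   True,  24.8),  # full outage; HVAC off, temperature climbing
    Sample(240, 0.0,   True,  27.5),
    Sample(300, 0.0,   True,  30.4),  # crosses the absolute limit
    Sample(360, 231.0, False, 29.0),  # mains restored
]

if __name__ == "__main__":
    for ts, alert in evaluate(SAMPLES):
        print(f"t={ts}s {alert}")
```

Each alert tuple is what would be handed to the SOC's alerting pipeline; the mains-restored event is included so responders can close the incident and record the outage duration as evidence.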
Common nonconformities include failing to regularly test UPS batteries, neglecting to secure redundant internet connections for critical offices, and lacking vendor compliance evidence for outsourced cloud data centers.
A.7.11 typically requires you to track policies, vendor attestations, and recurring test records (e.g., UPS and generator tests). WatchDog Security's Compliance Center can help organize evidence by control, flag missing items, and maintain an audit-ready trail for supporting-utility resilience.
Utility disruptions are often managed as ongoing risks with defined treatments (redundancy, testing, vendor assurance) and owners. WatchDog Security's Risk Register can help document utility-failure risks, score impact, assign remediation tasks, and report progress to stakeholders.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | GRC Team | Initial publication |