Failure or disruptions of utilities such as electricity, gas, water, or cooling needed for proper and continuous functioning of information processing facilities may result in compromise of information assets or may intercept business continuity.
For example, the failure of air conditioning equipment in a data centre may lead to a sudden rise in temperature when the data centre is hit by a heatwave. This may cause servers hosting website and/or customer data to shut down, and thus result in loss of availability of data and disruptions to business operations.
Control 7.11 addresses how organisations can eliminate risks to the availability and integrity of information assets due to the failure of supporting utilities such as gas, cooling, telecommunications, water, and electricity.
Control 7.11 enables organisations to eliminate and mitigate risks to the availability and integrity of information assets and to the business continuity by putting in place appropriate measures that protect supporting utilities against failures and disruptions such as power outages.
Control 7.11 is both detective and preventive in nature as it requires organisations to take a proactive approach and implement precautionary measures against the risks to the proper and continuous functioning of utilities required for information processing facilities such as data centres, network systems, and computing equipment.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive #Detective | #Integrity #Availability | #Protect #Detect | #Physical Security | #Protection |
Control 7.11 entails identifying risks to the continuous operations of supporting utilities and implementation of appropriate measures and controls to ensure that availability and integrity of information assets are not affected by failures of these utilities.
While the facilities management team’s role and efforts are critical, the information security manager should bear the responsibility for compliance with Control 7.11.
After highlighting that supporting utilities such as water supply, electricity, communications, sewage, and air conditioning is vital to the operations carried out in information processing facilities.
General Guidance lists seven key recommendations organisations should take into account to comply with Control 7.11:
Apart from the General Guidance, Control 7.11 entails recommendations on two specific issues:
Organisations should determine an emergency contact person and record his/her contact details. These details should be provided to all personnel in the event a failure or disruption occurs.
Emergency switches and valves to halt utilities such as water, gas, and electricity should be placed near the emergency exits.
Emergency lighting and communications should be ready to be used in case an emergency arises.
Organisations can consider having additional routes from alternative service providers to increase network connectivity so that failures or disruptions of supporting utilities are prevented.
27002:2022/7.11 replaces 27002:2013/(11.2.2)
While the 2022 version is similar to the 2013 version to great extent, there is one key difference.
The ISO 27002:2022 version introduces the following two requirements in its General Guidance:
Companies can use ISMS.Online to help them with their ISO 27002 compliance efforts by providing them with a platform that makes it easy to manage their security policies and procedures, update them as needed, test them and monitor their effectiveness.
Our cloud-based platform allows you to quickly and easily manage all the aspects of your ISMS, including risk management, policies, plans, procedures and more, in one central location. The platform is easy to use and has an intuitive interface that makes it simple to learn how to use.
Get in touch today to book a demo.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
