Ensuring Secure and Compliant Equipment Maintenance Under ISO 27002 Control 7.13
IT equipment such as servers, laptops, network devices, and printers are vital to many information processing operations such as storage, use, and transfer of information assets.
However, if this equipment is not maintained taking into account product specifications and environmental risks, it may degrade in quality and performance. This lack of maintenance may result in the compromise of availability, integrity, and confidentiality of information assets stored on this equipment.
For example, if an organisation fails to perform regular maintenance on server hardware, it may not recognise that the disk space is full. This may result in loss of data transmitted to or out of the server.
Furthermore, employees or external service providers may gain access to IT equipment as part of the maintenance procedure and this may also present risks to the confidentiality of sensitive information.
For instance, an external maintenance service provider may gain access to sensitive information stored on laptops or install malware into devices.
Control 7.13 deals with how organisations can establish and implement appropriate procedures and measures for the proper maintenance of equipment so that the information assets stored on this equipment are not compromised.
Purpose of Control 7.13
Control 7.13 enables organisations to put in place necessary technical measures and procedures to carry out proper maintenance activities on equipment used to store information assets.
These measures and procedures provide assurance that information assets are not lost or damaged, and they are not exposed to the risk of compromise such as unauthorised access.
Attributes Table of Control 7.13
Control 7.13 is a preventive type of control that requires organisations to take a proactive approach to equipment maintenance.
It entails detecting risks that may arise due to lack of maintenance, establishing equipment maintenance procedures taking into account each equipment’s specifications, and applying appropriate controls that will protect information assets hosted on this equipment against compromise.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality | #Protect | #Physical Security | #Protection |
| #Integrity | #Asset Management | #Resilience | ||
| #Availability |
Compliance doesn't have to be complicated.
We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.
Ownership of Control 7.13
Compliance with Control 7.13 entails creating a list of equipment, carrying out a risk assessment based on environmental factors and product specifications and establishing and implementing suitable procedures and measures for proper maintenance.
While the role of individuals handling this equipment on a daily basis is critical, the information security manager should bear the responsibility for compliance with Control 7.13.
General Guidance on Compliance
Control 7.13 lists 11 specific recommendations for organisations to consider:
- Maintenance procedures should conform to the equipment manufacturer’s specifications such as recommended service frequency.
- Organisations should establish and apply a maintenance programme for all equipment.
- Only the authorised personnel or third parties should be allowed to perform maintenance activities or repairs on equipment.
- Organisations should create and maintain a record of all equipment malfunctioning and faults. Furthermore, this record should also include all maintenance activities carried out on equipment.
- Organisations should apply suitable measures during the performance of maintenance, considering whether the maintenance is performed by an employee or a third-party service provider. Furthermore, the relevant personnel should sign a confidentiality agreement.
- Personnel performing the maintenance work should be supervised at all times.
- Remote maintenance work should be subject to strict access and authorisation procedures.
- If equipment is taken out of premises for maintenance work, organisations should apply appropriate security measures in accordance with Control 7.9.
- Organisations should adhere to all requirements imposed by insurance providers on how to carry out maintenance.
- Organisations should inspect equipment that went through maintenance work to ensure that it is not tampered with and functions properly.
- If the equipment will be disposed of or reused, organisations should establish and implement suitable measures and procedures taking into account the requirements set out in Control 7.14.
Supplementary Guidance on Control 7.14
The Control 7.13 states that the following are considered equipment and fall under the scope of Control 7.13:
- Technical components of information processing facilities
- Batteries
- Fire extinguishers
- Lifts
- Power converters
- Air conditioners
- Similar assets
Manage all your compliance in one place
ISMS.online supports over 100 standards
and regulations, giving you a single
platform for all your compliance needs.
Changes and Differences from ISO 27002:2013
27002:2022/7.13 replaces 27002:2013/(11.2.4)
The 2022 Version Contains More Comprehensive Requirements
Compared to the 2013 version, the Control 7.13 in the 2022 Version sets out more comprehensive requirements. Whereas the 2013 version only listed six specific requirements, the Control 7.13 contains 11 requirements.
Control 7.13 introduces the five following requirements, which were not addressed in the 2013 Version:
- Organisations should establish and apply a maintenance programme for all equipment.
- Personnel performing the maintenance work should be supervised at all times.
- Remote maintenance work should be subject to strict access and authorisation procedures.
- If the equipment will be disposed of or reused, organisations should establish and implement suitable measures and procedures in line with Control 7.14.
- If equipment is taken out of premises for maintenance work, organisations should apply appropriate security measures in accordance with Control 7.9.
The 2022 Version Defines ‘Equipment’
In the Supplementary Guidance, the control 7.13 defines what falls under the scope of ‘Equipment’. In contrast, the 2013 Version did not refer to the meaning of ‘Equipment’.
New ISO 27002 Controls
New Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
Organisational Controls
People Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
Physical Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
Technological Controls
How ISMS.online Helps
ISMS.Online enables you to:
- Document your processes. This intuitive interface allows you to document your processes without installing any software on your computer or network.
- Automate your risk assessment process.
- Demonstrate compliance easily with online reports and checklists.
- Keep a record of progress while working toward certification.
- ISMS.Online offers a full range of features to help organisations and businesses achieve compliance with the industry standard ISO 27001 and/or ISO 27002 ISMS.
Get in touch today to book a demo.
Jump to topic
