Skip to content

ISO 27001:2022 Annex A 7.13 – Secure Equipment Maintenance Explained

ISO 27001:2022 Annex A 7.13 is concerned with establishing and implementing appropriate procedures and measures for the proper maintenance of equipment to ensure that the information assets stored on this equipment will not be compromised.

For the storage, use, and transfer of information assets, IT equipment such as servers, laptops, network devices, and printers are essential. A failure to maintain this equipment according to its specifications and environmental risks may result in poor quality and performance degradation. Due to this lack of maintenance, the integrity, confidentiality, and availability of information assets may be compromised.

For example, an organisation may not realise its disk space is full if it fails to perform regular maintenance on its server hardware. The server may lose data transmitted to or from it as a result.

What Is The Purpose of ISO 27001:2022 Annex A 7.13?

ISO 27001:2022 Annex A 7.13 describes how to conduct proper maintenance on equipment used to store information assets based on technical measures and procedures.

Measures and procedures are put in place to ensure that information assets are protected from loss, damage, and unauthorised access, among other concerns.

ISO 27001:2022 Annex A 7.13 describes a preventive type of control under which organisations need to take an active approach to the maintenance of their equipment.




ISMS.online gives you an 81% Headstart from the moment you log on

ISO 27001 made easy

We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.




Who Has Ownership of Annex A 7.13?

Compliance with Annex A 7.13 states that an equipment list should be prepared, a risk assessment should be conducted based on environmental factors and the specifications of the product, as well as establishing and implementing appropriate procedures and measures to ensure proper maintenance of the equipment.

The Information Security Manager should be responsible for ensuring compliance with ISO 27001:2022 Annex A 7.13 despite the importance of individuals handling this equipment on a daily basis.

General Guidance on ISO 27001:2022 Annex A 7.13 for Compliance

Annex A 7.13 provides organisations with 11 specific recommendations:

  1. Following the equipment manufacturer’s specifications regarding maintenance procedures, such as recommended service intervals, is recommended.
  2. For all equipment, organisations should establish and implement a maintenance programme.
  3. Maintaining or repairing equipment should only be performed by authorised personnel or authorised third parties.
  4. All equipment malfunctions and faults should be recorded by organisations. Furthermore, all maintenance activities on said equipment should also be recorded.
  5. It is essential for organisations to apply suitable maintenance procedures regardless of whether maintenance is performed by their employees or by third parties. Furthermore, confidentiality agreements should be signed by the relevant personnel.
  6. All maintenance personnel should be supervised at all times.
  7. Access and authorisation procedures should be strictly enforced for remote maintenance work.
  8. Organisations should apply appropriate security measures in accordance with Annex A 7.9 whenever equipment is removed from premises for maintenance.
  9. Maintenance requirements imposed by insurance providers should be adhered to by organisations.
  10. To ensure that equipment has not been tampered with and functions properly, companies should inspect it after maintenance.
  11. Organisations should establish and implement suitable measures and procedures for disposing of or reusing equipment under Annex A 7.14.

Supplementary Guidance on Annex A 7.13

ISO 27001:2022 Annex A 7.13 states that the following are considered equipment and fall under the scope of Annex A 7.13:




climbing

Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.




What Are the Changes and Differences From ISO 27001:2013?

ISO 27001:2022 Annex A 7.13 replaces ISO 27001:2013 Annex A 11.2.4 (‘Equipment Maintenance’).

The ISO 27001:2022 Version Contains More Comprehensive Requirements

Compared to the ISO 27001:2013 version, Annex A 7.13 in the 2022 Version sets out more comprehensive requirements.

While the ISO 27001:2013 version only listed six specific requirements, ISO 27001:2022 Annex A 7.13 contains 11 requirements.

Annex A 7.13 introduces the five following requirements, which were not addressed in the ISO 27001:2013 version:

  1. For all equipment, organisations should establish and implement a maintenance programme.
  2. All maintenance personnel should be supervised at all times.
  3. Maintenance work performed remotely should be subject to strict access and authorisation controls.
  4. According to Annex A 7.14, organisations should establish and implement appropriate measures and procedures for disposing of or reusing equipment.
  5. Organisations should apply appropriate security measures in accordance with Annex A 7.9 whenever equipment is removed from premises for maintenance.

The ISO 27001:2022 Revision Defines ‘Equipment’

The Supplementary Guidance defines ‘Equipment’ in Annex A 7.13. In contrast, the ISO 27001:2013 version did not refer to the meaning of ‘Equipment’.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls
Annex A Control Type ISO/IEC 27001:2022 Annex A Identifier ISO/IEC 27001:2013 Annex A Identifier Annex A Name
Organisational Controls Annex A 5.1 Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational Controls Annex A 5.2 Annex A 6.1.1 Information Security Roles and Responsibilities
Organisational Controls Annex A 5.3 Annex A 6.1.2 Segregation of Duties
Organisational Controls Annex A 5.4 Annex A 7.2.1 Management Responsibilities
Organisational Controls Annex A 5.5 Annex A 6.1.3 Contact With Authorities
Organisational Controls Annex A 5.6 Annex A 6.1.4 Contact With Special Interest Groups
Organisational Controls Annex A 5.7 NEW Threat Intelligence
Organisational Controls Annex A 5.8 Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational Controls Annex A 5.9 Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational Controls Annex A 5.10 Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational Controls Annex A 5.11 Annex A 8.1.4 Return of Assets
Organisational Controls Annex A 5.12 Annex A 8.2.1 Classification of Information
Organisational Controls Annex A 5.13 Annex A 8.2.2 Labelling of Information
Organisational Controls Annex A 5.14 Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational Controls Annex A 5.15 Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational Controls Annex A 5.16 Annex A 9.2.1 Identity Management
Organisational Controls Annex A 5.17 Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational Controls Annex A 5.18 Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational Controls Annex A 5.19 Annex A 15.1.1 Information Security in Supplier Relationships
Organisational Controls Annex A 5.20 Annex A 15.1.2 Addressing Information Security Within Supplier Agreements
Organisational Controls Annex A 5.21 Annex A 15.1.3 Managing Information Security in the ICT Supply Chain
Organisational Controls Annex A 5.22 Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational Controls Annex A 5.23 NEW Information Security for Use of Cloud Services
Organisational Controls Annex A 5.24 Annex A 16.1.1 Information Security Incident Management Planning and Preparation
Organisational Controls Annex A 5.25 Annex A 16.1.4 Assessment and Decision on Information Security Events
Organisational Controls Annex A 5.26 Annex A 16.1.5 Response to Information Security Incidents
Organisational Controls Annex A 5.27 Annex A 16.1.6 Learning From Information Security Incidents
Organisational Controls Annex A 5.28 Annex A 16.1.7 Collection of Evidence
Organisational Controls Annex A 5.29 Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational Controls Annex A 5.30 NEW ICT Readiness for Business Continuity
Organisational Controls Annex A 5.31 Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls Annex A 5.32 Annex A 18.1.2 Intellectual Property Rights
Organisational Controls Annex A 5.33 Annex A 18.1.3 Protection of Records
Organisational Controls Annex A 5.34 Annex A 18.1.4 Privacy and Protection of PII
Organisational Controls Annex A 5.35 Annex A 18.2.1 Independent Review of Information Security
Organisational Controls Annex A 5.36 Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational Controls Annex A 5.37 Annex A 12.1.1 Documented Operating Procedures
ISO 27001:2022 People Controls
Annex A Control Type ISO/IEC 27001:2022 Annex A Identifier ISO/IEC 27001:2013 Annex A Identifier Annex A Name
People Controls Annex A 6.1 Annex A 7.1.1 Screening
People Controls Annex A 6.2 Annex A 7.1.2 Terms and Conditions of Employment
People Controls Annex A 6.3 Annex A 7.2.2 Information Security Awareness, Education and Training
People Controls Annex A 6.4 Annex A 7.2.3 Disciplinary Process
People Controls Annex A 6.5 Annex A 7.3.1 Responsibilities After Termination or Change of Employment
People Controls Annex A 6.6 Annex A 13.2.4 Confidentiality or Non-Disclosure Agreements
People Controls Annex A 6.7 Annex A 6.2.2 Remote Working
People Controls Annex A 6.8 Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting
ISO 27001:2022 Physical Controls
Annex A Control Type ISO/IEC 27001:2022 Annex A Identifier ISO/IEC 27001:2013 Annex A Identifier Annex A Name
Physical Controls Annex A 7.1 Annex A 11.1.1 Physical Security Perimeters
Physical Controls Annex A 7.2 Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical Controls Annex A 7.3 Annex A 11.1.3 Securing Offices, Rooms and Facilities
Physical Controls Annex A 7.4 NEW Physical Security Monitoring
Physical Controls Annex A 7.5 Annex A 11.1.4 Protecting Against Physical and Environmental Threats
Physical Controls Annex A 7.6 Annex A 11.1.5 Working In Secure Areas
Physical Controls Annex A 7.7 Annex A 11.2.9 Clear Desk and Clear Screen
Physical Controls Annex A 7.8 Annex A 11.2.1 Equipment Siting and Protection
Physical Controls Annex A 7.9 Annex A 11.2.6 Security of Assets Off-Premises
Physical Controls Annex A 7.10 Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical Controls Annex A 7.11 Annex A 11.2.2 Supporting Utilities
Physical Controls Annex A 7.12 Annex A 11.2.3 Cabling Security
Physical Controls Annex A 7.13 Annex A 11.2.4 Equipment Maintenance
Physical Controls Annex A 7.14 Annex A 11.2.7 Secure Disposal or Re-Use of Equipment
ISO 27001:2022 Technological Controls
Annex A Control Type ISO/IEC 27001:2022 Annex A Identifier ISO/IEC 27001:2013 Annex A Identifier Annex A Name
Technological Controls Annex A 8.1 Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological Controls Annex A 8.2 Annex A 9.2.3 Privileged Access Rights
Technological Controls Annex A 8.3 Annex A 9.4.1 Information Access Restriction
Technological Controls Annex A 8.4 Annex A 9.4.5 Access to Source Code
Technological Controls Annex A 8.5 Annex A 9.4.2 Secure Authentication
Technological Controls Annex A 8.6 Annex A 12.1.3 Capacity Management
Technological Controls Annex A 8.7 Annex A 12.2.1 Protection Against Malware
Technological Controls Annex A 8.8 Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological Controls Annex A 8.9 NEW Configuration Management
Technological Controls Annex A 8.10 NEW Information Deletion
Technological Controls Annex A 8.11 NEW Data Masking
Technological Controls Annex A 8.12 NEW Data Leakage Prevention
Technological Controls Annex A 8.13 Annex A 12.3.1 Information Backup
Technological Controls Annex A 8.14 Annex A 17.2.1 Redundancy of Information Processing Facilities
Technological Controls Annex A 8.15 Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological Controls Annex A 8.16 NEW Monitoring Activities
Technological Controls Annex A 8.17 Annex A 12.4.4 Clock Synchronization
Technological Controls Annex A 8.18 Annex A 9.4.4 Use of Privileged Utility ProgramsAccess Rights
Technological Controls Annex A 8.19 Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological Controls Annex A 8.20 Annex A 13.1.1 Networks Security
Technological Controls Annex A 8.21 Annex A 13.1.2 Security of Network Services
Technological Controls Annex A 8.22 Annex A 13.1.3 Segregation of Networks
Technological Controls Annex A 8.23 NEW Web filtering
Technological Controls Annex A 8.24 Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological Controls Annex A 8.25 Annex A 14.2.1 Secure Development Life Cycle
Technological Controls Annex A 8.26 Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological Controls Annex A 8.27 Annex A 14.2.5 Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents
Technological Controls Annex A 8.28 NEW Secure Coding
Technological Controls Annex A 8.29 Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological Controls Annex A 8.30 Annex A 14.2.7 Outsourced Development
Technological Controls Annex A 8.31 Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological Controls Annex A 8.32 Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological Controls Annex A 8.33 Annex A 14.3.1 Test Information
Technological Controls Annex A 8.34 Annex A 12.7.1 Protection of Information Systems During Audit Testing

How ISMS.online Help

You can do the following with ISMS.online:

  • Make sure your processes are documented. Using this intuitive interface, you can document your processes without installing any software.
  • Assess risks more efficiently by automating the process.
  • With online reports and checklists, you can easily demonstrate compliance.
  • While working toward certification, keep a record of your progress.

ISMS.online offers a full range of features to help organisations and businesses achieve compliance with the standard ISO 27001:2022.

Get in touch with us today to schedule a demo.


Mike Jennings

Mike is the Integrated Management System (IMS) Manager here at ISMS.online. In addition to his day-to-day responsibilities of ensuring that the IMS security incident management, threat intelligence, corrective actions, risk assessments and audits are managed effectively and kept up to date, Mike is a certified lead auditor for ISO 27001 and continues to enhance his other skills in information security and privacy management standards and frameworks including Cyber Essentials, ISO 27001 and many more.

ISO 27001:2022 Annex A Controls

Organisational Controls