ISO 27002 Control 7.11: Ensuring Reliable and Secure Supporting Utilities
Failure or disruptions of utilities such as electricity, gas, water, or cooling needed for proper and continuous functioning of information processing facilities may result in compromise of information assets or may intercept business continuity.
For example, the failure of air conditioning equipment in a data centre may lead to a sudden rise in temperature when the data centre is hit by a heatwave. This may cause servers hosting website and/or customer data to shut down, and thus result in loss of availability of data and disruptions to business operations.
Control 7.11 addresses how organisations can eliminate risks to the availability and integrity of information assets due to the failure of supporting utilities such as gas, cooling, telecommunications, water, and electricity.
Purpose of Control 7.11
Control 7.11 enables organisations to eliminate and mitigate risks to the availability and integrity of information assets and to the business continuity by putting in place appropriate measures that protect supporting utilities against failures and disruptions such as power outages.
Attributes Table of Control 7.11
Control 7.11 is both detective and preventive in nature as it requires organisations to take a proactive approach and implement precautionary measures against the risks to the proper and continuous functioning of utilities required for information processing facilities such as data centres, network systems, and computing equipment.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Integrity | #Protect | #Physical Security | #Protection |
| #Detective | #Availability | #Detect |
Ownership of Control 7.11
Control 7.11 entails identifying risks to the continuous operations of supporting utilities and implementation of appropriate measures and controls to ensure that availability and integrity of information assets are not affected by failures of these utilities.
While the facilities management team’s role and efforts are critical, the information security manager should bear the responsibility for compliance with Control 7.11.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
General Guidance on Compliance
After highlighting that supporting utilities such as water supply, electricity, communications, sewage, and air conditioning is vital to the operations carried out in information processing facilities.
General Guidance lists seven key recommendations organisations should take into account to comply with Control 7.11:
- Organisations should conform to the manufacturer’s instructions when configuring, using, and maintaining the devices used to control the utilities.
- Utilities should be audited to ensure that they are fit to fulfil business growth objectives and they operate with other utilities without any issue.
- All equipment supporting the utilities should go through regular inspections and testing so that there is no disruption or failure of their proper functioning.
- Depending on the level of risk to the information assets and business continuity, an alarm system can be established for malfunctioning equipment supporting the utilities.
- To minimise the risk, utilities should have multiple feeds with separate physical routing.
- The network connected to the equipment supporting utilities should be segregated from the network connected to IT facilities.
- Equipment supporting the utilities should be allowed to connect to the internet only if it is strictly necessary and this connection should be established in a secure manner.
Supplementary Guidance
Apart from the General Guidance, Control 7.11 entails recommendations on two specific issues:
- Emergency procedures
Organisations should determine an emergency contact person and record his/her contact details. These details should be provided to all personnel in the event a failure or disruption occurs.
Emergency switches and valves to halt utilities such as water, gas, and electricity should be placed near the emergency exits.
Emergency lighting and communications should be ready to be used in case an emergency arises.
- Network connectivity
Organisations can consider having additional routes from alternative service providers to increase network connectivity so that failures or disruptions of supporting utilities are prevented.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Changes and Differences from ISO 27002:2013
27002:2022/7.11 replaces 27002:2013/(11.2.2)
While the 2022 version is similar to the 2013 version to great extent, there is one key difference.
The ISO 27002:2022 version introduces the following two requirements in its General Guidance:
- The network connected to the equipment supporting utilities should be segregated from the network connected to IT facilities.
- Equipment supporting the utilities should be allowed to connect to the internet only if it is strictly necessary and this connection should be established in a secure manner.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.online Helps
Companies can use ISMS.Online to help them with their ISO 27002 compliance efforts by providing them with a platform that makes it easy to manage their security policies and procedures, update them as needed, test them and monitor their effectiveness.
Our cloud-based platform allows you to quickly and easily manage all the aspects of your ISMS, including risk management, policies, plans, procedures and more, in one central location. The platform is easy to use and has an intuitive interface that makes it simple to learn how to use.
Get in touch today to book a demo.
