Skip to content
ISMS.online

ISO 27002:2022 – Control 7.13 – Equipment Maintenance

ISO 27002 Control 7.13 outlines best practices for equipment maintenance to protect information assets from loss, damage, or unauthorised access, ensuring compliance with security protocols and manufacturer guidelines.

Author
Sam Peters
Updated July 25, 2025
4/5 Stars

Ensuring Secure and Compliant Equipment Maintenance Under ISO 27002 Control 7.13

IT equipment such as servers, laptops, network devices, and printers are vital to many information processing operations such as storage, use, and transfer of information assets.

However, if this equipment is not maintained taking into account product specifications and environmental risks, it may degrade in quality and performance. This lack of maintenance may result in the compromise of availability, integrity, and confidentiality of information assets stored on this equipment.

For example, if an organisation fails to perform regular maintenance on server hardware, it may not recognise that the disk space is full. This may result in loss of data transmitted to or out of the server.

Furthermore, employees or external service providers may gain access to IT equipment as part of the maintenance procedure and this may also present risks to the confidentiality of sensitive information.

For instance, an external maintenance service provider may gain access to sensitive information stored on laptops or install malware into devices.

Control 7.13 deals with how organisations can establish and implement appropriate procedures and measures for the proper maintenance of equipment so that the information assets stored on this equipment are not compromised.

Purpose of Control 7.13

Control 7.13 enables organisations to put in place necessary technical measures and procedures to carry out proper maintenance activities on equipment used to store information assets.

These measures and procedures provide assurance that information assets are not lost or damaged, and they are not exposed to the risk of compromise such as unauthorised access.

Attributes Table of Control 7.13

Control 7.13 is a preventive type of control that requires organisations to take a proactive approach to equipment maintenance.

It entails detecting risks that may arise due to lack of maintenance, establishing equipment maintenance procedures taking into account each equipment’s specifications, and applying appropriate controls that will protect information assets hosted on this equipment against compromise.

Control Type Information Security Properties Cybersecurity Concepts Operational Capabilities Security Domains
#Preventive #Confidentiality #Protect #Physical Security #Protection
#Integrity #Asset Management #Resilience
#Availability


climbing

Free yourself from a mountain of spreadsheets

Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.

Book your demo


Ownership of Control 7.13

Compliance with Control 7.13 entails creating a list of equipment, carrying out a risk assessment based on environmental factors and product specifications and establishing and implementing suitable procedures and measures for proper maintenance.

While the role of individuals handling this equipment on a daily basis is critical, the information security manager should bear the responsibility for compliance with Control 7.13.

General Guidance on Compliance

Control 7.13 lists 11 specific recommendations for organisations to consider:

  1. Maintenance procedures should conform to the equipment manufacturer’s specifications such as recommended service frequency.
  2. Organisations should establish and apply a maintenance programme for all equipment.
  3. Only the authorised personnel or third parties should be allowed to perform maintenance activities or repairs on equipment.
  4. Organisations should create and maintain a record of all equipment malfunctioning and faults. Furthermore, this record should also include all maintenance activities carried out on equipment.
  5. Organisations should apply suitable measures during the performance of maintenance, considering whether the maintenance is performed by an employee or a third-party service provider. Furthermore, the relevant personnel should sign a confidentiality agreement.
  6. Personnel performing the maintenance work should be supervised at all times.
  7. Remote maintenance work should be subject to strict access and authorisation procedures.
  8. If equipment is taken out of premises for maintenance work, organisations should apply appropriate security measures in accordance with Control 7.9.
  9. Organisations should adhere to all requirements imposed by insurance providers on how to carry out maintenance.
  10. Organisations should inspect equipment that went through maintenance work to ensure that it is not tampered with and functions properly.
  11. If the equipment will be disposed of or reused, organisations should establish and implement suitable measures and procedures taking into account the requirements set out in Control 7.14.

Supplementary Guidance on Control 7.14

The Control 7.13 states that the following are considered equipment and fall under the scope of Control 7.13:

  1. Technical components of information processing facilities
  2. Batteries
  3. Fire extinguishers
  4. Lifts
  5. Power converters
  6. Air conditioners
  7. Similar assets


ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

Manage all your compliance, all in one place

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

Book your demo


Changes and Differences from ISO 27002:2013

27002:2022/7.13 replaces 27002:2013/(11.2.4)

The 2022 Version Contains More Comprehensive Requirements

Compared to the 2013 version, the Control 7.13 in the 2022 Version sets out more comprehensive requirements. Whereas the 2013 version only listed six specific requirements, the Control 7.13 contains 11 requirements.

Control 7.13 introduces the five following requirements, which were not addressed in the 2013 Version:

  • Organisations should establish and apply a maintenance programme for all equipment.
  • Personnel performing the maintenance work should be supervised at all times.
  • Remote maintenance work should be subject to strict access and authorisation procedures.
  • If the equipment will be disposed of or reused, organisations should establish and implement suitable measures and procedures in line with Control 7.14.
  • If equipment is taken out of premises for maintenance work, organisations should apply appropriate security measures in accordance with Control 7.9.

The 2022 Version Defines ‘Equipment’

In the Supplementary Guidance, the control 7.13 defines what falls under the scope of ‘Equipment’. In contrast, the 2013 Version did not refer to the meaning of ‘Equipment’.

New ISO 27002 Controls

New Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
5.7 NEW Threat intelligence
5.23 NEW Information security for use of cloud services
5.30 NEW ICT readiness for business continuity
7.4 NEW Physical security monitoring
8.9 NEW Configuration management
8.10 NEW Information deletion
8.11 NEW Data masking
8.12 NEW Data leakage prevention
8.16 NEW Monitoring activities
8.23 NEW Web filtering
8.28 NEW Secure coding
Organisational Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
5.1 05.1.1, 05.1.2 Policies for information security
5.2 06.1.1 Information security roles and responsibilities
5.3 06.1.2 Segregation of duties
5.4 07.2.1 Management responsibilities
5.5 06.1.3 Contact with authorities
5.6 06.1.4 Contact with special interest groups
5.7 NEW Threat intelligence
5.8 06.1.5, 14.1.1 Information security in project management
5.9 08.1.1, 08.1.2 Inventory of information and other associated assets
5.10 08.1.3, 08.2.3 Acceptable use of information and other associated assets
5.11 08.1.4 Return of assets
5.12 08.2.1 Classification of information
5.13 08.2.2 Labelling of information
5.14 13.2.1, 13.2.2, 13.2.3 Information transfer
5.15 09.1.1, 09.1.2 Access control
5.16 09.2.1 Identity management
5.17 09.2.4, 09.3.1, 09.4.3 Authentication information
5.18 09.2.2, 09.2.5, 09.2.6 Access rights
5.19 15.1.1 Information security in supplier relationships
5.20 15.1.2 Addressing information security within supplier agreements
5.21 15.1.3 Managing information security in the ICT supply chain
5.22 15.2.1, 15.2.2 Monitoring, review and change management of supplier services
5.23 NEW Information security for use of cloud services
5.24 16.1.1 Information security incident management planning and preparation
5.25 16.1.4 Assessment and decision on information security events
5.26 16.1.5 Response to information security incidents
5.27 16.1.6 Learning from information security incidents
5.28 16.1.7 Collection of evidence
5.29 17.1.1, 17.1.2, 17.1.3 Information security during disruption
5.30 5.30 ICT readiness for business continuity
5.31 18.1.1, 18.1.5 Legal, statutory, regulatory and contractual requirements
5.32 18.1.2 Intellectual property rights
5.33 18.1.3 Protection of records
5.34 18.1.4 Privacy and protection of PII
5.35 18.2.1 Independent review of information security
5.36 18.2.2, 18.2.3 Compliance with policies, rules and standards for information security
5.37 12.1.1 Documented operating procedures
People Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
6.1 07.1.1 Screening
6.2 07.1.2 Terms and conditions of employment
6.3 07.2.2 Information security awareness, education and training
6.4 07.2.3 Disciplinary process
6.5 07.3.1 Responsibilities after termination or change of employment
6.6 13.2.4 Confidentiality or non-disclosure agreements
6.7 06.2.2 Remote working
6.8 16.1.2, 16.1.3 Information security event reporting
Physical Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
7.1 11.1.1 Physical security perimeters
7.2 11.1.2, 11.1.6 Physical entry
7.3 11.1.3 Securing offices, rooms and facilities
7.4 NEW Physical security monitoring
7.5 11.1.4 Protecting against physical and environmental threats
7.6 11.1.5 Working in secure areas
7.7 11.2.9 Clear desk and clear screen
7.8 11.2.1 Equipment siting and protection
7.9 11.2.6 Security of assets off-premises
7.10 08.3.1, 08.3.2, 08.3.3, 11.2.5 Storage media
7.11 11.2.2 Supporting utilities
7.12 11.2.3 Cabling security
7.13 11.2.4 Equipment maintenance
7.14 11.2.7 Secure disposal or re-use of equipment
Technological Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
8.1 06.2.1, 11.2.8 User endpoint devices
8.2 09.2.3 Privileged access rights
8.3 09.4.1 Information access restriction
8.4 09.4.5 Access to source code
8.5 09.4.2 Secure authentication
8.6 12.1.3 Capacity management
8.7 12.2.1 Protection against malware
8.8 12.6.1, 18.2.3 Management of technical vulnerabilities
8.9 NEW Configuration management
8.10 NEW Information deletion
8.11 NEW Data masking
8.12 NEW Data leakage prevention
8.13 12.3.1 Information backup
8.14 17.2.1 Redundancy of information processing facilities
8.15 12.4.1, 12.4.2, 12.4.3 Logging
8.16 NEW Monitoring activities
8.17 12.4.4 Clock synchronization
8.18 09.4.4 Use of privileged utility programs
8.19 12.5.1, 12.6.2 Installation of software on operational systems
8.20 13.1.1 Networks security
8.21 13.1.2 Security of network services
8.22 13.1.3 Segregation of networks
8.23 NEW Web filtering
8.24 10.1.1, 10.1.2 Use of cryptography
8.25 14.2.1 Secure development life cycle
8.26 14.1.2, 14.1.3 Application security requirements
8.27 14.2.5 Secure system architecture and engineering principles
8.28 NEW Secure coding
8.29 14.2.8, 14.2.9 Security testing in development and acceptance
8.30 14.2.7 Outsourced development
8.31 12.1.4, 14.2.6 Separation of development, test and production environments
8.32 12.1.2, 14.2.2, 14.2.3, 14.2.4 Change management
8.33 14.3.1 Test information
8.34 12.7.1 Protection of information systems during audit testing

How ISMS.online Helps

ISMS.Online enables you to:

  • Document your processes. This intuitive interface allows you to document your processes without installing any software on your computer or network.
  • Automate your risk assessment process.
  • Demonstrate compliance easily with online reports and checklists.
  • Keep a record of progress while working toward certification.
  • ISMS.Online offers a full range of features to help organisations and businesses achieve compliance with the industry standard ISO 27001 and/or ISO 27002 ISMS.

Get in touch today to book a demo.

Sam Peters

Sam is Chief Product Officer at ISMS.online and leads the development on all product features and functionality. Sam is an expert in many areas of compliance and works with clients on any bespoke or large-scale projects.

Take a virtual tour

Start your free 2-minute interactive demo now and see
ISMS.online in action!

Try it now
platform dashboard full on crystal

We’re a Leader in our Field

4/5 Stars
Users Love Us
Leader - Fall 2025
High Performer, Small Business - Fall 2025 UK
Regional Leader - Fall 2025 Europe
Regional Leader - Fall 2025 EMEA
Regional Leader - Fall 2025 UK
High Performer - Fall 2025 Europe Mid-market

"ISMS.Online, Outstanding tool for Regulatory Compliance"

— Jim M.

"Makes external audits a breeze and links all aspects of your ISMS together seamlessly"

— Karen C.

"Innovative solution to managing ISO and other accreditations"

— Ben H.