ISO 27001:2022 A.7.11 Supporting utilities

This article provides additional information on how you can meet the requirement of ISO 27001:2022 A.7.11 Supporting utilities.

Control

Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.

Purpose

To prevent loss, damage, or compromise of information and associated assets, and to avoid interruptions to the organisation’s operations due to utility failures or disruptions.

Guidance

Organisations rely on various utilities, such as electricity, telecommunications, water supply, gas, sewage, ventilation, and air conditioning, to support their information processing facilities. To protect against disruptions, organisations should consider:

  1. Configuration and Maintenance: ensure that all equipment supporting utilities is properly configured, operated, and maintained according to the manufacturer’s specifications.
  2. Capacity and Interactions: regularly assess the capacity of utilities to accommodate business growth and how they interact with other supporting utilities.
  3. Inspection and Testing: regularly inspect and test the equipment supporting utilities to confirm it is functioning correctly.
  4. Malfunction Detection: implement alarms to detect any malfunctions in utilities if necessary.
  5. Multiple Utility Feeds: if required, ensure utilities have multiple feeds with diverse physical routing to prevent single points of failure.
  6. Network Separation: if the equipment supporting utilities is connected to a network, ensure it is on a separate network from the information processing facilities.
  7. Secure Internet Connections: ensure that equipment supporting utilities is connected to the internet only when necessary and that these connections are secure.

Emergency Preparedness:

  • Provide emergency lighting and communications.
  • Place emergency switches and valves to cut off power, water, gas, or other utilities near emergency exits or equipment rooms.
  • Maintain a record of emergency contact details and ensure they are accessible to staff in the event of an outage.

Other Information

Consider additional redundancy for network connectivity by securing multiple routes from different utility providers.