ISO 27001:2022 A.7.13 Equipment maintenance

This article provides additional information on how you can meet the requirement for the ISO 27001:2022 control A.7.13 Equipment maintenance.

ISO 27001:2022 Control Description

Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.

Purpose

To prevent loss, damage, theft, or compromise of information and other associated assets, and to avoid interruptions to the organisation’s operations due to inadequate maintenance.

Guidance on implementation

Follow these guidelines to maintain equipment properly:

a) Adhere to Specifications: Maintain equipment according to the supplier’s recommended service frequency and specifications.

b) Maintenance Programme: Implement and monitor a regular maintenance programme for all equipment.

c) Authorised Personnel: Ensure that only authorised maintenance personnel carry out repairs and maintenance.

d) Record Keeping: Keep detailed records of all suspected or actual faults, as well as all preventive and corrective maintenance activities.

e) Maintenance Controls: Apply appropriate controls when equipment is scheduled for maintenance. This includes considering whether maintenance is done on-site or by external personnel, and ensuring that maintenance personnel are subject to confidentiality agreements.

f) Supervision: Supervise maintenance personnel when they perform work on-site.

g) Remote Maintenance: Authorise and control access for remote maintenance activities.

h) Off-Premises Security: Implement security measures if equipment containing information is taken off-premises for maintenance.

i) Insurance Requirements: Comply with all maintenance requirements set by insurance policies.

j) Post-Maintenance Inspection: Inspect equipment before returning it to operation to ensure it has not been tampered with and is functioning correctly.

k) Secure Disposal or Reuse: Apply secure disposal or reuse measures before equipment is disposed of or reused.

Additional Information

Equipment includes technical components of information processing facilities, uninterruptible power supplies (UPS), batteries, power generators, power alternators and converters, physical intrusion detection systems, alarms, smoke detectors, fire extinguishers, air conditioning units, and lifts.