ISO 27001 Control 7.11: Supporting Utilities

How to Keep Power, Cooling and Connectivity from Taking You Down

ISO 27001 Control 7.11 Supporting utilities is about all the “dull but worthy” things that quietly keep your information processing facilities running: power, cooling, water, communications, building systems, and so on.

When those supporting utilities fail, your servers, networks and applications can go down with them – and in the worst case, you can lose or corrupt information. Control 7.11 asks you to design, protect and monitor supporting utilities so that your critical systems stay available and stable.

This guide explains what ISO 27001 Control 7.11 is really asking for, and how to put practical measures in place around power, cooling, connectivity and other utilities.


What ISO 27001 Control 7.11 Actually Requires

In plain English, ISO 27001 Control 7.11 – Supporting utilities expects you to:

  • Identify which utilities your information processing facilities depend on (power, cooling, network, water, gas, etc.).
  • Make sure they are designed, configured and maintained so they can support your operations reliably.
  • Put redundancy, monitoring and alarms in place where failure would have a serious impact.
  • Plan for emergencies and outages, so you can respond quickly and safely when something goes wrong.

This is mainly about integrity and availability – preventing your systems from crashing, corrupting data, or becoming unusable because a supporting utility failed.


Step 1 – Work Out Which Supporting Utilities Really Matter

Start by listing the supporting utilities your information processing facilities rely on. For ISO 27001 Control 7.11, that usually includes:

  • Electrical power
    – Mains supply, UPS, generators, power distribution units (PDUs).
  • Cooling and environmental control
    – Air conditioning, ventilation, fans, environmental sensors.
  • Network and communications
    – Internet connectivity, WAN links, telephony, leased lines, fibre.
  • Other building services (where relevant)
    – Water or gas supplies needed for key systems or fire suppression.
    – Building management systems (BMS) controlling HVAC, power, access, etc.

Then ask:

  • Which information processing facilities depend on each utility?
  • What happens to availability and data integrity if the utility fails?
  • Where are the single points of failure?

This forms the basis of your risk assessment and helps you decide how far you need to go to comply with ISO 27001 Control 7.11.


Step 2 – Configure and Maintain Utility-Supporting Equipment Properly

Supporting utilities only help you if the equipment that delivers them is designed and looked after properly.

For ISO 27001 Control 7.11, make sure that:

  • UPS, generators and power distribution equipment
    – Are sized to support your critical loads.
    – Are installed according to manufacturer specifications and local standards.
    – Have documented run times and failover behaviour.
  • Cooling systems
    – Are configured to maintain safe operating temperatures for your kit.
    – Have sufficient capacity for current and planned future loads.
    – Are monitored for failures and thresholds (temperature/humidity alerts).
  • Network and comms equipment
    – Routers, switches, firewalls and edge devices are configured securely.
    – Provider CPE (customer premises equipment) is documented and checked.
  • Maintenance and servicing
    – Planned preventative maintenance (PPM) is scheduled and recorded.
    – Firmware and software on utility-related devices are kept up to date where appropriate.
    – Contracts with landlords, facility managers or third parties define who does what.

Control 7.11 is satisfied more easily if you can show clear documentation for configuration, maintenance schedules and service records.


Step 3 – Inspect, Test and Monitor Supporting Utilities

To support integrity and availability, ISO 27001 Control 7.11 expects you to spot problems early and react quickly.

Practical steps include:

  • Regular inspections
    – Visual checks of UPS, generators, distribution boards, cooling units, cabling.
    – Look for leaks, damage, unusual noise, clutter around critical equipment.
  • Planned testing
    – Testing generator start-up and automatic transfer switch (ATS) operation.
    – Periodic validation of UPS failover and load.
    – Simulated comms failures or failover tests for network resilience.
  • Monitoring and alarms
    – Environmental monitoring (temperature, humidity, water leaks) in server rooms and comms areas.
    – Alerts on mains failure, UPS on battery, generator faults, high load, network link down, etc.
    – Clear on-call or escalation routes when alarms trigger.

The goal is to move from “we found out when it failed” to “we see early warning signs and deal with them before they cause an outage” – exactly what ISO 27001 Control 7.11 is driving at.
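To make the "early warning" idea concrete, here is an added example (not from the original article) of the alerting logic behind Step 3: it evaluates constructed environmental and UPS readings against warning and critical thresholds, treats a sensor that has gone quiet as a warning in its own right rather than trusting a stale value, and attaches an escalation route to each alert. The thresholds, room and sensor names, readings and on-call routes are all assumptions for illustration.

```python
"""Threshold-based alerting over environmental and UPS readings.

Added example, not from the original article. Thresholds, rooms, sensor
names and readings are constructed; real values come from manufacturer
specifications and the site's own risk assessment.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed thresholds (assumption): warning fires first, critical later.
THRESHOLDS = {
    "temperature_c": {"warning": 27.0, "critical": 32.0},
    "humidity_pct":  {"warning": 60.0, "critical": 70.0},
    "ups_load_pct":  {"warning": 80.0, "critical": 95.0},
}
STALE_AFTER = timedelta(minutes=10)     # no data is itself a warning sign
ESCALATION = {                          # constructed on-call routes
    "warning":  "facilities-oncall",
    "critical": "facilities-oncall+it-oncall",
}


@dataclass
class Reading:
    sensor: str
    room: str
    metric: str
    value: object        # float for numeric metrics, bool/str for status ones
    ts: datetime


def classify(metric: str, value) -> str | None:
    """Map one fresh reading to 'warning', 'critical' or None (normal)."""
    if metric in THRESHOLDS:
        levels = THRESHOLDS[metric]
        if value >= levels["critical"]:
            return "critical"
        if value >= levels["warning"]:
            return "warning"
        return None
    if metric == "water_leak":
        return "critical" if value else None
    if metric == "ups_status":
        # 'on_battery' means mains has already failed; treat as critical.
        return {"online": None, "on_battery": "critical",
                "fault": "critical"}.get(value, "warning")
    return "warning"     # unknown metric: surface it rather than ignore it


def evaluate(readings: list[Reading], now: datetime) -> list[dict]:
    """Turn readings into alerts, most severe first. A stale reading is
    reported as a warning without trusting its value."""
    alerts = []
    for r in readings:
        age = now - r.ts
        if age > STALE_AFTER:
            sev, msg = "warning", f"no fresh data for {age} (sensor or link failure?)"
        else:
            sev, msg = classify(r.metric, r.value), f"{r.metric}={r.value}"
        if sev:
            alerts.append({"severity": sev, "room": r.room, "sensor": r.sensor,
                           "message": msg, "route": ESCALATION[sev]})
    order = {"critical": 0, "warning": 1}
    alerts.sort(key=lambda a: (order[a["severity"]], a["room"], a["sensor"]))
    return alerts


# Constructed sample readings around a fixed "now" so the run is repeatable.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_READINGS = [
    Reading("temp-sr1",   "server-room", "temperature_c", 24.5, NOW - timedelta(minutes=1)),
    Reading("temp-cr2",   "comms-room",  "temperature_c", 29.0, NOW - timedelta(minutes=1)),
    Reading("hum-sr1",    "server-room", "humidity_pct",  72.0, NOW - timedelta(minutes=2)),
    Reading("leak-cr2",   "comms-room",  "water_leak",    True, NOW - timedelta(minutes=1)),
    Reading("ups-sr1",    "server-room", "ups_status",    "on_battery", NOW - timedelta(seconds=30)),
    Reading("ups-sr1",    "server-room", "ups_load_pct",  85.0, NOW - timedelta(seconds=30)),
    Reading("temp-store", "store-room",  "temperature_c", 22.0, NOW - timedelta(minutes=30)),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_READINGS, NOW):
        print(f"[{a['severity'].upper():8}] {a['room']}/{a['sensor']}: "
              f"{a['message']} -> {a['route']}")
```

Run as a script it prints six alerts from the seven sample readings: three critical (humidity over 70%, a water leak, UPS on battery) and three warnings (temperature over 27°C, UPS load over 80%, and the store-room sensor that has not reported for 30 minutes). The stale check runs before the threshold check deliberately: a sensor that stops reporting is exactly the kind of failure that otherwise gets noticed only after the outage.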


Step 4 – Design Redundancy and Diversity into Supporting Utilities

You don’t always need gold-plated resilience everywhere, but for critical facilities ISO 27001 Control 7.11 expects you to think carefully about redundancy.

Options include:

  • Power redundancy
    – Dual power feeds to critical servers and network devices.
    – UPS protecting key systems, with sufficient runtime for graceful shutdown or generator start-up.
    – Generators or secondary power sources for prolonged outages.
  • Cooling redundancy
    – Multiple AC units so that if one fails, others can maintain safe temperatures.
    – Load sharing and failover configurations.
  • Network and connectivity redundancy
    – Multiple WAN links using different providers or routes.
    – Redundant edge devices (e.g. firewalls, routers) in HA pairs.
    – Avoiding a single demarcation point where possible.
  • Physical diversity
    – Cables and utilities routed through different paths where practical (e.g. separate risers or conduits).
    – Avoiding single ducts that carry power and all network links together.

Not every organisation needs full N+1 everything, but you should be able to explain how your design choices match the criticality of your services under ISO 27001 Control 7.11.
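The questions in Step 1 (which facilities depend on which utility, and where the single points of failure are) and the redundancy and physical-diversity choices in Step 4 can be checked with the same small dependency map. The following is an added example, not from the original article: a facility is modelled as depending on one or more components per utility class, components that share a riser or duct are grouped so they fail together, and the script reports every single failure event that would take a facility offline. Facility, component and path names are constructed for illustration.

```python
"""Single-point-of-failure analysis over a utility dependency map.

Added example, not from the original article. Facility names, utility
components and shared physical paths below are constructed for illustration.
"""
from __future__ import annotations

# Constructed sample: each information processing facility and, per utility
# class, the components that can serve it. A facility stays up while every
# utility class it depends on still has at least one working component.
FACILITIES = {
    "primary-server-room": {
        "power":   ["mains-feed-a", "mains-feed-b"],   # dual feeds (N+1)
        "cooling": ["crac-1", "crac-2"],               # two AC units
        "network": ["wan-isp1", "wan-isp2"],           # two providers
    },
    "comms-room-floor2": {
        "power":   ["mains-feed-a"],                   # single feed
        "cooling": ["split-ac-3"],                     # single unit
        "network": ["wan-isp1"],                       # single link
    },
}

# Constructed physical routing: components sharing a riser or duct fail
# together (fire, flood, a contractor drilling through it).
SHARED_PATHS = {
    "riser-east": ["mains-feed-a", "wan-isp1"],
    "duct-north": ["wan-isp1", "wan-isp2"],   # both WAN links in one duct
}


def failed_components(event: str, shared: dict[str, list[str]]) -> set[str]:
    """Expand a failure event (a component or a shared path) into the set
    of components it takes out."""
    return set(shared.get(event, [event]))


def facility_up(deps: dict[str, list[str]], failed: set[str]) -> bool:
    """True while every utility class still has a surviving component."""
    return all(any(c not in failed for c in comps) for comps in deps.values())


def single_points_of_failure(facilities=FACILITIES, shared=SHARED_PATHS):
    """Return {event: [facilities taken offline]} for every single failure
    event (one component or one shared path) that takes a facility down."""
    components = {c for deps in facilities.values()
                  for comps in deps.values() for c in comps}
    events = sorted(components) + sorted(shared)
    result = {}
    for event in events:
        failed = failed_components(event, shared)
        down = sorted(name for name, deps in facilities.items()
                      if not facility_up(deps, failed))
        if down:
            result[event] = down
    return result


if __name__ == "__main__":
    for event, down in single_points_of_failure().items():
        print(f"{event:14} -> takes down {', '.join(down)}")
```

On the sample data the comms room shows up under each of its single-fed utilities, as expected. The more useful finding is `duct-north`: the primary server room has two WAN links from two providers, so no single link is a point of failure, yet because both links run through one duct the duct itself is. That is the "single ducts that carry all network links together" case from Step 4, and it only appears when physical routing is part of the map.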


Step 5 – Secure and Segment Network-Connected Utility Equipment

Many modern building and utility systems are network-enabled: smart UPS units, environmental monitors, IP-enabled power strips, HVAC controllers, and so on. They’re convenient – and they can be an attack path.

For ISO 27001 Control 7.11, you should:

  • Connect utility equipment to the network only when necessary
    – Don’t expose devices if local-only control is sufficient.
    – Turn off unnecessary remote access services.
  • Segment and isolate
    – Place building and utility systems on separate network segments from production information systems.
    – Apply strict firewall rules between these segments.
  • Secure configurations
    – Change default passwords and disable unused accounts.
    – Apply patches and firmware updates where supported and safe.
    – Use secure management protocols (e.g. HTTPS, SSH) rather than legacy insecure ones.
  • Secure internet connectivity (if needed)
    – If a vendor or monitoring service needs remote access, ensure VPNs or other secure methods are used.
    – Avoid exposing building or utility controls directly to the public internet.

This supports both the protection and detection aspects of ISO 27001 Control 7.11.
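The segmentation and secure-configuration points above lend themselves to an automated check. The following is an added example, not from the original article: a constructed "weak" ruleset of the kind left behind after a vendor install sits beside a constructed hardened one, and a small audit function flags rules that expose the utility segment directly to the internet, allow unrestricted ports into it, permit legacy management protocols, let utility devices initiate connections into production, or leave the segment without an explicit default deny. Zone names, rule names and port lists are assumptions.

```python
"""Audit of firewall rules between the utility/building segment and others.

Added example, not from the original article. Zone names, rule names and
port lists are constructed; the checks reflect the guidance in the text
(no direct internet exposure, strict rules between segments, secure
management protocols only).
"""
from __future__ import annotations
from dataclasses import dataclass

# Ports of legacy management protocols the checks refuse into the utility zone.
INSECURE_MGMT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str        # "tcp", "udp" or "any"
    dports: object    # set of destination ports, or the string "any"
    action: str       # "allow" or "deny"


# Constructed weak ruleset: the kind of thing found after a vendor install.
WEAK_RULES = [
    Rule("vendor-ups-access", "internet",   "utility",    "tcp", {80, 23}, "allow"),
    Rule("prod-to-bms",       "production", "utility",    "any", "any",    "allow"),
    Rule("utility-to-prod",   "utility",    "production", "any", "any",    "allow"),
]

# Constructed hardened ruleset serving the same needs.
HARDENED_RULES = [
    Rule("vpn-to-utility-mgmt",      "vpn-vendor", "utility",    "tcp", {22, 443}, "allow"),
    Rule("monitoring-to-utility",    "monitoring", "utility",    "udp", {161},     "allow"),
    Rule("utility-traps-to-monitor", "utility",    "monitoring", "udp", {162},     "allow"),
    Rule("default-deny-to-utility",  "any",        "utility",    "any", "any",     "deny"),
    Rule("default-deny-from-utility","utility",    "any",        "any", "any",     "deny"),
]


def audit(rules: list[Rule], utility_zone: str = "utility") -> list[tuple[str, str]]:
    """Return (rule name, finding) pairs for rules that break segmentation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        into_utility = r.dst_zone == utility_zone
        if into_utility and r.src_zone == "internet":
            findings.append((r.name, "utility segment reachable directly from the internet"))
        if into_utility and r.dports == "any":
            findings.append((r.name, "unrestricted ports into the utility segment"))
        elif into_utility:
            bad = sorted(p for p in r.dports if p in INSECURE_MGMT_PORTS)
            if bad:
                names = ", ".join(f"{p}/{INSECURE_MGMT_PORTS[p]}" for p in bad)
                findings.append((r.name, f"insecure management protocols allowed: {names}"))
        if r.src_zone == utility_zone and r.dst_zone == "production":
            findings.append((r.name, "utility segment may initiate connections into production"))
    # Segmentation only holds if everything not explicitly allowed is dropped.
    if not any(r.action == "deny" and r.dst_zone == utility_zone and r.src_zone == "any"
               for r in rules):
        findings.append(("(ruleset)", "no explicit default-deny into the utility segment"))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        results = audit(rules)
        print(f"{label}: {len(results)} finding(s)")
        for name, msg in results:
            print(f"  {name}: {msg}")
```

The weak ruleset produces five findings and the hardened one none. Two limits are worth knowing before reusing the idea: the checks look at each rule in isolation and ignore rule order, so a real firewall export should be normalised first; and a port number cannot tell SNMPv3 from SNMPv1/v2c, so the monitoring rule passes here only because the protocol version is enforced on the devices themselves.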


Step 6 – Prepare for Utility Outages and Emergencies

Supporting utilities will fail at some point. ISO 27001 Control 7.11 expects you to be able to respond safely and quickly.

Key elements:

  • Emergency lighting and communications
    – Emergency lighting in critical areas so staff can move safely during power loss.
    – Battery-powered or alternative communications for key staff (e.g. mobiles, radios).
  • Emergency switches and valves
    – Clearly marked and accessible power isolation switches, gas shut-off valves, and water stopcocks near exits or equipment rooms.
    – Procedures describing when and how they should be used.
  • Emergency contacts
    – Up-to-date contact details for utility providers, building management, landlords, and key internal staff.
    – Easily accessible – e.g. posted in comms rooms and stored in offline-ready formats.
  • Integration with business continuity and incident response
    – Utility failures should be covered in your business continuity and incident response plans.
    – Staff should know how to declare an incident, who to notify, and what immediate actions to take.

This ties ISO 27001 Control 7.11 into your broader resilience and continuity approach.


Step 7 – Document, Plan Capacity and Train People

Finally, ISO 27001 Control 7.11 expects you to manage supporting utilities deliberately, not just react informally.

You should have:

  • Documentation
    – Diagrams or descriptions of how power, cooling and network utilities support information processing facilities.
    – Configuration and maintenance records for key utility-supporting equipment.
    – Emergency procedures and contact lists.
  • Capacity planning
    – Regular review of power draw, cooling load and network utilisation.
    – Planning ahead for growth in systems, users, and data volumes.
  • Training and awareness
    – Training for facilities, IT and security staff on how utilities work and how to respond to issues.
    – Basic awareness for other staff about what to do in the event of outages (and what not to do).

This helps you show that ISO 27001 Control 7.11 is embedded in normal operations, not treated as a one-off project.


Quick Implementation Checklist for ISO 27001 Control 7.11

Use this checklist to review your approach to supporting utilities:

  • ISO 27001 Control 7.11 (Supporting utilities) is documented in your ISMS.
  • Critical information processing facilities have identified utility dependencies (power, cooling, network, etc.).
  • Utility-supporting equipment (UPS, generators, cooling, network gear) is configured and maintained according to manufacturer specifications.
  • Regular inspections and tests are carried out and recorded (UPS/generator tests, environmental checks, network failover).
  • Alarms and monitoring are in place for power issues, environmental thresholds and network failures.
  • Appropriate redundancy and diversity (power, cooling, network) exists where a single failure would seriously impact operations.
  • Utility-supporting equipment that is network-connected is secured and segmented from production systems.
  • There are clear emergency procedures, including isolation switches/valves, emergency lighting and contact details.
  • Supporting utilities are covered in capacity planning, business continuity and incident response plans.
  • Relevant staff are trained on how to operate, monitor and respond to issues with supporting utilities.

Bringing It All Together

ISO 27001 Control 7.11 – Supporting utilities – is about making sure the things that keep your information processing facilities alive and stable are designed, protected and monitored with intent.

If you:

  • Understand which utilities your systems depend on,
  • Configure and maintain them properly with redundancy and monitoring, and
  • Prepare for outages with clear procedures and trained people,

you’ll greatly reduce the chance that a power glitch, cooling failure or network outage will bring down your critical services – and you’ll be able to demonstrate to an auditor that supporting utilities are managed as part of a mature, resilient ISMS.