ISO 27001 Control 7.13: Equipment Maintenance

How to Keep Your Kit Safe, Reliable and Audit-Ready

ISO 27001 Control 7.13 Equipment maintenance is about more than just keeping the lights on and the fans spinning. It’s about making sure the equipment that processes, stores, or supports your information:

  • Works when you need it
  • Doesn’t introduce new vulnerabilities
  • Doesn’t leak or lose data while it’s being fixed

This control expects you to manage maintenance in a structured, security-conscious way – whether the work is done by your own team, your landlord, or third-party engineers.

This guide walks through what ISO 27001 Control 7.13 is really asking for and how to build a practical equipment maintenance regime that supports confidentiality, integrity, and availability.


What ISO 27001 Control 7.13 Actually Requires

In plain terms, ISO 27001 Control 7.13 – Equipment maintenance expects you to:

  • Maintain equipment according to planned schedules and supplier recommendations.
  • Make sure maintenance is done by authorised, competent people.
  • Protect information and assets while maintenance is taking place (on-site, off-site, or remotely).
  • Keep records of faults, maintenance activities, and inspections.
  • Check that equipment hasn’t been tampered with before putting it back into service.

This applies to more than just servers and laptops. It also covers:

  • Power systems (UPS, generators, PDUs)
  • Cooling and environmental controls
  • Security systems (CCTV, alarms, door controllers)
  • Fire detection and suppression
  • Lifts and other building systems that support your operations

If a piece of equipment's failure could affect your information, your systems, or your ability to operate, ISO 27001 Control 7.13 wants you to maintain it deliberately and securely.


Step 1 – Decide What Falls Under “Equipment Maintenance”

Before you can comply with ISO 27001 Control 7.13, you need to be clear about which equipment is in scope.

Typical candidates:

  • Information processing equipment
    – Servers, storage, network devices, firewalls, Wi-Fi access points
    – End-user devices where you manage hardware lifecycle centrally
  • Supporting infrastructure
    – UPS, batteries, generators, PDUs
    – Air conditioning, ventilation and environmental monitoring
    – Door access systems, CCTV, intrusion detection
  • Life safety and building systems (where relevant to operations)
    – Smoke detectors, alarms, fire suppression
    – Lifts and critical building controls that support access to secure areas

Create a simple asset list or register that marks which items require formal maintenance and who is responsible (IT, Facilities, landlord, third party, etc.). That list becomes your anchor for ISO 27001 Control 7.13.


Step 2 – Build a Planned Maintenance Programme

Rather than reacting when equipment fails, ISO 27001 Control 7.13 expects a planned maintenance programme.

Good practice includes:

  • Using vendor recommendations
    – Base your maintenance intervals (e.g. quarterly, annually) on supplier guidance where it exists.
    – Factor in environment and criticality – harsh environments or critical systems may need more frequent checks.
  • Combining preventive and corrective maintenance
    – Preventive: scheduled servicing, inspections, firmware updates, cleaning, testing.
    – Corrective: structured handling of faults and failures when they occur.
  • Linking to risk and criticality
    – High-impact systems (e.g. core firewalls, UPS protecting the data centre) get more frequent and thorough checks.
    – Less critical kit may only need basic periodic checks.
  • Scheduling and tracking
    – Use a CMMS, service desk tool, or even a simple spreadsheet to record:
      • What needs maintaining
      • How often
      • When it was last done
      • Who did it and what they found

Auditors will often ask to see evidence of a maintenance programme for ISO 27001 Control 7.13. Having this planned view makes that conversation easy.


Step 3 – Use Authorised, Competent Personnel Only

Control 7.13 is explicit that equipment maintenance should be carried out by authorised personnel.

That usually means:

  • Internal staff
    – Have documented roles, responsibilities, and appropriate training.
    – Follow your internal procedures and change management processes.
  • External engineers and third parties
    – Are engaged under a contract that includes security and confidentiality requirements.
    – Have been vetted to a level appropriate to the sensitivity of the systems they’ll access.

You should also:

  • Maintain a list of approved suppliers and contractors for key equipment.
  • Ensure all maintenance personnel are bound by confidentiality obligations.
  • Limit what they can access to only what’s needed for the work.

From an ISO 27001 Control 7.13 point of view, “anyone can open the rack and start fiddling with cables” is exactly what you’re trying to avoid.


Step 4 – Protect Information During Maintenance (On-Site and Off-Site)

During maintenance, equipment is often in a more vulnerable state – covers off, drives exposed, consoles unlocked, devices powered down, or removed from secure areas.

To align with ISO 27001 Control 7.13:

On-site maintenance

  • Supervise where appropriate
    – Especially for third-party engineers working in secure areas or on sensitive systems.
    – Accompany them into server rooms, comms rooms, and other secure zones.
  • Control access
    – Ensure only authorised people can reach equipment under maintenance.
    – Keep doors closed and locked where possible; don’t leave equipment unattended.
  • Handle media and data carefully
    – Remove or encrypt storage media if equipment must be left unattended.
    – Ensure engineers can’t copy data for their own purposes.

Off-site maintenance

If equipment containing or storing data leaves your premises:

  • Decide whether it can leave with data on it at all
    – For highly sensitive systems, it may be safer to remove or securely erase storage first and send only the chassis or components.
  • Track the equipment
    – Record what’s leaving, with which organisation, and when it’s expected back.
    – Use return labels, serial numbers, and asset IDs.
  • Apply appropriate protections in transit
    – Packaging, tamper-evident seals, and tracked or secure courier options where justified by risk.
  • Check it on return
    – Inspect for tampering, verify configuration, and confirm security controls (e.g. encryption, agents, logging) are still in place before reconnecting.

That combination of controls is what demonstrates to an auditor that ISO 27001 Control 7.13 is being taken seriously.


Step 5 – Secure Remote Maintenance

Remote maintenance is extremely convenient – and a common attack path. ISO 27001 Control 7.13 expects remote maintenance to be authorised, controlled, and monitored.

Practical points:

  • Authorisation and scheduling
    – Only allow remote maintenance when formally approved (ticket, change request, or similar).
    – Restrict it to defined windows where appropriate.
  • Strong authentication and secure channels
    – Use VPN, secure tunnels or bastion hosts – never open insecure services directly to the internet “just for the engineer”.
    – Apply multi-factor authentication for remote admin access.
  • Least privilege
    – Provide only the access rights necessary to do the job.
    – Use time-bound accounts or access tokens where possible.
  • Monitoring and logging
    – Log remote access sessions and commands for sensitive systems.
    – If realistic, have someone locally monitor or shadow the session.

Once maintenance is complete, disable or revoke temporary access. That’s exactly the kind of control ISO 27001 Control 7.13 is pointing towards.


Step 6 – Record Faults, Maintenance, and Inspections

A key part of ISO 27001 Control 7.13 is record-keeping. It shows you’re actually doing what your procedures say.

You should record:

  • Faults and incidents
    – Date and time, symptoms, affected equipment, and impact.
    – Root cause where identified.
  • Preventive maintenance
    – What was done, when, by whom, and on which asset.
    – Any findings or recommended follow-up actions.
  • Corrective maintenance
    – Parts replaced, configuration changes made, and tests performed after repair.
  • Inspections and checks
    – Visual inspections, safety tests, performance checks.

These records help you:

  • Spot recurring issues and weak points.
  • Prove to auditors that maintenance under ISO 27001 Control 7.13 is actually happening.
  • Demonstrate you’re managing operational risk, not just reacting.


Step 7 – Verify Equipment After Maintenance and Manage End-of-Life

Don’t just plug equipment back in and hope for the best. ISO 27001 Control 7.13 expects a proper post-maintenance check and a secure approach to end-of-life.

After maintenance

Before returning equipment to normal service:

  • Functionality tests
    – Confirm it does what it’s supposed to do (e.g. network throughput, UPS switchover, cooling performance).
  • Security checks
    – Confirm configurations, security settings, certificates, logging, and monitoring agents are still in place.
    – Verify no default accounts have been re-enabled and no test accounts were left behind.
  • Tamper checks
    – Look for signs of unauthorised modification if equipment has been off-site or in third-party hands.
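One way to make the security checks above (and the Step 5 point about revoking temporary access) repeatable is to snapshot the device before the maintenance window and diff it against the state afterwards. The following is an added example, not code from the article; the snapshot format, the account/service names and the timestamps are all constructed for illustration.

```python
# Added example, not from the article: diff a pre-maintenance baseline of a device
# against its state after the engineer finished, and list anything that must be fixed
# before it goes back into service. Snapshot format and sample data are constructed.
from datetime import datetime, timezone

# Constructed baseline captured before the maintenance window opened.
BASELINE = {
    "accounts": {
        "admin": {"enabled": False, "default": True, "expires": None},
        "ops": {"enabled": True, "default": False, "expires": None},
    },
    "services": {"syslog-forwarder": "running", "edr-agent": "running"},
    "disk_encryption": True,
}
# Constructed post-maintenance state: default account re-enabled, a vendor's temporary
# account left behind past its expiry, and the log forwarder no longer running.
AFTER = {
    "accounts": {
        "admin": {"enabled": True, "default": True, "expires": None},
        "ops": {"enabled": True, "default": False, "expires": None},
        "vendor-tmp": {"enabled": True, "default": False, "expires": "2024-01-10T18:00:00+00:00"},
    },
    "services": {"syslog-forwarder": "stopped", "edr-agent": "running"},
    "disk_encryption": True,
}
# Constructed reference time; use datetime.now(timezone.utc) for a real check.
CHECK_TIME = datetime(2024, 1, 11, tzinfo=timezone.utc)

def post_maintenance_findings(baseline, after, now):
    """Return a list of findings; an empty list means the device can return to service."""
    findings = []
    for name, acc in after["accounts"].items():
        if name not in baseline["accounts"]:
            findings.append(f"new account not in baseline: {name}")
        elif acc["default"] and acc["enabled"] and not baseline["accounts"][name]["enabled"]:
            findings.append(f"default account re-enabled: {name}")
        exp = acc.get("expires")
        if acc["enabled"] and exp and datetime.fromisoformat(exp) <= now:
            findings.append(f"expired temporary access still enabled: {name}")
    for svc, state in baseline["services"].items():
        if state == "running" and after["services"].get(svc) != "running":
            findings.append(f"security service not running: {svc}")
    if baseline["disk_encryption"] and not after["disk_encryption"]:
        findings.append("disk encryption no longer enabled")
    return findings

def run_checks():
    """Run the comparison on the constructed snapshots above."""
    return post_maintenance_findings(BASELINE, AFTER, CHECK_TIME)
```

Each finding maps to an item in the checklist above; the device only goes back on the network when the list is empty and the result is filed with the maintenance record.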

Disposal or reuse

When equipment is no longer needed:

  • Apply your secure reuse / disposal procedures (e.g. secure wipe, physical destruction, certified disposal providers).
  • Remove it from the maintenance programme and asset register.
  • Keep disposal records, especially for devices that held sensitive information.

Even though disposal is covered more directly by other controls, ISO 27001 Control 7.13 expects you to link maintenance and end-of-life sensibly.


Quick Implementation Checklist for ISO 27001 Control 7.13

Use this to benchmark your current equipment maintenance approach:

  • ISO 27001 Control 7.13 (Equipment maintenance) is referenced in your ISMS documentation.
  • You have identified which assets require formal maintenance (IT equipment, UPS, cooling, security systems, etc.).
  • There is a planned maintenance programme based on supplier guidance and risk/criticality.
  • Maintenance is carried out only by authorised, competent personnel (internal or external).
  • Records of faults, preventive maintenance, and corrective maintenance are kept and reviewed.
  • Controls are in place to protect information during maintenance (supervision, access control, handling of media).
  • Remote maintenance is authorised, secured and monitored, with temporary access removed afterwards.
  • Off-site maintenance is managed with tracking, contractual controls and post-return checks.
  • Maintenance-related obligations from insurers, landlords or contracts are understood and met.
  • Equipment is checked for tampering and correct operation before being put back into service.
  • End-of-life equipment is handled using secure reuse/disposal procedures and removed from the maintenance schedule.


Bringing It All Together

ISO 27001 Control 7.13 – Equipment maintenance – is about treating maintenance as a controlled, security-relevant activity, not just “something the engineer sorts out”.

If you:

  • Know which equipment matters,
  • Maintain it on a planned basis,
  • Protect information while it’s being worked on, and
  • Keep clear records and checks around the whole process,

you’ll reduce the risk of downtime, data compromise, and nasty surprises – and you’ll be able to show any auditor that equipment maintenance is firmly embedded in your ISMS, not handled ad hoc.