How to Put Your Kit in the Right Place – and Keep It Safe
ISO 27001 Control 7.8 Equipment siting and protection (Annex A of the 2022 edition) is all about where you put your equipment and how you protect it once it’s there.
It’s easy to focus on firewalls, encryption and access control, but if your servers sit under a leaking pipe, or sensitive screens face a public walkway, the basics are already broken. Control 7.8 expects you to think deliberately about placement, environment and physical protection so that your equipment can operate safely and reliably.
This guide explains what ISO 27001 Control 7.8 is really asking for – and how to design sensible, practical equipment siting and protection in offices, comms rooms, data rooms and industrial spaces.
What ISO 27001 Control 7.8 Actually Requires
In plain English, ISO 27001 Control 7.8 – Equipment siting and protection expects you to:
- Place equipment in locations that reduce the risk of theft, damage, or unauthorised access.
- Position information processing equipment so that data can’t be easily overlooked or captured by others.
- Protect equipment from physical and environmental threats (fire, water, dust, chemicals, power surges, etc.).
- Monitor environmental conditions (e.g. temperature, humidity) where it matters.
- Apply additional protections in harsher or industrial environments.
- Keep facilities that process your information physically separated from facilities managed by external parties.
It’s a preventive control that supports confidentiality, integrity and availability by making sure your kit is:
- In the right place
- Protected from predictable hazards
- Harder to reach, observe or interfere with without permission
Step 1 – Decide Which Equipment Needs Thoughtful Siting
Start by working out which equipment is in scope for ISO 27001 Control 7.8. Typically, that includes:
- Servers, storage, and network equipment (racks, switches, firewalls, routers)
- User endpoint devices in open-plan, reception, or public-facing areas
- Multi-function printers and scanners handling sensitive documents
- Comms cabinets and small network rooms on remote sites
- Industrial control kit or terminals in plant or warehouse environments
Ask yourself:
- What would happen if this was stolen, damaged, or interfered with?
- Could someone view or overhear sensitive information easily from nearby?
- Is this equipment exposed to heat, moisture, dust, chemicals, vibration or knocks?
Anything where the answer is “yes, that would really hurt us” deserves deliberate siting and protection under ISO 27001 Control 7.8.
Step 2 – Reduce Unnecessary Access to Equipment
The first principle: if equipment is important, don’t make it easy for everyone to get near it.
Practical measures for ISO 27001 Control 7.8:
- Put critical equipment in controlled areas
– Use server rooms, comms rooms or locked cupboards rather than open corridors.
– Keep comms cabinets out of public spaces and shared lobbies where possible.
- Design workspaces to limit through-traffic
– Avoid placing racks, critical workstations or printers on obvious cut-through routes.
– Place them in staff-only zones, not in reception or waiting areas.
- Separate your equipment from third-party kit
– In co-located or shared facilities, ensure your racks, cabinets or rooms are physically distinct and lockable.
– Don’t share unsecured cabinets with other organisations if you can avoid it.
The aim under ISO 27001 Control 7.8 is not to hide equipment completely, but to ensure that only people who genuinely need to be near it can get near it easily.
Step 3 – Protect Confidentiality by Controlling What People Can See
Where equipment is used to display or handle sensitive information, you also need to think about line of sight.
For ISO 27001 Control 7.8:
- Position screens away from prying eyes
– Don’t face monitors towards public areas, guest seating, or windows onto corridors.
– Turn desks or move screens so that someone would have to be obviously looking to see what’s on them.
- Use privacy screens and partitions where needed
– Fit privacy filters to monitors displaying personal or confidential information in open areas.
– Use modesty panels, screens or partitions to shield workstations with higher sensitivity.
- Be careful with shared displays
– Meeting room and collaboration screens should not show inboxes, dashboards, or other sensitive content by default.
– Lock or blank them when not in use.
This side of ISO 27001 Control 7.8 dovetails nicely with clear screen and secure areas controls – they all tackle the risk of casual visual access.
Step 4 – Protect Equipment from Physical and Environmental Threats
ISO 27001 Control 7.8 is closely linked to physical and environmental protection. Here, the focus is: given where you’ve placed the equipment, what could go wrong physically?
Key threats and mitigations:
- Theft and vandalism
– Secure racks and cabinets with locks; bolt racks to the floor where appropriate.
– Use anchor points or lockable furniture for high-value equipment in visible areas.
- Fire, smoke and heat
– Keep equipment away from obvious fire hazards and heat sources.
– Make sure server rooms and comms rooms are covered by appropriate detection and suppression systems (in line with your Control 7.5 measures).
- Water and leaks
– Don’t put racks directly under water pipes, tanks, or known leak-prone areas if you can avoid it.
– Use drip trays and leak detection under raised floors near critical kit.
- Dust, chemicals and contamination
– Avoid putting critical kit in areas with heavy dust, aerosols or corrosive substances.
– Use filtered enclosures or dust protection in industrial or warehouse environments.
- Electrical interference and surges
– Keep equipment away from sources of strong electromagnetic interference where possible.
– Use surge protection and appropriate earthing on power and communications lines.
- Comms lines and electromagnetic emanations
– Protect exposed comms cabling and entry points from damage, tampering or accidental disconnection.
– For equipment processing very sensitive information, consider measures to limit electromagnetic emanations that could leak data.
The point for ISO 27001 Control 7.8 is to be able to show: we understood what could hurt this equipment in this location and we put proportionate controls in place.
Step 5 – Monitor Environmental Conditions Where It Matters
For some equipment, particularly in server rooms and comms rooms, it’s not enough to place it somewhere sensible – you need to actively monitor the environment.
To support ISO 27001 Control 7.8:
- Monitor temperature and humidity
– Use sensors to track conditions in rooms with critical equipment.
– Set alert thresholds for high temperature or humidity so you can act before systems fail.
- Integrate with alerting and maintenance
– Route alerts to whoever is on the hook (IT, facilities, third-party providers).
– Investigate and record incidents where environmental conditions breach thresholds.
- Check airflow and obstructions
– Keep vents and fans clear.
– Don’t stack boxes or furniture against equipment that needs airflow.
This monitoring supports both availability (by avoiding failure) and integrity (by preventing damage that could corrupt data).
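The alerting logic behind “set alert thresholds” is easy to get wrong in a way that either floods the on-call person or misses a failing cooling unit. The following Python is an added example (not part of the ISO 27001 text, and not taken from any particular monitoring product): it parses constructed temperature/humidity readings from two hypothetical sensors, raises an alarm when a reading crosses a threshold, clears it only once the value has come back past a separate clear threshold (hysteresis, so a value hovering at the limit does not flap), and flags a rapid temperature rise, which in practice usually means cooling has failed before the absolute limit is reached. The threshold values, sensor names and log format are assumptions for illustration; set yours from the equipment vendor’s specifications and your own risk assessment.

```python
"""Threshold alerting with hysteresis and rate-of-change over sensor readings.

Added example for ISO 27001 Control 7.8 Step 5. Thresholds, sensor names and
the CSV-style log format are hypothetical; they are not from any standard.
"""
from dataclasses import dataclass, field

# Assumed operating envelope (hypothetical values for the example).
TEMP_HIGH_C = 27.0            # raise TEMP_HIGH at or above this
TEMP_CLEAR_C = 25.0           # clear TEMP_HIGH only once below this
HUMIDITY_HIGH_PCT = 60.0      # raise RH_HIGH at or above this (condensation risk)
HUMIDITY_CLEAR_PCT = 55.0
HUMIDITY_LOW_PCT = 20.0       # raise RH_LOW at or below this (static discharge risk)
HUMIDITY_LOW_CLEAR_PCT = 25.0
RATE_LIMIT_C_PER_MIN = 1.0    # a rise this fast usually means cooling has failed

# Constructed sample readings, one per line: minutes,sensor,temp_c,rh_pct
SAMPLE_LOG = """\
0,rack-a1,22.4,45
0,rack-b2,21.0,30
5,rack-a1,22.6,45
5,rack-b2,21.0,19
10,rack-a1,28.1,44
10,rack-b2,21.0,23
15,rack-a1,28.4,44
15,rack-b2,21.0,27
20,rack-a1,26.3,43
25,rack-a1,24.6,43
"""


@dataclass
class Reading:
    t_min: int
    sensor: str
    temp_c: float
    rh_pct: float


def parse_log(text: str) -> list[Reading]:
    """Parse the constructed log format, skipping blank and comment lines."""
    readings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, sensor, temp, rh = line.split(",")
        readings.append(Reading(int(t), sensor, float(temp), float(rh)))
    return readings


@dataclass
class Monitor:
    active: dict = field(default_factory=dict)  # sensor -> set of active alarm names
    last: dict = field(default_factory=dict)    # sensor -> previous Reading
    events: list = field(default_factory=list)  # (t_min, sensor, RAISE|CLEAR, name, value)

    def _hysteresis(self, r, name, value, raise_at, clear_at, above):
        """Raise when value crosses raise_at; clear only once it passes clear_at
        in the other direction. The gap between the two stops a reading hovering
        at the limit from producing an alert storm."""
        alarms = self.active.setdefault(r.sensor, set())
        tripped = value >= raise_at if above else value <= raise_at
        cleared = value < clear_at if above else value > clear_at
        if tripped and name not in alarms:
            alarms.add(name)
            self.events.append((r.t_min, r.sensor, "RAISE", name, value))
        elif cleared and name in alarms:
            alarms.discard(name)
            self.events.append((r.t_min, r.sensor, "CLEAR", name, value))

    def ingest(self, r: Reading) -> None:
        self._hysteresis(r, "TEMP_HIGH", r.temp_c, TEMP_HIGH_C, TEMP_CLEAR_C, above=True)
        self._hysteresis(r, "RH_HIGH", r.rh_pct, HUMIDITY_HIGH_PCT, HUMIDITY_CLEAR_PCT, above=True)
        self._hysteresis(r, "RH_LOW", r.rh_pct, HUMIDITY_LOW_PCT, HUMIDITY_LOW_CLEAR_PCT, above=False)
        prev = self.last.get(r.sensor)
        if prev is not None and r.t_min > prev.t_min:
            # Rate check is stateless: every fast rise is reported as seen.
            rate = (r.temp_c - prev.temp_c) / (r.t_min - prev.t_min)
            if rate >= RATE_LIMIT_C_PER_MIN:
                self.events.append((r.t_min, r.sensor, "RAISE", "TEMP_RISING_FAST", round(rate, 2)))
        self.last[r.sensor] = r


def run(log_text: str) -> list:
    """Feed every reading through the monitor and return the event record
    (the list you would route to on-call and keep for incident records)."""
    m = Monitor()
    for r in parse_log(log_text):
        m.ingest(r)
    return m.events


if __name__ == "__main__":
    for ev in run(SAMPLE_LOG):
        print("t=%3d min  %-8s %-5s %-17s %s" % ev)
```

Note what the sample demonstrates: rack-a1 drops to 26.3 °C at 20 minutes, below the 27 °C alarm level, but the alarm stays up until it is genuinely back under 25 °C; a naive single-threshold check would have cleared and then re-raised on any bounce. The 28.1 °C reading at 10 minutes produces two events at once, the absolute breach and the rate-of-change warning, which is the one that would have fired first had the jump started from a lower baseline.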
Step 6 – Control Behaviour Around Equipment
Sometimes, equipment sits in perfectly reasonable locations – and then people undermine that by treating it like a coffee table.
ISO 27001 Control 7.8 expects you to have basic rules about how people behave around equipment, for example:
- No eating or drinking near critical kit
– Particularly around servers, comms racks, multi-function devices and shared workstations.
– Provide alternative nearby spaces for drinks and snacks.
- No smoking or vaping near equipment
– Aside from health and legal issues, smoke residues and particulates can damage sensitive electronics.
- Tidy cabling and safe access
– Don’t leave trailing cables across walkways where they can be kicked, pulled or tripped over.
– Label cables and keep them organised in racks and cabinets.
These small behavioural controls make it easier to show that ISO 27001 Control 7.8 is being considered in everyday operations, not just in high-level design.
Step 7 – Protect Against Lightning and Power Events
Where lightning and power disturbances are realistic threats, ISO 27001 Control 7.8 expects you to build protection into your facilities.
Typical measures:
- Lightning protection for buildings
– Install or verify building lightning protection where required by local standards and risk profile.
- Surge and lightning filters on incoming lines
– Fit surge protection on mains feeds and, where appropriate, on incoming comms lines.
– Ensure surge protection devices are properly rated and periodically checked.
This complements your broader supporting utilities and power protection controls, and helps protect both equipment and data from sudden power-related damage.
Step 8 – Use Special Protection in Harsh or Industrial Environments
If equipment is used in industrial, outdoor, or otherwise harsh conditions, ISO 27001 Control 7.8 expects you to go beyond normal office-grade protections.
Examples:
- Ruggedised or industrial enclosures
– Use sealed enclosures for dusty, wet or corrosive environments.
– Consider IP-rated housings where liquids or particles are a concern.
- Protective covers and membranes
– Keyboard and port covers to protect against dust, debris, or spillages.
– Screen covers or shields against knocks and chemical splashes.
- Shock and vibration management
– Mount equipment on suitable brackets or shock absorbers where vibration is likely (e.g. near heavy machinery).
The key for ISO 27001 Control 7.8 is to show that office assumptions don’t blindly carry over into harsher environments.
Quick Implementation Checklist for ISO 27001 Control 7.8
Use this to sanity-check your approach to equipment siting and protection:
- ISO 27001 Control 7.8 (Equipment siting and protection) is covered in your physical security / facilities procedures.
- Equipment that processes or stores sensitive information is sited deliberately, not just wherever there was a spare socket.
- Critical equipment is placed where access is restricted and unnecessary approach is minimised.
- Screens and workstations handling sensitive data are positioned or shielded to prevent shoulder-surfing.
- Equipment is protected against theft, vandalism, fire, water, dust, chemicals, and interference as appropriate.
- Environmental conditions (temperature, humidity, etc.) are monitored and alerted on where failure would significantly impact operations.
- Sensible rules exist for behaviour near equipment (no food/drink, tidy cabling, safe access).
- Buildings and incoming lines have appropriate lightning and surge protection, where risk justifies it.
- Equipment in industrial or harsh environments has additional protective measures (enclosures, membranes, ruggedised hardware).
- Facilities containing your equipment are physically separated from those controlled by other organisations where possible.
Bringing It All Together
ISO 27001 Control 7.8 – Equipment siting and protection – is about making sure your information and systems are not undone by something as simple as “we put the rack in the wrong place”.
If you:
- Place equipment where it’s hard to casually access or observe,
- Protect it from realistic physical and environmental threats, and
- Monitor conditions and behaviour around it,
you’ll greatly improve the resilience of your technical environment – and you’ll be able to demonstrate to an auditor that equipment siting and protection are being handled in a thoughtful, risk-based way, fully aligned with ISO 27001 Control 7.8.