ISO 27001 Control 7.11: Supporting Utilities

Securing Supporting Utilities for Operational Continuity

Introduction

Supporting utilities play a crucial role in the smooth functioning of an organisation’s information processing facilities. Disruptions caused by utility failures, such as power outages or communication breakdowns, can lead to loss, damage, or compromise of information and other assets, as well as interruptions to organisational operations. Implementing robust measures to secure and maintain supporting utilities is essential for business resilience.

Purpose of Protecting Supporting Utilities

The primary objective of securing supporting utilities is to prevent interruptions, damage, or compromise of information processing facilities and ensure the continued availability and integrity of organisational operations.

Guidelines for Securing Supporting Utilities

1. Equipment Configuration and Maintenance

   • Configure, operate, and maintain utility-supporting equipment according to relevant manufacturer specifications to ensure optimal performance and reliability.

2. Regular Appraisals

   • Regularly appraise utilities to assess their capacity to meet current and future business needs.

   • Evaluate interactions between different utilities to identify potential risks and dependencies.

3. Inspection and Testing

   • Conduct regular inspections and testing of utility-supporting equipment to ensure proper functionality and detect potential issues early.

4. Utility Malfunction Detection

   • Implement alarm systems to detect malfunctions or disruptions in utilities promptly.

5. Redundancy and Diversification

   • Where necessary, provide utilities with multiple feeds that follow diverse physical routing to minimise the risk of a single point of failure.

   • Ensure redundancy in network connectivity by using multiple routes or providers for critical utilities.

6. Network Security for Utility Equipment

   • Connect utility-supporting equipment to the network only when required and ensure secure configurations.

   • Isolate utility-supporting equipment on a separate network from the information processing facilities to minimise security risks.

7. Emergency Preparedness

   • Install emergency lighting and communication systems to maintain visibility and communication during utility outages.

   • Position emergency switches and valves for cutting off utilities (e.g., power, water, gas) near emergency exits or equipment rooms for quick access.

   • Record and make emergency contact details available to personnel for swift resolution of utility issues.

Supporting Measures

• Capacity Planning: Regularly assess and plan for the capacity of supporting utilities to handle organisational growth and increased demands.

• Secure Internet Connectivity: If utility equipment requires internet access, ensure secure configurations to prevent unauthorised access.

• Documentation and Training: Maintain documentation on utility configurations, emergency procedures, and contact details, and provide training to relevant personnel.

Additional Information

• Organisations can enhance redundancy for network connectivity by establishing multiple routes from different utility providers. This reduces the likelihood of a total service disruption.

Key Concepts and Domains

• Control Type: Preventive, Detective

• Security Properties: Integrity, Availability

• Cybersecurity Concepts: Protection, Detection

• Operational Capabilities: Physical Security, Utility Management

Conclusion

Securing supporting utilities is critical for maintaining the integrity and availability of information processing facilities. By implementing robust measures for utility configuration, redundancy, monitoring, and emergency preparedness, organisations can reduce the risks of disruptions and ensure continuity of operations. A proactive approach to utility management safeguards organisational resilience and operational efficiency in the face of unexpected challenges.