
ISO 27001 Control 7.8: Equipment Siting & Protection

  • Writer: Alan Parker
  • Jan 27

Safeguarding Organisational Assets


Introduction

The secure siting and protection of equipment are vital components of an organisation’s information security framework. By addressing risks from physical and environmental threats, as well as unauthorised access, organisations can ensure the confidentiality, integrity, and availability of their critical assets.


Purpose of Equipment Siting and Protection

The primary objective of equipment siting and protection is to mitigate risks associated with physical and environmental threats, unauthorised access, and damage. Proper placement and safeguards for equipment help maintain operational efficiency and protect sensitive information.


Guidelines for Secure Equipment Siting and Protection

  1. Minimising Unnecessary Access

    • Place equipment strategically to limit access into work areas, reducing opportunities for unauthorised personnel to approach sensitive systems.

  2. Positioning Sensitive Information Processing Facilities

    • Locate facilities handling sensitive data in areas that minimise the risk of unauthorised viewing during use.

    • Use privacy screens or partitions as needed to shield displays from unintended observers.

  3. Protecting Against Physical and Environmental Threats

    • Implement controls to mitigate risks from threats such as:

      • Theft and vandalism

      • Fire, smoke, and explosions

      • Water damage or water supply failures

      • Dust and chemical exposure

      • Electrical interference and surges

      • Communication line disruptions and electromagnetic radiation

    • Ensure that facilities are equipped with fire suppression systems, secure enclosures, and other appropriate safeguards.

  4. Environmental Condition Monitoring

    • Continuously monitor environmental factors, such as temperature and humidity, to prevent adverse effects on equipment performance.

    • Use sensors and alerts to identify and address potential issues promptly.

  5. Guidelines for Proximity Activities

    • Prohibit or limit activities such as eating, drinking, and smoking near information processing equipment to prevent contamination or damage.

  6. Lightning and Power Protection

    • Apply lightning protection systems to all buildings.

    • Fit lightning protection filters to incoming power and communication lines to safeguard against power surges and related damage.

  7. Special Protection for Industrial Environments

    • Use specialised protection measures, such as keyboard membranes, to shield equipment from industrial contaminants or extreme conditions.

  8. Electromagnetic Emanation Protection

    • Implement measures to reduce the risk of information leakage due to electromagnetic emanation, especially for equipment processing confidential information.

  9. Physical Separation of Facilities

    • Physically separate information processing facilities managed by the organisation from those not under its control. This reduces the risk of unauthorised interference and improves accountability.


Key Concepts and Domains

  • Control Type: Preventive

  • Security Properties: Confidentiality, Integrity, Availability

  • Cybersecurity Concepts: Protection

  • Operational Capabilities: Physical Security, Asset Management


Conclusion

Effective siting and protection of equipment are critical to an organisation’s ability to manage risks and maintain operational continuity. By implementing these guidelines, organisations can ensure that their equipment is safeguarded against physical and environmental threats and against unauthorised access.


A proactive and structured approach to equipment siting and protection reinforces organisational resilience, supports compliance with security standards, and protects valuable information assets from harm.


Iseo Blue Limited - UK Registered Company Number : 10215427 

Registered office address

Belmont Suite Paragon Business Park, Chorley New Road, Bolton, England, United Kingdom, BL6 6HG
