AuditFront

ISO 27001 A.7.13: Equipment maintenance

What This Control Requires

Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.

In Plain Language

Equipment that is not maintained will eventually fail, and it usually fails at the worst possible time. A UPS whose batteries have not been tested in two years, a server with failing fans that nobody noticed, a firewall whose firmware has not been updated since installation - these are the maintenance gaps that lead to outages and security incidents. (Firmware and patch management also fall under A.8.8, but the maintenance window is usually where the work actually happens, so the two controls are assessed together in practice.)

This control covers both preventive maintenance (scheduled work to stop things breaking) and corrective maintenance (fixing things after they break). But it also addresses the security side: who gets access to your equipment during maintenance, what happens to sensitive data on equipment sent for repair, and whether security configurations are intact after the work is done.

That last point catches a lot of organisations out. A vendor engineer fixes a server, resets something to a default configuration in the process, and nobody checks before putting it back into production. Auditors will look for post-maintenance verification as part of your process.

How to Implement

Set up a preventive maintenance programme for all information processing equipment. Define schedules based on manufacturer recommendations, how critical the equipment is, and operating conditions. Servers, network gear, UPS systems, and cooling equipment need more frequent attention than desktop hardware.

Build security into your maintenance procedures. Before any maintenance: verify the identity and authorisation of the person doing the work, especially third-party contractors, and tie the work to a ticket or change record that says what they are allowed to touch. Escort them in secure areas if they do not hold appropriate clearance. Back up data and configuration on the equipment before any work that might affect storage or settings, and record the current firmware version and a hash of the running configuration so there is something concrete to compare against afterwards. Remove sensitive data from any equipment going off-site for repair.

During maintenance: supervise work on critical equipment. Log everything - who did the work, what was done, parts replaced, configuration changes made. Make sure the maintenance does not introduce security problems like default passwords, unauthorised software, or exposed management interfaces.

After maintenance: verify the equipment works correctly. Confirm security configurations are intact or have been restored by comparing them with the pre-maintenance record rather than by eyeballing them. Check that patches and updates are still in place and that firmware is at the version the change record authorised. Test any security controls that might have been affected. Update the asset register with changes such as replaced components, new serial numbers, or firmware updates.

For equipment sent off-site: remove storage media containing sensitive data before shipping, or make sure it is encrypted with a key that does not travel with the device. A drive that unlocks automatically from a TPM or a key held by the management controller is not protected once the whole chassis ships, because anyone who powers it on gets the data. Get confidentiality agreements from the maintenance provider. Track the equipment throughout the process, including the serial numbers of the unit and any removable components. When it comes back, check for unauthorised modifications - compare firmware versions and, where the platform supports it, secure boot or measured boot state against the pre-shipment record - and re-verify security configurations before returning it to production.

Keep detailed maintenance records. Document every activity, parts replacement, and provider involved. Use the records to spot recurring issues, plan future maintenance, and make informed decisions about when to replace rather than repair.
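The before/during/after steps and the record-keeping above reduce, in practice, to one comparison: snapshot the device before the engineer starts, snapshot it again before it goes back into production, and diff the two against what the work order authorised. The script below is an added example written for this page (it is not AuditFront's or ISO's code). The Snapshot and WorkOrder fields, the list of vendor default accounts and the sample switch are constructed for illustration; in a real deployment the snapshot would be pulled from the device over SSH, SNMP or the vendor API.

```python
"""Post-maintenance verification: diff a device's pre-maintenance baseline against
its state after the engineer has finished, and build the maintenance-log record.
Added example for this page (not AuditFront's or ISO's code). Snapshot/WorkOrder
fields, the default-account list and the sample switch are constructed."""
import difflib
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Optional

# Accounts a factory reset or re-image recreates with a vendor default password (constructed list).
VENDOR_DEFAULT_ACCOUNTS = {"admin", "root", "service", "support"}
# Management protocols that must not reappear after maintenance.
INSECURE_MGMT_PORTS = {23: "telnet", 80: "http", 161: "snmp v1/v2c"}

@dataclass(frozen=True)
class Snapshot:
    firmware: str
    config_text: str      # running configuration as text
    patches: frozenset    # identifiers of installed hotfixes/updates
    accounts: frozenset   # local usernames
    listeners: frozenset  # (protocol, bind address, port) tuples

    def config_hash(self) -> str:
        return hashlib.sha256(self.config_text.encode()).hexdigest()

@dataclass(frozen=True)
class WorkOrder:
    ticket: str
    engineer: str
    authorised_firmware: Optional[str] = None  # None: firmware must not change
    authorised_config_change: bool = False     # True only if the ticket covers config edits
    replaced_parts: tuple = ()

@dataclass
class Finding:
    code: str      # FIRMWARE / CONFIG / PATCH / ACCOUNT / LISTENER
    severity: str  # high / medium / info
    detail: str

def verify(baseline: Snapshot, after: Snapshot, order: WorkOrder) -> list:
    """Return the security regressions between baseline and after."""
    out = []
    # 1. Firmware may only move to the version named on the ticket.
    if after.firmware != baseline.firmware and after.firmware != order.authorised_firmware:
        out.append(Finding("FIRMWARE", "high",
                           f"firmware {baseline.firmware} -> {after.firmware} not covered by {order.ticket}"))
    # 2. Configuration: compare hashes, then list the exact lines that changed.
    if after.config_hash() != baseline.config_hash():
        diff = difflib.unified_diff(baseline.config_text.splitlines(), after.config_text.splitlines(),
                                    "before", "after", n=0, lineterm="")
        changed = [l for l in diff if l[:1] in ("+", "-") and not l.startswith(("+++", "---"))]
        out.append(Finding("CONFIG", "info" if order.authorised_config_change else "high",
                           "config changed: " + "; ".join(changed)))
    # 3. Updates present before but gone now point at a re-image or downgrade. After an authorised
    #    firmware upgrade the new image may supersede hotfixes, so flag for review rather than fail.
    for p in sorted(baseline.patches - after.patches):
        out.append(Finding("PATCH", "medium" if order.authorised_firmware else "high",
                           f"update {p} no longer present"))
    # 4. Local accounts: any addition is suspect, a vendor default account especially.
    for u in sorted(after.accounts - baseline.accounts):
        out.append(Finding("ACCOUNT", "high" if u in VENDOR_DEFAULT_ACCOUNTS else "medium",
                           f"new local account '{u}'"))
    # 5. Listeners: a reset often re-enables telnet or HTTP on every interface.
    for proto, addr, port in sorted(after.listeners - baseline.listeners):
        insecure, everywhere = INSECURE_MGMT_PORTS.get(port), addr in ("0.0.0.0", "::")
        out.append(Finding("LISTENER", "high" if insecure or everywhere else "medium",
                           f"new listener {proto}/{addr}:{port}" + (f" ({insecure})" if insecure else "")
                           + (" on all interfaces" if everywhere else "")))
    return out

def maintenance_record(device, baseline, after, order, findings) -> dict:
    """Entry for the maintenance log; also drives the asset register update."""
    return {"device": device, "ticket": order.ticket, "engineer": order.engineer,
            "replaced_parts": list(order.replaced_parts),
            "firmware": {"before": baseline.firmware, "after": after.firmware},
            "config_hash": {"before": baseline.config_hash(), "after": after.config_hash()},
            "findings": [asdict(x) for x in findings],
            # Nothing rated high may be open when the device goes back into production.
            "return_to_production": not any(x.severity == "high" for x in findings)}

# Constructed sample: PSU swap plus an authorised firmware upgrade on a core switch.
# The engineer also factory-reset the switch and did not restore the configuration.
BEFORE_CFG = ("hostname core-sw-01\nno ip telnet server\nip ssh server\n"
              "username ops-admin privilege 15\nmanagement acl 10.0.10.0/24\n")
AFTER_CFG = ("hostname core-sw-01\nip telnet server\nip ssh server\nip http server\n"
             "username admin privilege 15\nusername ops-admin privilege 15\n")
BASELINE = Snapshot("4.2.1", BEFORE_CFG, frozenset({"SA-2024-03", "SA-2024-09"}),
                    frozenset({"ops-admin"}), frozenset({("tcp", "10.0.10.5", 22)}))
AFTER = Snapshot("4.3.0", AFTER_CFG, frozenset({"SA-2024-03"}), frozenset({"ops-admin", "admin"}),
                 frozenset({("tcp", "10.0.10.5", 22), ("tcp", "0.0.0.0", 23), ("tcp", "0.0.0.0", 80)}))
ORDER = WorkOrder("CHG-1042", "vendor-fe-jsmith", authorised_firmware="4.3.0", replaced_parts=("PSU-2",))

if __name__ == "__main__":
    found = verify(BASELINE, AFTER, ORDER)
    print(json.dumps(maintenance_record("core-sw-01", BASELINE, AFTER, ORDER, found), indent=2))
```

On the sample data the firmware change passes because the ticket authorised it, but the factory reset shows up four ways: the configuration hash no longer matches and the diff names the re-enabled telnet line, a hotfix is missing, a vendor default account has reappeared, and telnet and HTTP are listening on all interfaces. The record marks the device as not fit to return to production until those are closed, and it is the same record that answers the auditor's question about who did what to which device.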

Evidence Your Auditor Will Request

  • Preventive maintenance schedules for critical equipment
  • Maintenance records showing completed activities and findings
  • Procedures for securing equipment during and after maintenance
  • Confidentiality agreements with third-party maintenance providers
  • Post-maintenance verification records for critical equipment

Common Mistakes

  • No preventive maintenance schedule resulting in reactive-only maintenance
  • Third-party maintenance personnel are not supervised in secure areas
  • Equipment sent for repair contains sensitive data without protection
  • Security configurations are not verified after maintenance
  • Maintenance records are incomplete or not maintained

Related Controls Across Frameworks

Framework | Control ID   | Relationship
SOC 2     | A1.1         | Partial overlap
NIS2      | Art.21(2)(c) | Partial overlap

Frequently Asked Questions

How do we handle equipment with sensitive data that needs repair?
Try to repair on-site first without sending it anywhere. If it has to go off-site, remove the storage media before shipping whenever the fault is not storage-related. If the storage itself is the problem, it is usually too late to encrypt it - a failing drive may not be writable, and a partial encryption pass leaves plaintext behind - which is why full-disk encryption from day one matters: media that was already encrypted, with the key held outside the device, can ship with far less risk. Otherwise use a maintenance provider with appropriate security certifications and an NDA in place. For equipment holding highly sensitive data, it is often simpler and safer to replace the unit entirely and securely destroy the failed one rather than risk data exposure during repair.
Should we maintain equipment ourselves or use third-party providers?
It depends on the equipment and your in-house capability. Critical infrastructure like core network gear and SAN arrays often benefits from manufacturer service contracts with guaranteed response times - you do not want to be troubleshooting a failed storage controller at 2am without vendor support. For routine maintenance on standard servers and desktops, trained in-house staff can handle it. Check warranty terms too - some manufacturers void warranties if unauthorised people open the equipment. Whatever you choose, make sure the people doing the work are competent, authorised, and supervised when they are in secure areas.
