ISO 27001 Annex A Control 7.11

ISO 27001 control 7.11 Supporting utilities

The basics

ISO 27001 control A.7.11 Supporting utilities requires companies to protect facilities against failures due to a lack of power, water, or other utilities needed for information processing or storage. This is important to prevent temporary unavailability or permanent loss of information.

Documentation

ISO 27001 control A.7.11 Supporting utilities can be documented:

  • for smaller companies by defining in the Statement of Applicability (SoA) how supporting facilities are protected (i.e., no separate document is needed)
  • for mid-sized and larger companies by writing a Procedure for Supporting Utilities.

The procedure is not mandatory but is recommended.

Implementation

In order to comply with control A.7.11 Supporting utilities you might implement the following:

  • Technology — the technology for supporting utilities or facilities could include software (e.g., commanding and monitoring systems), hardware (e.g., sensors, alarms, and valves), or networks. Companies of all sizes need to plan the security of their supporting utilities based on a risk assessment and on the sensitivity of the information stored and/or processed by the systems those utilities support.
  • Organization/processes — you should set up a process for ensuring that supporting utilities are properly configured, monitored, and tested, so their capacity can meet business needs, and proper redundancies are available considering risks of failure. You can document those processes through a Procedure for Supporting Utilities.
  • People — make employees aware of why protecting supporting utilities is needed, and train them on how to identify and report events that can affect them.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.7.11 Supporting utilities: whether facilities needed for information processing or storage are protected against failures.