ISO 27001 Annex A Control 7.13

ISO 27001 control 7.13 Equipment maintenance

The basics

ISO 27001 control A.7.13 Equipment maintenance requires companies to keep their equipment properly maintained. This matters because poorly maintained equipment can fail or be tampered with, compromising the confidentiality, integrity, and availability of information.

Documentation

ISO 27001 control A.7.13 Equipment maintenance can be documented:

  • for smaller and mid-size companies by defining in the Statement of Applicability (SoA) how equipment maintenance is handled (i.e., no separate document is needed)
  • for larger companies by writing a Procedure for Equipment Maintenance.

The procedure is not mandatory but is recommended.

Implementation

In order to comply with control A.7.13 Equipment maintenance you might implement the following:

  • Technology — the technology to enable equipment maintenance in most cases will be already available in the company. Companies of all sizes will probably be able to plan, monitor, and control equipment maintenance by using the same spreadsheet tables, scheduling systems, or service desk systems adopted to manage their regular maintenance activities.
  • Organization/processes — you should set up a process for planning maintenance activities according to manufacturers’ recommendations, covering maintenance performed either inside or outside the premises, as well as testing the equipment before it is put back into use. You can document those processes through a Procedure for Equipment Maintenance.
  • People — make employees aware of why equipment maintenance is needed, and train them on how to properly perform maintenance activities.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.7.13 Equipment maintenance: whether equipment is being properly maintained (for example, maintenance schedules and records of completed maintenance).