ITIC’s 2024 survey found that 91% of mid-to-large enterprises report hourly downtime costs exceeding $300,000. A significant share of that downtime traces back to something most security teams delegate to facilities: power, cooling, and telecommunications. ISO 27001 Control 7.11 exists because supporting utilities are not someone else’s problem — they are a direct threat to information availability and integrity.
What 7.11 requires
Control 7.11 requires organizations to protect information processing facilities against power failures, telecommunications outages, and other disruptions caused by failures in supporting utilities. The control covers electricity, telecommunications, water supply, gas, sewage, ventilation, and air conditioning.
In practical terms, the control asks you to do five things:
- Identify every utility your information processing facilities depend on. This includes obvious dependencies like electricity and internet connectivity, but also HVAC systems, water supply for cooling, and fire suppression infrastructure. If a utility failure could degrade or interrupt processing, it belongs on the list.
- Implement redundancy proportional to criticality. UPS systems for servers and networking equipment, backup generators for extended outages, dual ISP connections for internet-dependent operations, and N+1 cooling capacity for server rooms. The level of redundancy should match the risk assessment, and not every facility needs the same protection.
- Maintain and test utility equipment to manufacturer specifications. UPS batteries degrade, generators need fuel and exercise cycles, and HVAC filters require replacement. Documented maintenance schedules with recorded outcomes are the baseline expectation.
- Plan for graceful shutdown when backup power is time-limited. UPS runtime is finite. If generators don’t start or fuel runs out, systems need a defined shutdown sequence that preserves data integrity rather than crashing unpredictably.
- Segment and secure network-connected utility equipment. Modern UPS systems, building management systems, and HVAC controllers often connect to IP networks for monitoring. These devices must be segmented from production IT networks and secured against unauthorized access.
The control also expects organizations to deploy monitoring and alerting: environmental sensors for temperature and humidity, power monitoring for load and battery status, and network link monitoring for telecommunications redundancy. The implementation guidance in ISO 27002 provides additional detail on each of these areas.
Why 7.11 matters
A midsized company in peak summer loses its primary HVAC unit serving the server room on a Friday afternoon. Without environmental monitoring, nobody notices until Monday morning when customer-facing systems have been thermally throttling for 60 hours. Database performance has degraded, backup jobs have failed, and two disk drives have died from sustained high temperatures.
This is not an exotic scenario. According to Uptime Institute research, power-related failures account for 45% of significant data center outages, with UPS system failures as the leading subcategory. Cooling failures, telecommunications outages, and water damage account for much of the remainder. These are mundane, preventable failures, not sophisticated attacks.
The primary risk class is availability. Systems go offline or degrade when utilities fail. The secondary risk is integrity. Unclean shutdowns during power loss can corrupt databases, leave transactions in inconsistent states, and damage storage media. Both translate directly into financial loss, customer impact, and regulatory exposure. Organizations without a business continuity plan that accounts for utility failures are particularly vulnerable.
What attackers exploit
Utility infrastructure creates specific attack surfaces that security teams often overlook:
- Network-connected utility systems: Smart UPS units and HVAC controllers with default credentials serve as lateral movement paths into otherwise segmented networks
- Single points of failure: Weaknesses in power or telecommunications give attackers a denial-of-service vector that requires no software exploitation
- Untested backup systems: Equipment that fails on first real demand, turning a minor disruption into a major outage
- Building management systems: Devices exposed to production networks without segmentation or access controls
- Absent environmental monitoring: Gaps that allow slow thermal degradation, humidity creep, or water intrusion to go unnoticed until hardware fails
How to implement 7.11
For your organization (first-party)
Implementation breaks down into eight steps, each producing auditable evidence. If you’re working through the broader standard, the ISO 27001 implementation checklist provides context for where this control fits.
Step 1: Inventory supporting utilities and map dependencies. Document every utility that your information processing facilities rely on. Map each utility to the specific systems and facilities it supports. This inventory becomes your scope document for the rest of the implementation.
Step 2: Conduct a risk assessment for each utility. Identify single points of failure, estimate the impact and likelihood of failure for each utility, and determine acceptable downtime thresholds. A server room with one HVAC unit and no failover has an obvious single point of failure that the risk assessment should capture.
Step 3: Implement redundancy proportional to criticality. UPS systems for all critical computing and networking equipment, backup generators for facilities where UPS runtime alone is insufficient, dual ISP connections for internet-dependent operations, and N+1 cooling where thermal load justifies it. Match investment to the risk assessment. Not every closet needs a generator.
Step 4: Establish maintenance schedules. Follow manufacturer specifications for every piece of utility equipment. Document maintenance activities with dates, outcomes, and technician details. UPS batteries have defined replacement intervals. Generators need regular exercise runs under load. HVAC systems require filter changes and refrigerant checks.
Step 5: Deploy monitoring and alerting. Environmental sensors for temperature and humidity in server rooms, power monitoring for UPS load and battery health, generator fuel levels, and network link status for telecommunications redundancy. Alerts should route to staff who can act on them, not a shared inbox that nobody checks on weekends.
Step 6: Define emergency procedures. Document graceful shutdown sequences for when backup power is exhausted, emergency power-off locations and procedures, escalation contacts for utility failures, and coordination procedures with utility providers. These procedures must be accessible during the emergency itself. A shutdown procedure stored only on a server that’s already off is useless.
Step 7: Test failover regularly. Simulate power cuts to verify UPS and generator failover. Test network failover to secondary ISP connections. Verify HVAC failover where redundancy exists. Record test results with dates, participants, and outcomes. Annual testing is a minimum; quarterly is better for critical facilities.
Step 8: Segment network-connected utility equipment. Place UPS management interfaces, building management systems, HVAC controllers, and environmental monitoring systems on dedicated VLANs, separated from production networks. Apply access controls and monitor traffic between segments.
Common mistakes to avoid:
- Untested UPS systems: Installing a UPS but never testing whether it holds charge under realistic load
- Cloud exemption assumptions: Treating cloud-hosted infrastructure as exempt from this control (telecommunications and power to on-premises network equipment still apply)
- Shared network segments: Running HVAC controllers on the same VLAN as production servers
- Undocumented procedures: Relying on tribal knowledge for shutdown procedures instead of documented, tested processes
- Paper-only contracts: Maintaining contracts that exist on paper but have never been exercised
For your vendors (third-party assessment)
When assessing vendors against 7.11, ask specific questions and request verifiable evidence. A structured vendor risk assessment process helps standardize this evaluation across your supply chain.
Questions to ask:
- Describe your data center power redundancy architecture, including UPS topology and generator capacity
- What is the rated runtime of your UPS systems under current load?
- How frequently do you test generator failover, and can you share recent test results?
- Are utility control systems segmented from production networks?
- What environmental monitoring is deployed in your server rooms?
Evidence to request:
- Data center certification documentation (e.g., Uptime Institute tier rating)
- UPS load test results and generator failover test logs from the past 12 months
- Environmental monitoring dashboard screenshots or reports
- Network architecture diagrams showing utility system segmentation
Red flags:
- The vendor cannot state their UPS runtime under current load
- No generator failover test records exist from the past 12 months
- Utility management systems share a network with customer data
- No environmental monitoring exists in server rooms or data halls
Verification: Request the vendor’s SOC 2 Type II report covering availability criteria. Review their ISO 27001 Statement of Applicability for 7.11 coverage. Ask for the most recent data center audit report. Cross-reference claims against independent certifications where possible. For a deeper dive into this process, see our guide on how to perform a third-party risk assessment.
Audit evidence for 7.11
When an auditor assesses 7.11, they expect to see documented controls at both the policy and operational levels. The table below maps evidence types to specific artifacts you should prepare. For broader guidance on what to expect, see our ISO 27001 audit preparation guide.
| Evidence type | Example artifact |
|---|---|
| Policy | Supporting utilities policy defining utility types, redundancy requirements, maintenance cadence, and emergency procedures |
| Inventory | Utility dependency register mapping each utility to the facilities and systems it supports |
| Maintenance records | Scheduled maintenance logs for UPS, generators, HVAC, and fire suppression with dates and outcomes |
| Test records | Generator failover test results, UPS load test reports, and network failover simulation logs |
| Monitoring evidence | Environmental monitoring dashboard exports showing temperature, humidity, and power alert history |
| Network diagrams | Architecture diagrams showing utility control systems segmented from production networks |
| Emergency procedures | Documented graceful shutdown sequences and emergency contact lists |
| Vendor contracts | Service-level agreements with utility providers and maintenance contractors |
Cross-framework mapping
Control 7.11 maps to several controls across major compliance frameworks. Organizations operating under multiple frameworks can use this mapping to reduce duplicate effort and demonstrate cross-framework coverage from a single set of utility controls. For a broader view of how ISO 27001 compliance maps across standards, see our compliance hub.
| Framework | Equivalent control(s) | Coverage |
|---|---|---|
| NIST 800-53 | CP-08 (Alternate Telecommunications Services) | Full |
| NIST 800-53 | PE-09 (Power Equipment and Cabling) | Full |
| NIST 800-53 | PE-10 (Emergency Shutoff) | Full |
| NIST 800-53 | PE-11 (Emergency Power) | Full |
| NIST 800-53 | PE-12 (Emergency Lighting) | Full |
| NIST 800-53 | PE-14 (Environmental Controls) | Full |
| NIST 800-53 | PE-15 (Water Damage Protection) | Full |
| SOC 2 | CC6.4 (Physical access and environmental safeguards) | Partial |
| NIST CSF 2.0 | PR.IR-01 (Protective technology: infrastructure resilience) | Partial |
| CIS Controls v8.1 | Control 12 (Network Infrastructure Management) | Partial |
| DORA (EU) | Article 11 (ICT business continuity management) | Partial |
| CPS 230 (APRA) | Operational resilience requirements for critical operations | Partial |
Related ISO 27001 controls
Control 7.11 connects to several other Annex A controls that address physical security, equipment protection, and business continuity.
| Control ID | Control name | Relationship |
|---|---|---|
| 7.1 | Physical security perimeters | Utility rooms require physical access controls |
| 7.2 | Physical entry | Controls who can access utility infrastructure |
| 7.4 | Physical security monitoring | Detecting unauthorized access to utility areas |
| 7.8 | Equipment siting and protection | Placement of equipment to minimize utility failure impact |
| 7.12 | Cabling security | Protecting power and data cables from damage |
| 7.13 | Equipment maintenance | Overlaps with utility equipment maintenance schedules |
| 7.14 | Secure disposal or re-use of equipment | Decommissioning utility-connected devices |
| 8.14 | Redundancy of information processing facilities | Broader redundancy strategy that 7.11 feeds into |
| 5.30 | ICT readiness for business continuity | Utility resilience is a prerequisite for ICT continuity |
Frequently asked questions
What is ISO 27001 7.11?
ISO 27001 Control 7.11 requires organizations to protect information processing facilities from power failures and other disruptions caused by failures in supporting utilities such as electricity, telecommunications, water, and HVAC. In practice, this means implementing UPS systems, backup generators, redundant network connections, and environmental monitoring, then maintaining and testing them regularly.
What happens if 7.11 is not implemented?
Without supporting utility controls, a power outage or cooling failure can corrupt databases, take customer-facing systems offline, and trigger audit nonconformities. Extended outages without graceful shutdown capability can cause permanent data loss and violate availability commitments to customers and regulators.
How do you audit 7.11?
Auditors verify that utility dependencies are documented, redundancy measures match the risk assessment, maintenance and testing records are current, and emergency procedures are accessible. They typically ask to see UPS load test results, generator failover logs, environmental monitoring dashboards, and network diagrams showing utility system segmentation.
How UpGuard helps with supporting utility compliance
Mapping physical controls like 7.11 to your broader compliance posture is where many organizations lose visibility. UpGuard Breach Risk maps your security posture against ISO 27001, SOC 2, NIST CSF, and other frameworks — giving you continuous visibility into compliance gaps across all Annex A controls, including physical and environmental requirements.
- Compliance framework mapping: Covers ISO 27001, SOC 2, NIST 800-53, NIST CSF 2.0, and more
- Continuous monitoring: Tracks your security posture against control requirements
- Gap identification: Highlights where your implementation falls short of framework expectations