Equipment degradation doesn’t announce itself with a siren. It shows up as a firewall running firmware two versions behind, a UPS battery that fails under load during a power event, or an HVAC unit that quietly stops maintaining the temperature threshold your server room depends on. By the time the failure becomes visible, it’s already a security incident — data integrity compromised by an ungraceful shutdown, a perimeter control offline because nobody replaced the door controller battery, or an attacker exploiting the exact firmware vulnerability your maintenance schedule should have caught months ago. ISO 27001 control 7.13 exists because equipment maintenance isn’t an IT ops convenience — it’s a security control.
What 7.13 requires
ISO 27001 7.13 requires organizations to maintain equipment correctly to ensure the continued availability, integrity, and confidentiality of information. In practical terms, that means building and following a preventive maintenance schedule aligned to manufacturer specifications for every piece of equipment that supports information processing or protection.
The scope extends well beyond servers and network hardware. Control 7.13 covers uninterruptible power supplies (UPS), backup generators, Heating, Ventilation, and Air Conditioning (HVAC) systems, fire suppression equipment, and physical security infrastructure like access control panels and CCTV systems. If the equipment failing would degrade your ability to protect information, it’s in scope.
ISO 27002 provides detailed implementation guidance for each control, including 7.13. Organizations must maintain records of all maintenance activities — who performed the work, when, what was done, and the outcome. Equipment must be secured during maintenance to prevent unauthorized access or tampering, whether the work happens on-site, off-site, or remotely. Before returning any equipment to service after maintenance, you need to verify its integrity: confirm configurations haven’t changed, validate that security controls are active, and inspect for signs of tampering.
Why 7.13 matters
In a common pattern, an organization’s UPS system passes its annual visual inspection but nobody performs a load test. Months later, a power event hits and the UPS fails under actual load. Servers don’t shut down gracefully — they crash. Disk writes corrupt mid-transaction, encryption processes that depend on orderly shutdown sequences don’t complete, and the backup generator takes over a facility where half the security monitoring infrastructure is now rebooting. For the 45 minutes it takes to restore full operations, door access logs have gaps, CCTV recording is intermittent, and the intrusion detection system (IDS) missed whatever happened during the blackout window.
This isn’t a theoretical exercise. According to the Uptime Institute’s 2025 Annual Outage Analysis, 54% of surveyed organizations reported that their most recent significant outage cost more than $100,000, with power-related failures remaining the leading cause. Equipment maintenance failures don’t just create operational inconvenience — they create windows where availability controls fail, integrity protections lapse, and confidentiality mechanisms are bypassed. The risk class here is physical security failure leading to information compromise.
What makes this particularly dangerous is that maintenance failures compound. A single missed firmware update on a firewall is a risk. A missed firmware update combined with an expired UPS battery and an HVAC system running outside specifications means a single trigger event can cascade into simultaneous failures across multiple security domains.
What attackers exploit
Attackers actively seek the gaps that maintenance failures create:
- Unpatched firmware on network appliances and firewalls. The joint CISA/FBI/NSA advisory (AA24-317A) found that in 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as zero-days, with attackers finding the most success exploiting vulnerabilities within two years of public disclosure. Firmware that sits unpatched past vendor-recommended cycles is an open invitation — expanding the organization’s attack surface with every missed cycle.
- Degraded physical access controls. Door controllers with dead batteries, CCTV cameras with failed storage, and biometric readers running outdated software all create physical entry points that bypass logical security controls.
- UPS and power systems past replacement date. When these fail, forced shutdowns bypass graceful security processes — encryption doesn’t complete, audit logs don’t flush, and monitoring systems go dark.
- Unsupervised third-party maintenance technicians. A technician with physical access to a server rack, network closet, or power distribution unit can install hardware implants, extract data from unencrypted drives, or modify configurations.
- Equipment sent off-site for repair with unencrypted storage media. Hard drives and Solid-State Drives (SSDs) in equipment sent to vendor repair facilities may contain sensitive data that leaves your controlled environment.
- Disabled environmental monitoring. HVAC failure doesn’t just make a server room uncomfortable — thermal shutdown of security-critical systems creates the same cascading failure as a power event.
- Missing maintenance logs. Without records of who touched equipment and when, you lose the ability to detect tampering, reconstruct incident timelines, or demonstrate compliance during audits.
How to implement 7.13
For your organization (first-party)
Effective implementation of 7.13 starts with knowing what you’re maintaining and builds outward into process and verification.
1. Build an equipment register. Identify every asset in scope: servers, networking equipment, storage systems, UPS units, generators, HVAC systems, fire suppression, physical access control panels, CCTV infrastructure, and environmental sensors. For each asset, record the manufacturer, model, serial number, location, warranty status, and the maintenance interval the manufacturer recommends.
2. Create a maintenance schedule. Use manufacturer specifications as the baseline, then adjust for criticality and operating environment. A UPS in a high-humidity facility or a firewall processing above-average traffic volumes may need more frequent maintenance than the manufacturer’s default recommendation. Map preventive maintenance windows to avoid conflicts with business-critical operations.
3. Define authorized maintenance personnel. Maintain a list of internal staff and vetted external contractors authorized to perform maintenance. Require background checks for anyone with unsupervised physical access to critical infrastructure. Review and update this list at least annually.
4. Establish security procedures for maintenance events. Define supervision requirements — which equipment categories require escort during third-party servicing? Specify data protection requirements: drives must be encrypted or removed before equipment leaves premises. Document chain-of-custody processes for off-site repairs, including who authorized the removal, where the equipment went, and who handled it.
5. Implement post-maintenance verification. After any maintenance event, inspect the equipment for signs of tampering. Confirm that configurations match pre-maintenance baselines. Validate that security controls — access lists, firewall rules, encryption settings — are active and unchanged. Run functional tests appropriate to the equipment type.
6. Maintain detailed maintenance logs. Record the date, personnel involved, work performed, parts replaced, and the outcome of post-service verification. These logs serve dual purposes: they’re your audit trail and your tamper detection baseline.
7. Link maintenance to change management. Any maintenance that changes equipment configurations — firmware updates, hardware replacements, network recabling — must follow your change control process. This prevents maintenance from introducing unauthorized changes that bypass your security review.
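The steps above describe a program, not a product, but two of them lend themselves to simple automation: computing which register entries are past their manufacturer-derived due date (steps 1 and 2) and comparing a post-maintenance configuration snapshot against the pre-maintenance baseline so that only change-ticket-authorized differences are accepted (steps 5, 6 and 7). The script below is an added illustration written for this article; it is not UpGuard code and not part of any CMMS or ITSM product. The asset records, intervals, configuration snapshots and the technician identifier are constructed sample values, and the `criticality_factor` and `authorized_changes` parameters are this example's own way of modelling the "adjust for criticality" and "link to change management" guidance.

```python
"""
Added example (not from the article or from UpGuard): an equipment-register
due-date check plus post-maintenance configuration verification that produces
a maintenance-log record. All data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import json


@dataclass
class Asset:
    """One row of the equipment register (step 1)."""
    asset_id: str
    category: str            # e.g. "ups", "firewall", "hvac", "door-controller"
    model: str
    last_maintained: date
    interval_days: int       # manufacturer-recommended preventive interval
    criticality_factor: float = 1.0   # <1.0 shortens the interval (step 2); hypothetical field

    def next_due(self) -> date:
        # Baseline interval scaled for criticality / operating environment.
        return self.last_maintained + timedelta(days=int(self.interval_days * self.criticality_factor))


def overdue_assets(register, today):
    """Return (asset_id, days_overdue) for each asset past its due date, most overdue first."""
    late = [(a.asset_id, (today - a.next_due()).days) for a in register]
    return sorted([(aid, d) for aid, d in late if d > 0], key=lambda r: -r[1])


def config_fingerprint(config):
    """SHA-256 over a canonical JSON form, so key order in the snapshot does not matter."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def config_drift(baseline, current):
    """Field-level differences between the pre- and post-maintenance snapshots."""
    drift = {}
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            drift[key] = {"baseline": baseline.get(key), "current": current.get(key)}
    return drift


def verify_post_maintenance(asset_id, technician, baseline, current,
                            required_controls, authorized_changes=()):
    """Build the post-service verification record for the maintenance log (step 6).

    `authorized_changes` lists the configuration keys the change ticket approved
    (step 7); any other difference is flagged as unauthorized drift (step 5).
    """
    drift = config_drift(baseline, current)
    unauthorized = {k: v for k, v in drift.items() if k not in authorized_changes}
    disabled = [c for c in required_controls if not current.get(c, False)]
    return {
        "asset_id": asset_id,
        "technician": technician,
        "baseline_hash": config_fingerprint(baseline),
        "current_hash": config_fingerprint(current),
        "authorized_drift": {k: v for k, v in drift.items() if k in authorized_changes},
        "unauthorized_drift": unauthorized,
        "controls_disabled": disabled,
        "passed": not unauthorized and not disabled,
    }


# Constructed sample register: models and dates are placeholders, not real assets.
SAMPLE_REGISTER = [
    Asset("UPS-01", "ups", "Example UPS 3000", date(2024, 1, 15), 365),
    Asset("FW-01", "firewall", "Example FW", date(2024, 11, 1), 90, criticality_factor=0.5),
    Asset("HVAC-01", "hvac", "Example HVAC", date(2024, 6, 1), 180),
]
SAMPLE_TODAY = date(2025, 3, 1)

# Constructed firewall snapshots: firmware update was on the change ticket,
# but the technician left the IDS disabled after servicing.
BASELINE_FW = {"firmware": "7.2.1", "ids_enabled": True, "logging": True, "admin_acl": ["10.0.0.0/24"]}
AFTER_FW = {"firmware": "7.2.3", "ids_enabled": False, "logging": True, "admin_acl": ["10.0.0.0/24"]}
FIXED_FW = dict(AFTER_FW, ids_enabled=True)   # state after the IDS is re-enabled
REQUIRED_CONTROLS = ["ids_enabled", "logging"]

if __name__ == "__main__":
    print("Overdue:", overdue_assets(SAMPLE_REGISTER, SAMPLE_TODAY))
    record = verify_post_maintenance("FW-01", "tech-042", BASELINE_FW, AFTER_FW,
                                     REQUIRED_CONTROLS, authorized_changes=("firmware",))
    print(json.dumps(record, indent=2))
```

The verification record is what goes into the maintenance log: it carries the technician identity, both configuration hashes, the approved differences, and the differences that were not on the change ticket. Storing the baseline hash before the technician arrives and the current hash afterwards also gives you the tamper-detection baseline the article mentions in step 6, independent of whatever the vendor's own tooling reports.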
Tooling support typically includes configuration management databases (CMDBs) or computerized maintenance management systems (CMMS) for scheduling, IT service management (ITSM) platforms for tracking work orders, and patch management systems for firmware and software maintenance. An ISO 27001 implementation checklist can help ensure maintenance program requirements aren’t overlooked during initial setup.
Common mistakes to avoid:
- Treating equipment maintenance as purely an IT operations concern with no security oversight or input
- Excluding supporting infrastructure — UPS, HVAC, fire suppression, physical access systems — from the maintenance scope
- Having no chain-of-custody process for equipment that leaves the premises
- Relying on vendor maintenance contracts without verifying that security requirements are specified in the contract
- Maintaining logs that record dates but not the actual work performed or the identity of the technician
For your vendors (third-party assessment)
When assessing third-party providers against 7.13, you’re evaluating whether their equipment maintenance practices protect the information you’ve entrusted to them. A structured third-party risk assessment provides the framework for this evaluation.
Questions to ask:
- “Describe your preventive maintenance schedule for critical infrastructure, including how schedules align with manufacturer specifications.”
- “How do you secure equipment during third-party servicing? What supervision and chain-of-custody controls are in place?”
- “What is your process for verifying equipment integrity after maintenance, including configuration validation?”
Evidence to request: A documented equipment maintenance policy, sample maintenance logs (redacted as needed), vendor and contractor nondisclosure agreements (NDAs), post-maintenance verification checklists, and proof of a CMMS or ticketing system that tracks maintenance activities. A vendor risk assessment framework helps structure this evidence collection.
Red flags to watch for: No documented maintenance schedule, maintenance performed by unvetted personnel without background checks, no data sanitization process before off-site repair, and inability to produce maintenance records for the past 12 months. Any of these suggests that the vendor treats maintenance as operational housekeeping rather than a security control — which means the information you’ve entrusted to their infrastructure isn’t being protected to the standard ISO 27001 third-party risk requirements demand.
Beyond self-attestation, request evidence from their CMMS or ticketing system, ask for redacted maintenance logs covering the most recent quarter, and consider whether continuous monitoring of the vendor’s external security posture would surface the kinds of degradation that maintenance failures produce.
Audit evidence for 7.13
Preparing for an ISO 27001 audit requires structured evidence. Auditors assessing 7.13 will expect documentation that demonstrates both the existence and consistent execution of your maintenance program.
| Evidence type | Example artifact |
|---|---|
| Equipment maintenance policy | Documented policy defining scope, roles, schedules, and security requirements for all maintenance activities |
| Equipment/asset register | Inventory with maintenance-relevant metadata: manufacturer, model, maintenance interval, warranty status, responsible party |
| Preventive maintenance schedule | Calendar showing planned maintenance windows with actual completion dates tracked against targets |
| Maintenance activity logs | Records with date, technician identity, work description, parts replaced, and post-service verification outcome |
| Third-party contractor agreements | Signed contracts and NDAs specifying security requirements, supervision rules, and data handling obligations |
| Post-maintenance inspection checklists | Completed checklists confirming configuration integrity, security control validation, and tamper inspection |
| Change management records | Change tickets for any maintenance that altered equipment configurations, with approval and review evidence |
| Insurance and warranty compliance records | Documentation demonstrating that maintenance activities meet warranty requirements and insurance conditions |
Cross-framework mapping
Organizations operating under multiple compliance frameworks can map 7.13 to equivalent controls elsewhere. This reduces duplicate effort and helps demonstrate that a single maintenance program satisfies requirements across standards.
| Framework | Equivalent control(s) | Coverage |
|---|---|---|
| NIST 800-53 | MA-02 (Controlled Maintenance) | Full |
| NIST 800-53 | MA-06 (Timely Maintenance) | Full |
| NIST CSF 2.0 | PR.MA (Maintenance) | Full |
| SOC 2 TSC | CC6.4 (Physical access restrictions including maintenance) | Partial |
| CIS Controls v8.1 | Control 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory) | Partial |
| DORA (EU) | Article 11 (ICT systems, protocols and tools — maintenance requirements) | Partial |
NIST 800-53 MA-02 covers the core requirement: scheduling, performing, documenting, and reviewing maintenance records, and is assigned to the Low baseline, meaning it applies to all federal systems regardless of impact level. MA-06 addresses timely maintenance by requiring organizations to obtain maintenance support and spare parts within defined time periods — it applies from the Moderate baseline upward. Together, these two controls fully encompass what ISO 27001 7.13 requires.
The SOC 2 and CIS Controls mappings are partial because they address adjacent concerns — physical access and asset inventory, respectively — rather than maintenance programs specifically. DORA’s Article 11 covers ICT maintenance for financial entities in the EU but is scoped to ICT systems rather than the full physical infrastructure scope of 7.13.
Related ISO 27001 controls
Control 7.13 doesn’t operate in isolation. It connects to controls governing physical access, environmental protection, asset handling, and supplier management.
| Control ID | Control name | Relationship |
|---|---|---|
| 7.1 | Physical security perimeters | Maintenance personnel need authorized access to physically secured areas |
| 7.2 | Physical entry | Visitor and contractor escort and logging requirements apply during maintenance visits |
| 7.5 | Protecting against physical and environmental threats | Environmental controls (HVAC, fire suppression) require maintenance to function |
| 7.8 | Equipment siting and protection | Siting decisions affect maintenance access requirements and security during servicing |
| 7.9 | Security of assets off-premises | Governs equipment sent to external locations for repair or servicing |
| 7.10 | Storage media | Data protection requirements for storage media in equipment undergoing maintenance |
| 7.14 | Secure disposal or re-use of equipment | End-of-life processing follows when maintenance determines equipment cannot be repaired |
| 5.19 | Information security in supplier relationships | Contractor and vendor maintenance agreements must meet supplier security requirements |
| 8.9 | Configuration management | Post-maintenance configuration verification ties directly to configuration baselines |
Frequently asked questions
What is ISO 27001 7.13?
ISO/IEC 27001:2022 control 7.13 is a physical security control requiring organizations to maintain equipment according to manufacturer and supplier specifications to ensure the continued availability, integrity, and confidentiality of information. The control’s scope includes IT infrastructure, power systems (UPS, generators), environmental controls (HVAC, fire suppression), and physical security systems (access control, CCTV). It addresses both preventive maintenance scheduling and the security of equipment during servicing — including requirements for authorized personnel, post-maintenance verification, and maintenance record-keeping.
What happens if 7.13 is not implemented?
Without structured equipment maintenance, organizations face unplanned outages, degraded security controls, and potential data compromise from equipment failures. Expired firmware creates exploitable vulnerabilities that attackers actively target. Failed UPS systems cause ungraceful shutdowns that bypass encryption and audit logging. Unsupervised third-party maintenance can expose sensitive systems to unauthorized physical access. Beyond the direct security impact, the absence of maintenance records creates audit gaps that can result in nonconformities during ISO 27001 certification or surveillance audits.
How do you audit 7.13?
Auditors verify 7.13 by reviewing the equipment maintenance policy, inspecting maintenance schedules against actual completion records, and evaluating security controls for third-party maintenance access. Expect requests for maintenance activity logs, contractor NDAs and background check evidence, post-maintenance inspection checklists, and documentation showing that maintenance schedules align with manufacturer recommendations. Auditors will also look for evidence that maintenance is integrated with change management — any servicing that altered configurations should have a corresponding change record.
How UpGuard helps
Verify your vendors’ equipment maintenance practices at scale
UpGuard Vendor Risk helps you assess whether third-party providers maintain equipment in line with ISO 27001 requirements — without relying solely on self-reported questionnaire responses. Standardized assessment templates cover maintenance practices, patch management cadence, and physical security controls, giving you structured evidence of how vendors manage the infrastructure that processes your data. Continuous monitoring detects when a vendor’s external security posture degrades — the kind of signal that equipment maintenance failures and unpatched firmware inevitably produce.