ISO 27001 Control 7.8: Equipment Siting and Protection

A single misconfigured HVAC drain line above a server rack can take down an entire production environment overnight. When equipment sits in the wrong place — exposed to water, heat, unauthorized hands, or even line-of-sight from a public corridor — the resulting failures aren’t theoretical. They show up as unplanned downtime, corrupted storage, and audit findings that block ISO 27001 certification.

What 7.8 Requires

ISO/IEC 27001:2022 control 7.8 requires your organization to make deliberate, risk-informed decisions about where every piece of IT equipment lives and how it is protected once it’s there. That means servers, network switches, workstations, printers, and the cabling that connects them all need to be positioned to minimize exposure to environmental hazards — fire, water, dust, extreme temperatures, electromagnetic interference — and to unauthorized physical access.

You need to prevent two categories of harm. The first is environmental: equipment must be shielded from conditions that degrade availability, whether that’s a water pipe running directly above a rack, an unventilated closet that traps heat, or a construction zone that generates particulate contamination. The second is human: screens processing sensitive data can’t face public walkways, server rooms can’t be left unlocked, and cabling can’t be routed through areas where it’s easily intercepted or accidentally severed.

The underlying principle is straightforward. Equipment that’s poorly sited is equipment that’s already compromised in availability terms — you just haven’t experienced the failure event yet. Control 7.8 forces you to address that gap before the auditor or the environment does it for you.

Why 7.8 Matters

Organizations that fail to implement this control often discover the problem through an environmental incident rather than an audit. In a common pattern, a cooling system failure in an unmonitored server closet goes unnoticed for hours, temperatures climb past hardware tolerances, and drives begin failing in sequence. The root cause isn’t the HVAC unit — it’s the decision to place critical infrastructure in a location without environmental monitoring, redundant cooling, or physical access restrictions that would have flagged the problem earlier.

Physical threats remain one of the most overlooked attack surfaces in information security programs. Teams invest heavily in network segmentation and endpoint detection while critical hardware sits in a shared office space where any visitor can observe screen contents, access network ports, or simply trip over a power cable. The risk class here spans both availability and confidentiality — environmental failures destroy equipment and data, while poor siting enables unauthorized observation and tampering.

What attackers exploit

  • Equipment in unsecured areas: Servers, switches, or access points placed in public corridors, shared offices, or unlocked utility rooms where anyone can physically interact with them.
  • Missing environmental monitoring: No temperature, humidity, or water leak sensors means failures go undetected until hardware damage is irreversible.
  • Screens visible from public areas: Monitors facing windows, reception areas, or high-traffic corridors enable shoulder surfing of sensitive data without any technical exploit.
  • Unprotected cabling: Network and power cables routed through accessible ceiling tiles, open cable trays, or unmonitored pathways where they can be tapped, cut, or accidentally damaged.
  • No separation between internal and third-party equipment: Shared racks or rooms with vendors or co-tenants where physical access boundaries don’t exist.
  • Power infrastructure without protection: Missing UPS, surge protection, or lightning arrestors that leave equipment vulnerable to electrical events.

How to Implement 7.8

Implementing this control requires two parallel tracks: securing your own equipment and verifying that your vendors do the same. Both are auditable, and both require documented evidence.

For your organization (first-party)

Start with an inventory of equipment that falls within scope. Every server, network device, workstation, printer, and piece of cabling that processes, stores, or transmits information covered by your ISMS needs a siting assessment.

For each location, conduct a site-specific risk assessment that evaluates environmental hazards (proximity to water sources, fire risks, temperature extremes, dust, electromagnetic interference) and physical access risks (who can reach the equipment, whether sensitive screens are observable, whether cabling is exposed). Document these assessments — they become primary audit evidence.

Implement environmental controls proportionate to the risk. Server rooms and comms closets need fire suppression systems, HVAC with redundancy, water leak detection, and uninterruptible power supplies. Deploy temperature and humidity sensors with automated alerting so that environmental drift triggers a response before hardware fails.

Restrict physical access using locked rooms, badge-controlled entry, and visitor logging. Position screens displaying sensitive information away from windows and public areas, and use privacy filters where repositioning isn’t practical. Protect cabling with conduits or secured cable trays, and keep power and data runs separated to reduce electromagnetic interference.

Establish a review cycle. Siting decisions aren’t permanent — office relocations, facility changes, and new equipment all trigger reassessment. Document your review cadence (annually at minimum) and any changes made as a result.
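To make the monitoring step above concrete, here is an added example (not code from the original article or from UpGuard) of the kind of check that turns sensor logs into alerts: it flags threshold breaches and water-leak signals, and also treats a sensor that has gone silent as an incident, since an unmonitored closet fails quietly. The log format, thresholds and sample readings are all constructed.

```python
# Added example, not code from the original article or from UpGuard. Assumed
# (constructed) log format: "timestamp,location,sensor,value" with ISO-8601 timestamps.
from datetime import datetime, timedelta
# Constructed (low, high) ranges per sensor type; tune to your hardware tolerances,
# these are not figures from ISO 27001 or any vendor.
THRESHOLDS = {"temp_c": (18.0, 27.0), "humidity_pct": (20.0, 60.0)}
# A sensor silent for longer than this is itself an incident: an unmonitored
# closet fails silently, which is the "unnoticed for hours" scenario.
STALE_AFTER = timedelta(minutes=30)
# Constructed sample readings for a comms closet and a server room.
SAMPLE_LOG = """\
2024-05-01T01:00:00,comms-closet-2,temp_c,22.5
2024-05-01T01:10:00,comms-closet-2,temp_c,26.0
2024-05-01T01:20:00,comms-closet-2,temp_c,29.5
2024-05-01T01:20:00,comms-closet-2,humidity_pct,45
2024-05-01T01:20:00,server-room-a,water_leak,1
2024-05-01T00:30:00,server-room-a,temp_c,21.0
"""

def parse_log(text):
    """Parse log lines into (timestamp, location, sensor, value) tuples."""
    readings = []
    for line in text.splitlines():
        if line.strip():
            ts, location, sensor, value = line.split(",")
            readings.append((datetime.fromisoformat(ts), location, sensor, float(value)))
    return readings

def evaluate(readings, now):
    """Return (location, sensor, reason) alerts: range breaches, leaks, silent sensors."""
    alerts, last_seen = [], {}
    for ts, location, sensor, value in readings:
        key = (location, sensor)
        last_seen[key] = max(ts, last_seen.get(key, ts))
        if sensor == "water_leak" and value >= 1:
            alerts.append((location, sensor, "leak detected"))
        elif sensor in THRESHOLDS:
            low, high = THRESHOLDS[sensor]
            if not low <= value <= high:
                alerts.append((location, sensor, f"out of range: {value}"))
    # Second pass: any sensor whose latest reading is older than STALE_AFTER.
    for (location, sensor), ts in last_seen.items():
        if now - ts > STALE_AFTER:
            alerts.append((location, sensor, f"no reading since {ts.isoformat()}"))
    return alerts

def check_log(text, now_iso):
    """Evaluate raw log text as of the given wall-clock time (ISO-8601 string)."""
    return evaluate(parse_log(text), datetime.fromisoformat(now_iso))
```

Running check_log(SAMPLE_LOG, "2024-05-01T01:30:00") yields three alerts: the closet temperature breach, the server-room leak, and the server-room temperature sensor that last reported an hour earlier.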

Common mistakes:

  • Placing servers in multi-purpose rooms that lack environmental controls because “it’s just temporary”
  • Treating cable management as a tidiness issue rather than a security control
  • Completing a siting assessment once and never revisiting it after facility changes
  • Forgetting remote offices and branch sites where equipment siting is often ad hoc
  • Failing to separate visitor-accessible areas from zones housing critical equipment

For your vendors (third-party assessment)

When your data lives on equipment you don’t physically control, you’re still responsible for managing third-party risk and verifying that siting and protection controls are in place. Your vendor assessment program should address this control explicitly.

Ask these questions in your security questionnaire:

  • “Describe the physical and environmental controls protecting equipment that processes or stores our data.”
  • “What environmental monitoring is in place, and what are the alert and escalation procedures?”
  • “How is physical access to equipment areas restricted and logged?”

Request concrete evidence: a current SOC 2 Type II report with the physical and environmental (PE) controls section, data center certifications from the Uptime Institute or equivalent bodies, and the vendor’s ISO 27001 certificate if they claim compliance. Floor plans showing equipment placement relative to environmental controls are useful but rarely provided — focus on the audit reports instead.

Red flags in vendor responses include: inability to produce environmental monitoring records, shared racks without physical access segregation between tenants, no fire suppression in equipment areas, and the deflection “we use a cloud provider” without specifying which physical controls their provider implements. If a vendor can’t describe their siting controls with specificity, escalate before granting them access to sensitive data.

Verify beyond self-attestation by negotiating right-to-audit clauses in contracts and reviewing independent third-party audit reports. A vendor’s claim of “enterprise-grade physical security” means nothing without evidence to back it.

Audit Evidence for 7.8

When preparing for an ISO 27001 audit, auditors evaluating this control will look for both documented policies and operational evidence that those policies are being followed. The table below maps the evidence types you should have ready.

Evidence Type              | Example Artifact
Policy                     | Physical Security Policy defining equipment siting criteria, environmental protection requirements, and review cadence
Risk Assessment            | Site-specific risk assessments for each equipment location, covering environmental hazards and physical access threats
Floor Plans                | Annotated facility diagrams showing equipment placement, restricted zones, environmental control locations, and cable routing
Environmental Monitoring   | Temperature and humidity monitoring logs with defined alert thresholds and records of triggered incidents
Access Logs                | Physical access control records for server rooms and equipment areas: badge reader data, visitor sign-in logs, access approval records
Maintenance Records        | Scheduled inspection and maintenance records for HVAC, UPS, fire suppression, and water leak detection systems
Third-Party Certifications | SOC 2 Type II reports or ISO 27001 certificates from colocation and cloud providers, specifically covering PE controls
Change Records             | Documentation of siting reviews triggered by facility changes, equipment relocations, or environmental incidents

Cross-Framework Mapping

ISO 27001 control 7.8 maps to multiple controls across other major frameworks, particularly in the NIST SP 800-53 Rev. 5 physical and environmental protection (PE) family. The table below shows the direct equivalents from the official OLIR crosswalk and additional framework mappings where clear relationships exist.

Framework        | Equivalent Control(s)                                                | Coverage
NIST 800-53      | PE-09 (Power Equipment and Cabling)                                  | Full
NIST 800-53      | PE-13 (Fire Protection)                                              | Full
NIST 800-53      | PE-14 (Environmental Controls)                                       | Full
NIST 800-53      | PE-15 (Water Damage Protection)                                      | Full
NIST 800-53      | PE-18 (Location of System Components)                                | Full
NIST 800-53      | PE-19 (Information Leakage)                                          | Full
NIST 800-53      | PE-23 (Facility Location)                                            | Full
SOC 2            | CC6.4 (Physical Access Restrictions)                                 | Partial
CIS Controls v8  | 1.1, 1.2 (Enterprise Asset Inventory and Control)                    | Partial
NIST CSF 2.0     | PR.AA-02 (Physical Access)                                           | Partial
DORA (EU)        | Article 11 (ICT-related incident management — physical resilience)   | Partial
CPS 230 (APRA)   | Operational Risk Management — critical infrastructure resilience     | Partial

Organizations mapping across frameworks — including those cross-referencing ISO 27002 implementation guidance — should note that NIST 800-53 provides the most granular coverage, with seven PE controls collectively addressing the full scope of 7.8. SOC 2 and the other frameworks listed address overlapping concerns but typically require additional controls to fully satisfy the ISO 27001 requirement.

Control 7.8 connects functionally to several other controls across the physical controls domain and beyond. Understanding these relationships helps you implement a coherent physical security program rather than treating each control in isolation.

Control ID | Control Name                                          | Relationship
7.1        | Physical Security Perimeters                          | Defines the secure zones where equipment should be sited
7.2        | Physical Entry Controls                               | Restricts who can access areas where equipment is located
7.3        | Securing Offices, Rooms, and Facilities               | Broader facility security that enables proper equipment siting
7.4        | Physical Security Monitoring                          | Detection and alerting that complements siting protections
7.5        | Protecting Against Physical and Environmental Threats | Overlapping environmental controls for fire, water, and natural disasters
7.9        | Security of Assets Off-Premises                       | Extends siting principles to equipment outside controlled facilities
7.10       | Storage Media                                         | Secure siting applies to media storage locations and handling
7.11       | Supporting Utilities                                  | Power, cooling, and water systems that equipment siting depends on
7.12       | Cabling Security                                      | Directly supports the cable protection requirements within 7.8
7.14       | Secure Disposal or Reuse of Equipment                 | End-of-life handling for equipment that was sited under 7.8

Frequently Asked Questions

What is ISO 27001 7.8?

ISO 27001 control 7.8 requires organizations to site equipment securely and protect it from environmental threats, physical hazards, and unauthorized access. It covers all IT infrastructure — servers, network devices, workstations, printers, and cabling — and addresses risks ranging from water damage and fire to shoulder surfing and cable tampering. The control is classified as preventive and supports confidentiality, integrity, and availability.

What happens if 7.8 is not implemented?

Without proper equipment siting controls, organizations face environmental damage to hardware (flooding, overheating, fire), unauthorized physical access to sensitive systems, and data exposure through unprotected screens or accessible cabling. These failures result in unplanned downtime, potential data breaches, and audit non-conformities that can block or delay ISO 27001 certification. In multi-tenant or shared facilities, the risk compounds when equipment lacks physical separation from third-party infrastructure.

How do you audit 7.8?

Auditors assess this control through a combination of facility walkthroughs and document review. They physically inspect server rooms, comms closets, and workstation areas to verify that equipment is appropriately sited, environmental controls are functioning, and sensitive screens aren’t visible from public areas. They also review your Physical Security Policy, site-specific risk assessments, environmental monitoring logs, physical access records, and maintenance documentation for fire suppression, HVAC, and UPS systems.

How UpGuard Helps

Verify Your Vendors’ Physical Security Controls

Assessing whether your vendors properly site and protect the equipment handling your data requires continuous visibility into their security posture. UpGuard User Risk helps you monitor vendor security practices, track compliance evidence like SOC 2 reports and ISO 27001 certificates, and identify gaps in physical and environmental controls before they become your problem.
