Equipment Siting and Protection - ISO 27001 Annex A Control

ISO 27001 Annex A 7.8

Where equipment sits affects how easy it is to attack or damage.

ISO 27001 Annex A 7.8 - Equipment Siting and Protection

Equipment placement matters more than people often think. A server placed in a public corridor is exposed to anyone who walks past. Workstations facing windows on a busy street give shoulder-surfing opportunities. Critical equipment near plumbing or below known leak points faces avoidable water damage. The control asks the organisation to think about siting deliberately rather than putting equipment wherever it happens to be convenient.

Beyond placement, equipment needs ongoing protection: cabinets and racks for server-room equipment, locks for laptops in shared spaces, cables routed and secured to prevent tampering, and environmental controls (temperature, humidity, dust) matched to the equipment's requirements. Each is a small thing, but the cumulative effect makes a real difference to equipment lifespan and security.

The principle extends to operator areas. Workstations should be positioned so screens are not visible to people who should not see them. Reception screens that show internal information should be turned away from visitors. Printers handling sensitive output should be in controlled areas, not in shared corridors. The placement of the workstation is part of how the workstation is secured.

The siting question often gets answered by accident rather than design. Equipment ends up where the cabling is, or where someone happened to find space, rather than where security and operational needs would put it. Reviewing equipment placement during the annual physical security review usually surfaces a few items that have drifted into the wrong places over time.

Practical Compliance Guidance

Equipment siting is described in the IMS1 Manual in section 8.3 on IT equipment and section 8.5 alongside the Physical Security Policy. The asset register records equipment locations.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Servers should typically sit in a dedicated room with controlled access, environmental conditioning (cooling, humidity management), fire protection, a raised floor or other appropriate cable management, and physical separation from water risks such as sprinkler heads and overhead plumbing. Where a dedicated server room is not feasible, lockable racks in a controlled office area provide a reasonable alternative for smaller deployments.

Workstations should be positioned so screens are not casually visible to unauthorised viewers. This means avoiding placements where screens face windows that look onto public areas, where they face the entrance to the workspace, or where they face areas accessible to visitors. Privacy filters on screens help where positioning options are limited.

For most office equipment, normal office conditions are sufficient. Server rooms typically need cooling sized to the equipment load, humidity in the range advised by the equipment manufacturers (often around 40-60 percent relative humidity), and dust control. The exact conditions should follow the equipment specifications and any colocation provider requirements.
