iso27diy-corp/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/a-7.13-Equipment-maintenance.md


7.13 Equipment maintenance

| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|------------------|-----------------------------------------|---------------------------|----------------------------------------|---------------------------|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Asset_management | #Protection #Resilience |

Control

Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information.

Purpose

To prevent loss, damage, theft or compromise of information and other associated assets, and interruption to the organization's operations, caused by lack of maintenance.

Guidance

The following guidelines for equipment maintenance should be considered:

a) maintaining equipment in accordance with the supplier's recommended service frequency and specifications;

b) implementing and monitoring of a maintenance programme by the organization;

c) only authorized maintenance personnel carrying out repairs and maintenance on equipment;

d) keeping records of all suspected or actual faults, and of all preventive and corrective maintenance;

e) implementing appropriate controls when equipment is scheduled for maintenance, taking into account whether this maintenance is performed by personnel on site or external to the organization; subjecting the maintenance personnel to a suitable confidentiality agreement;

f) supervising maintenance personnel when carrying out maintenance on site;

g) authorizing and controlling access for remote maintenance;

h) applying security measures for assets off-premises (see 7.9) if equipment containing information is taken off premises for maintenance;

i) complying with all maintenance requirements imposed by insurance;

j) before putting equipment back into operation after maintenance, inspecting it to ensure that the equipment has not been tampered with and is functioning properly;

k) applying measures for secure disposal or re-use of equipment (see 7.14) if it is determined that equipment is to be disposed of.

Other information

Equipment includes technical components of information processing facilities, uninterruptible power supply (UPS) and batteries, power generators, power alternators and converters, physical intrusion detection systems and alarms, smoke detectors, fire extinguishers, air conditioning and lifts.