Control Definition
The organization must protect cables carrying power, data, or other services that support information processing against interception, interference, and physical damage — from the point external lines enter the building through to the closets and panels where they terminate.
Control Objective
To prevent the compromise of information and the disruption of operations caused by interception of, interference with, or damage to power and telecommunications cabling.
What This Really Means
Most physical security effort goes into rooms — the server room, the office perimeter, the data center cage. A.7.12 is about the paths between the rooms. Cabling is the circulatory system of your infrastructure: every byte and every watt travels a physical route, and that route is only as secure as its most exposed meter. An organization with hardened endpoints and an unlocked wiring closet is wide open at the layer underneath all of its logical controls.
In practice the control asks for a handful of disciplines. Route cables through protected pathways — conduit, trunking, under-floor or overhead trays, locked risers — and keep runs out of public and uncontrolled areas, including the point where carrier circuits enter the building. Separate power cabling from data cabling so electromagnetic interference does not corrupt or degrade transmission. Label cables at both ends so changes and fault diagnosis are not guesswork. And control access to termination points — patch panels, wiring closets, floor distribution frames — with the same seriousness you apply to the server room, because a patch panel is the network.
The classic exposure window is construction. Nobody re-runs cable on a quiet Tuesday; cabling changes cluster around office moves, fit-outs, renovations, and expansions. Contractors pull cable without security oversight, old drops stay live behind reception furniture, and the documentation never catches up with the building. Treat any construction project as a cabling-security event with its own requirements and a decommissioning checklist. In higher-security contexts — payment floors, defense work, sensitive R&D — the control extends further: armored conduit, sealed or alarmed enclosures, fiber for segments where interception matters, and periodic inspection for unauthorized devices and taps.
What auditors treat as the heart of A.7.12 is proportionality plus control of termination points. They do not expect armored conduit in a five-person office. They expect documented cable runs, locked and tidy wiring closets, labeled panels, cabling changes that go through change management, and — in shared buildings — a clear, written answer to where your physical responsibility ends and what compensates beyond it.
Why It Matters
Availability is the everyday risk, and cabling failures rarely announce themselves as such. A run crushed under a pallet, a cable cut during unrelated building work, interference from a power circuit routed alongside data — these surface as intermittent network gremlins that burn weeks of diagnostic effort before anyone inspects the physical layer. An exposed cable run is frequently the cheapest single point of failure in the building: one accident takes a floor or an entire site offline with no redundancy beneath it.
The confidentiality risk is quieter but more serious. A tap on an exposed run or a rogue device patched into an unlocked closet gives an intruder network access that bypasses every firewall, EDR agent, and access control you operate — physical access to traffic at a point nobody monitors. And even absent an attacker, an undocumented, unlabeled cable plant slows every incident response and turns routine changes into outages.
Failure here typically shows up as:
- Site-wide outages – one cut, crushed, or unplugged exposed run takes a floor or facility offline, with no redundancy at the physical layer
- Physical taps and rogue devices – exposed cabling and unlocked patch panels hand an intruder network access that no logical control sees
- Interference faults – power and data cables routed together produce intermittent errors that are notoriously slow and expensive to diagnose
- Blind changes – unlabeled cables turn every patching job into a gamble, and the wrong lead pulled during maintenance becomes an unplanned outage
- Renovation leftovers – fit-outs and office moves leave live, undocumented network drops in areas you no longer control
Implementation Guidance
Document the Cable Plant You Already Have
Build or commission as-built documentation: diagrams showing runs, drops, risers, patch panels, and the points where carrier circuits enter the building. Tone-and-trace the legacy runs nobody can explain, disconnect what is dead, and record what is live. Keep the documentation current through change control — an accurate map is the precondition for every other step in this control.
Route Cables Through Protected Pathways
New runs go through conduit, trunking, or under-floor and overhead trays — not stapled along skirting boards or draped through ceiling voids above public corridors. Keep runs inside controlled space wherever possible; where they must cross uncontrolled areas or run between buildings, use armored conduit or buried ducting. Protect the building entry points where external carrier lines terminate.
Separate Power from Data
Run power and telecommunications cabling in separate trays or compartments with adequate spacing, crossing at right angles where they must meet, to prevent electromagnetic interference. Follow recognized structured-cabling standards (ISO/IEC 11801, TIA-568) and local electrical codes for separation distances. Use shielded cable near lift motors, generators, and other interference sources.
Lock Down Termination Points
Wiring closets, risers, floor distribution frames, and patch cabinets get server-room discipline: locked doors or cabinets, a named access list, and entry that is logged or supervised. Clear out the storage-cupboard clutter — anything that brings non-IT staff into the closet erodes the control. Tie closet access into your A.7.2 physical entry arrangements.
Label Both Ends and Control Patching
Adopt a labeling scheme and apply it to both ends of every cable and the corresponding panel ports; colored patch leads by function (user LAN, voice, management, uplinks) cut error rates further. Route all patching and cabling changes through change management, with documentation updated as part of ticket closure. Reconcile patch records against the physical panels on a periodic cycle — quarterly is a common cadence.
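One way to run the periodic reconciliation described above, as an added example that is not part of the original guidance: it compares documented cross-connect records against a walk-through survey of the panel and flags each discrepancy. The CSV columns, port and cable names, finding codes, and the color scheme are assumptions, and the sample data is constructed.

```python
import csv, io

# Constructed sample: documented cross-connect records (hypothetical schema).
PATCH_RECORDS = """panel_port,switch_port,cable_label,function
PP1-01,SW1/1,C-0101,user
PP1-02,SW1/2,C-0102,voice
PP1-03,SW1/3,C-0103,management
PP1-04,,,decommissioned
"""
# Constructed sample: what the quarterly walk-through found on the panel.
PANEL_SURVEY = """panel_port,switch_port,cable_label,lead_color
PP1-01,SW1/1,C-0101,blue
PP1-02,SW1/2,C-0199,yellow
PP1-03,SW1/3,C-0103,blue
PP1-04,SW1/9,,grey
PP1-07,SW1/7,,grey
"""
# Assumed lead-color scheme by function; substitute your own.
COLOR_BY_FUNCTION = {"user": "blue", "voice": "yellow",
                     "management": "red", "uplink": "green"}

def load(text):
    """Index CSV rows by panel port."""
    return {r["panel_port"]: r for r in csv.DictReader(io.StringIO(text))}

def reconcile(records_csv, survey_csv, colors=COLOR_BY_FUNCTION):
    """Return (panel_port, finding) pairs where the panel and the records disagree."""
    records, survey = load(records_csv), load(survey_csv)
    findings = []
    for port in sorted(set(records) | set(survey)):
        rec, obs = records.get(port), survey.get(port)
        if rec is None:  # patched but never recorded: unknown device or leftover drop
            findings.append((port, "UNDOCUMENTED_PATCH"))
        elif rec["function"] == "decommissioned":
            if obs is not None:  # a decommissioned drop must stay unpatched
                findings.append((port, "DECOMMISSIONED_PORT_PATCHED"))
        elif obs is None:  # recorded cross-connect is no longer on the panel
            findings.append((port, "DOCUMENTED_PATCH_MISSING"))
        else:
            if obs["switch_port"] != rec["switch_port"]:
                findings.append((port, "SWITCH_PORT_MISMATCH"))
            if obs["cable_label"] != rec["cable_label"]:
                findings.append((port, "LABEL_MISMATCH"))
            if obs["lead_color"] != colors.get(rec["function"]):
                findings.append((port, "LEAD_COLOR_MISMATCH"))
    return findings

if __name__ == "__main__":
    for port, issue in reconcile(PATCH_RECORDS, PANEL_SURVEY):
        print(f"{port}: {issue}")
```

Each finding should close through a change ticket, either by correcting the panel or by updating the record, so the output doubles as reconciliation evidence.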
Treat Moves and Fit-Outs as Cabling Security Projects
Office moves, renovations, and expansions are when cabling exposure gets created. Write cabling-security requirements into fit-out contracts, supervise contractor work in controlled areas, and close every project with a decommissioning checklist: redundant drops disconnected, ports unpatched, drawings updated, closet access returned to normal. Do not let the as-built documentation lag the building.
Inspect Periodically — and Sweep Where Risk Justifies It
Add cabling to physical security inspections: closets locked and tidy, trunking intact, no unknown devices on panels, labels matching records. In higher-security contexts, add tamper-evident seals, alarmed enclosures, fiber for sensitive segments, and periodic technical inspection for unauthorized taps. Record every inspection — the trail is your audit evidence.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.7.12:
Documentation
- As-built cabling documentation and network diagrams covering runs, risers, patch panels, and carrier entry points
- Access list and entry records for wiring closets and distribution frames
- Patch and cross-connect records, with reconciliation results against the physical panels
- Change tickets covering recent cabling work, including office-move or fit-out projects
- Completed inspection records covering cable routes and termination points
Interviews
- IT infrastructure or network manager on how cable routes are protected and who may enter wiring closets
- Network engineer on the patching process — how a change is requested, executed, labeled, and documented
- Facilities or project manager for a recent fit-out on contractor supervision and decommissioning of old drops
Observations
- Walk-through of wiring closets — locked, clean, labeled panels, no unauthorized devices or non-IT storage
- Condition of visible cable runs in work areas and corridors — trunking intact, no exposed or improvised runs
- A sample of cables and ports traced against labels and patch documentation to confirm records match reality
Practitioner Insights

The wiring closet is the most reliably forgotten room I see in smaller organizations. The server room gets a lock, a log, and an air conditioner; the comms cupboard on each floor gets mops, archive boxes, and a door that has not been locked since the fit-out. An auditor who opens that door has found physical access to your network that bypasses everything else you built. The fix costs almost nothing: a lock, a short access list, labeled panels, and a photo of each panel every quarter so you can spot anything that changed.

What I probe on A.7.12 is whether cabling ever appeared in the risk assessment at all, because most organizations inherited their cable plant and have never consciously accepted or treated its risks. The pattern that concerns me most is shared buildings: the risers and the basement distribution frame belong to the landlord, your LAN traffic crosses them, and nobody can tell me who else holds a key. Define where your physical responsibility ends, put contractual obligations on the building operator for the rest, and encrypt traffic that crosses segments you cannot physically control — then write that reasoning down, because the auditor will ask for it.
Common Challenges & Solutions
Challenge
The office sits in a multi-tenant building where risers, ceiling voids, and the basement distribution frame are controlled by the landlord, not by you.
Solution
Document the boundary of your physical control and treat everything beyond it as untrusted. Put security obligations on the building operator through the lease or service agreement where you can, and compensate at the logical layer regardless — encrypt traffic crossing shared segments and treat inter-floor links like WAN links. Record the reasoning in your risk assessment so the residual risk is visibly accepted rather than overlooked.
Challenge
Years of undocumented growth mean nobody knows which cables are live, where they run, or what breaks if one is unplugged.
Solution
Run a one-time cable audit: tone-and-trace unknown runs, disconnect and blank dead drops, label as you go, and produce as-built documentation. From that point forward, allow changes only through tickets that include a documentation update. The audit is tedious but bounded; living without it makes every future incident and change slower.
Challenge
Renovations and office moves leave live network drops in areas that are no longer yours, and contractors pull cable with no security oversight.
Solution
Add a cabling-security clause to every fit-out and move contract: protected routing, supervised access to closets, and a formal handover that includes updated drawings. Close each project with a decommissioning checklist — old drops dead, ports unpatched, documentation current. Make the project manager, not IT, the owner of that checklist so it cannot be skipped in the rush to occupy.
Challenge
Patch panels degrade into spaghetti — ad-hoc patching with random leads, no records, and ports nobody dares touch.
Solution
Declare a baseline: tidy the panels once, photograph them, and record the cross-connects. Then enforce ticket-only patching, adopt a lead-color scheme, and reconcile records against the physical panels quarterly — comparing current state to last quarter's photographs takes minutes. Spaghetti is a process failure, not a wiring failure; the reconciliation cadence is what stops it regrowing.
Challenge
Intermittent network faults keep getting blamed on switches and drivers when the real cause is interference from power cabling or poor-quality runs.
Solution
Enforce separation of power and data in trays and risers, cross at right angles where unavoidable, and use shielded cable near motors, generators, and lift equipment. Have new links tested and certified by the installer against the cabling standard you specify, and keep the certification reports. When intermittent faults persist on a segment, re-test the physical link before burning more engineering weeks at the logical layer.