Control Definition
Equipment must be positioned securely and protected. Siting decisions have to reduce exposure to environmental hazards — water, heat, dust, vibration, electromagnetic interference — and limit both unauthorized physical access to the equipment and the opportunity for bystanders to observe sensitive information it displays or processes.
Control Objective
To reduce the risks that environmental hazards, unauthorized access, and opportunistic observation pose to equipment and the information it handles.
What This Really Means
Placement is a control. Where a piece of equipment sits determines half of its risk before any configuration is applied: the monitor at reception readable from the visitor queue, the comms cabinet mounted under a water pipe, the network switch in an unlocked storage room shared with cleaning supplies. None of these require an attacker — just bad placement waiting for an ordinary day.
The control asks for deliberate siting decisions across three dimensions. Visual exposure: screens angled away from public sightlines and windows, privacy filters where repositioning is impossible, printers and peripherals out of visitor reach. Environmental exposure: servers and network gear kept away from water sources, heat, dust, and vibration, with temperature and humidity in equipment rooms monitored by sensors whose alerts reach a named owner. Physical access at the equipment level: locked racks and comms cabinets even inside controlled buildings, controlled keys, and sensible rules like no food and drink around processing equipment.
A.7.8 is the equipment-level layer of the physical stack. A.7.1 and A.7.3 secure the building and the room; this control secures the box within the room. A.7.5 assesses site-level threats like flood and fire; this control translates those findings into where each device actually stands. In a small office the entire control might be a lockable rack, one networked sensor, and a privacy filter on the receptionist's monitor — proportionate is the standard's favorite word.
What auditors treat as the heart of it is the walkthrough. They look up: pipes or AC units above the rack? They look from the visitor's chair: what can be read from here? They try the comms cabinet door. And they ask the question that catches most organizations: when a sensor last alerted, who received it and what did they do? Monitoring that feeds an unread inbox is the most common way this control exists without operating.
Why It Matters
Equipment damage and equipment snooping are both quiet risks — they rarely announce themselves, and by the time they surface the damage is done. Water and heat degrade hardware over months before a sudden failure; a screen read over someone's shoulder or a tampered port leaves no log at all. Siting is the cheapest moment to eliminate whole categories of incident permanently.
When siting and protection are left to chance, organizations face:
- Water and heat killing quietly – Condensate drips and failing ventilation destroy equipment gradually, then catastrophically, and the outage arrives without warning
- Shoulder surfing with no forensics – Information read off an exposed screen is a disclosure that generates no alert, no log, and no recovery path
- Tampering at the edge – Unlocked comms cabinets in corridors are an open invitation for rogue devices, cable taps, or simple sabotage
- Cumulative environmental stress – Heat and dust shorten hardware life and produce intermittent faults that teams burn weeks blaming on software
- Unwitnessed loss – Equipment sited in uncontrolled spaces disappears or is interfered with, and the investigation has nothing to work from
The pattern auditors and incident reviews keep finding is concentration on the server room and blindness everywhere else. The room with the biggest air conditioner is usually fine; the floor-distribution cabinet in the stairwell is usually the finding.
Regional Compliance Context
Climate makes this control concrete in South Asia and the Gulf. In India, high ambient heat, heavy dust load, and monsoon humidity mean ventilation clearances, filter maintenance, and keeping racks away from external walls and damp zones are material decisions, not checkbox items — and frequent power fluctuation argues for siting critical equipment on UPS-protected circuits, which ties directly into A.7.11. In the Gulf, sustained extreme heat and fine sandstorm dust push the same way: position equipment away from dust ingress paths and direct sun-load walls, and treat cooling-dependent rooms as single points of failure in summer months.
Implementation Guidance
Map Equipment to Locations
Extend the asset register or CMDB with a location field and walk the site to verify it reflects reality. Flag anything sited in public, shared, or uncontrolled spaces — corridor cabinets, reception equipment, gear in third-party premises. This map is the working paper for every other step and a document auditors respond well to.
Define Siting Standards
Write a short standard that codifies the rules: racks and comms cabinets locked, no equipment beneath water pipes or AC drip lines, ventilation clearances maintained, no screens facing public areas, food and drink kept away from processing equipment. Include an approved-locations rule for new installations so the standard applies at deployment time, not retroactively.
Address Visual Exposure
Audit sightlines from every position a visitor can occupy — reception seating, corridors, ground-floor windows. Reposition screens where possible, fit privacy filters where it is not, and pair placement with the auto-lock discipline from A.7.7. Front-desk and service-counter screens deserve specific attention: minimize the data displayed and angle them hard away from the queue.
Harden Equipment Rooms and Cabinets
Lock racks and comms cabinets, control the keys through an issuance log, and break the habit of cabinets doubling as storage cupboards. Floor-distribution and corridor cabinets matter as much as the main equipment room — they carry the same network with a fraction of the protection. Use tamper-evident seals where the sensitivity warrants, and label for operations without advertising criticality to passers-by.
Control the Environment
Install temperature and humidity sensors in server and comms rooms with documented alert thresholds and a named responder — and test the alert path, because sensors wired to a dead mailbox are the classic silent failure. Keep air conditioning on a maintenance schedule, manage dust with filtration and cleaning regimes, and re-check conditions seasonally rather than assuming year-round stability.
Separate Hazards from Equipment
Map water sources, kitchens, and combustible storage against equipment locations and create distance where the map shows conflicts. Keep storage of paper, packaging, and cleaning chemicals out of equipment rooms entirely. Consider vibration — generators, compressors, nearby construction — when placing sensitive hardware, and revisit the hazard map whenever building services change.
Re-Check After Every Move or Fit-Out
Office re-stacks silently break good siting: sightlines change, desks migrate under pipes, cabinets inherit new neighbors. Add a siting review to the change and move checklist with a named sign-off before the new layout goes live, and put the equipment walkthrough on the internal audit route so drift is caught within a cycle.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.7.8:
Documentation
- Equipment siting standard, standalone or as a section of the physical security policy
- Asset register or CMDB extract showing equipment locations, verified against the floor
- Environmental monitoring logs with alert records and the responses they triggered
- Air conditioning and environmental system maintenance records for equipment rooms
- Rack and cabinet key control log showing who holds access to equipment enclosures
Interviews
- IT or infrastructure owner about how siting decisions are made and what happens when a sensor alerts
- Facilities staff about hazard awareness, cabinet key custody, and maintenance schedules
- Front-desk or reception staff about screen exposure rules and what visitors can see from where they sit
Observations
- Walkthrough of sightlines — what is readable from visitor seating, corridors, and windows
- Racks and comms cabinets tested for locks, with a look above and around for pipes, heat, and stored clutter
- Sensors present in equipment rooms, with a live demonstration of where their alerts are delivered
Practitioner Insights

The forgotten-cabinet pattern is near universal. Organizations polish the main server room — suppression, sensors, badge access — and forget the floor-distribution cabinets: unlocked, sitting in stairwells, sharing space with mops and cartons, carrying the same network as the room everyone protects. An experienced auditor finds these in the first walkthrough because we deliberately follow the cabling, not the tour route. Inventory every enclosure that holds powered equipment, not just the room with the biggest air conditioner, and apply the lock-and-key discipline uniformly.

For smaller organizations this is genuinely one of the cheapest controls in Annex A: a lockable wall-mount rack, an inexpensive networked temperature sensor that emails alerts, and a privacy filter on the receptionist's monitor cover most of it. The evidence mistake I keep finding is the sensor that works perfectly while its alerts go to an ex-employee's inbox — the hardware passed the walkthrough, the control failed anyway. Put a quarterly check of the alert path on the calendar; it takes five minutes and it is the difference between monitoring and decoration.
Common Challenges & Solutions
Challenge
In a serviced or shared office, the organization has no say over building infrastructure or where facilities are placed.
Solution
Control the layer you own: a lockable cabinet for your equipment, screen placement within your suite, and privacy filters where sightlines cross shared space. Put provider obligations — secured comms rooms, environmental maintenance — into the service contract, and lean harder on compensating controls like full-disk encryption and endpoint hardening for whatever sits beyond your reach.
Challenge
Comms cabinets have quietly become storage cupboards full of boxes, decorations, and cleaning supplies.
Solution
Clear them in one pass, lock them, and log the keys to named holders. Solve the storage demand separately so the vacuum does not refill — the clutter came from somewhere. Then add a cabinet check to an existing patrol or the periodic facilities walkthrough so the state is verified a few times a year rather than rediscovered at audit.
Challenge
Small equipment rooms have no environmental monitoring because a building management system feels like overkill.
Solution
Skip the BMS — low-cost networked sensors for temperature, humidity, and leaks deliver email or chat alerts for very little money. Document the thresholds, name the responder, and test the alert path quarterly. Even where monitoring is automated, a brief monthly review note gives the auditor evidence that a human is in the loop.
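The "Control the Environment" guidance above and this solution both come down to the same two checks: are the readings inside the documented thresholds, and would a breach actually reach a named, current responder whose alert path has been tested within the quarter? The following script is an added example, not part of the original page and not any vendor's product code; the threshold values, room names, responder addresses and the 90-day test interval are all constructed assumptions for illustration. It evaluates constructed sensor readings and then reports a room's monitoring as "not operating" when the alert path is broken, which is how the ex-employee's-inbox failure described above shows up in evidence.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Example thresholds as a siting standard might document them (constructed values,
# not taken from any standard or vendor). Each metric maps to (low, high).
THRESHOLDS = {
    "temperature_c": (18.0, 27.0),
    "humidity_pct": (30.0, 60.0),
}
# The guidance says to test the alert path quarterly; treat anything older as stale.
ALERT_PATH_TEST_INTERVAL = timedelta(days=90)


@dataclass(frozen=True)
class MonitoredRoom:
    """One equipment room or comms cabinet with a named responder for its alerts."""
    name: str
    responder: str              # mailbox or chat handle that receives sensor alerts
    last_alert_path_test: date  # last date the responder confirmed receiving a test alert


def evaluate_readings(readings, thresholds=THRESHOLDS):
    """Compare one set of sensor readings against the documented ranges.

    Returns a list of (metric, value, reason) for every breached threshold;
    an empty list means the room is within its documented envelope.
    """
    breaches = []
    for metric, value in readings.items():
        low, high = thresholds[metric]
        if value < low:
            breaches.append((metric, value, f"below {low}"))
        elif value > high:
            breaches.append((metric, value, f"above {high}"))
    return breaches


def check_alert_path(room, active_accounts, today):
    """Find the ways an alert could be raised and still reach nobody.

    active_accounts is the set of mailboxes/handles that still belong to a
    current member of staff (a hypothetical export from the directory).
    """
    problems = []
    if room.responder not in active_accounts:
        problems.append(f"responder {room.responder} is not an active account")
    if today - room.last_alert_path_test > ALERT_PATH_TEST_INTERVAL:
        problems.append("alert path not tested in the last 90 days")
    return problems


def assess_room(room, readings, active_accounts, today):
    """Combine both checks into an audit-style verdict for one room."""
    breaches = evaluate_readings(readings)
    path_problems = check_alert_path(room, active_accounts, today)
    return {
        "room": room.name,
        "breaches": breaches,
        "alert_path_problems": path_problems,
        # Monitoring only operates when a breach would reach a named, current person.
        "operating": not path_problems,
    }


# Constructed sample data: two rooms, one healthy and one showing the
# "sensor works, alerts go to an ex-employee" failure the text describes.
TODAY = date(2024, 6, 1)
ACTIVE_ACCOUNTS = {"ops-oncall@example.invalid"}
SAMPLE_ROOMS = {
    "server-room": MonitoredRoom("server-room", "ops-oncall@example.invalid", date(2024, 5, 1)),
    "stairwell-cabinet": MonitoredRoom("stairwell-cabinet", "former.admin@example.invalid", date(2023, 9, 1)),
}
SAMPLE_READINGS = {
    "server-room": {"temperature_c": 22.5, "humidity_pct": 45.0},
    "stairwell-cabinet": {"temperature_c": 31.0, "humidity_pct": 70.0},
}


def run_sample():
    """Assess every sample room; returns a dict keyed by room name."""
    return {
        name: assess_room(room, SAMPLE_READINGS[name], ACTIVE_ACCOUNTS, TODAY)
        for name, room in SAMPLE_ROOMS.items()
    }


if __name__ == "__main__":
    for verdict in run_sample().values():
        print(verdict)
```

The stairwell cabinet is the interesting case: its readings breach both thresholds, yet the verdict that matters for the audit is `operating: False`, because the responder account no longer exists and the path was last tested nine months ago. Feeding this script from a real sensor export and a directory extract, and keeping its output with the monthly review note, is one cheap way to produce the "who received the alert and what did they do" evidence the walkthrough asks for.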
Challenge
Reception and service-desk screens cannot be moved and inherently face the public.
Solution
Layer mitigations where relocation is impossible: privacy filters, a shortened auto-lock for those specific machines, applications configured to mask or minimize displayed data, and monitor arms that allow a harder angle away from the queue. Keep visitor seating positioned so the natural sightline misses the screen — furniture placement is a free control.
Challenge
Office moves and re-stacks keep breaking siting decisions that were correct when first made.
Solution
Make siting review a mandatory line in the move and change checklist, with a named owner signing off before the new layout goes live. Re-walk sightlines and hazard adjacency after every re-stack, and let internal audit walk the equipment route annually so anything missed is caught within a cycle rather than at certification.