Checklist of ISO/IEC 27001-A.11.2.1 Equipment siting and protection


Information and communication technology (ICT) equipment is the backbone of most businesses, making it imperative to secure and protect it against various physical and environmental threats. 

Organizations must evaluate the risks associated with these threats and implement controls that minimize the risks to ICT equipment. 

ISO/IEC 27001 Annex A control A.11.2.1 (Equipment siting and protection, as numbered in the 2013 edition; the 2022 revision moves it to A.7.8) requires that equipment be sited and protected to reduce the risks from physical and environmental threats and from unauthorized access. It is a control within the standard, not a standard in its own right, and the implementation guidance for it is found in the corresponding clause of ISO/IEC 27002.

Sample Checklist:

  • Water/Flooding: Check that facilities are sited to minimize flood potential (for example, not in basements or below known flood levels). Also verify that additional or secondary protection is installed and maintained, such as waterproof membranes, drip trays under air conditioning units, and under-floor water detection with remote alarms.
  • Fire and Smoke: Verify that non-flammable materials are used for facilities and fittings, and that fire detection and alarm systems are installed and tested, low-smoke cabling is used, and suitable suppression is in place.
  • Temperature, Humidity, and Power: Confirm that temperature and humidity are monitored and kept within the limits specified by the equipment manufacturers, and that the power supply is stable and protected against outages and fluctuations.
  • Dust: Verify that equipment and air conditioner filters are cleaned regularly and replaced when necessary.
  • Lightning, Static Electricity, and Safety: Ensure that all exposed metalwork is earth bonded to a common safety earth point in line with electrical regulations. Confirm the use of lightning conductors, cable isolators, fuses, and other protective measures.
  • Other: Verify that the organization has measures in place to address other threats such as theft, explosives, vibration, chemical contamination, electrical supply interference, communications interference, electromagnetic radiation, and vandalism or criminal damage.


Organizations must take proactive measures to protect ICT equipment against physical and environmental threats. 


Control A.11.2.1 of ISO/IEC 27001 (and its guidance in ISO/IEC 27002) gives organizations a framework for evaluating the risks associated with these threats and implementing controls to minimize them; the checklist above should be adapted to the organization's own risk assessment rather than applied verbatim.

By implementing these controls, organizations can ensure the continuity of their operations and prevent damage to their ICT equipment.
