Annex A 7.8: Equipment Siting Protection

The Annex A 7.8 Equipment Siting Protection requirement means you must place and protect information-processing equipment so that physical location, positioning, and environmental conditions reduce risks such as unauthorized viewing, tampering, theft, damage, and outage. Operationalize it by setting siting standards, reviewing placements during changes, and retaining repeatable evidence that the standard is followed.

Key takeaways:

  • Define “approved locations” and “prohibited placements” for equipment that processes or stores sensitive data.
  • Tie siting checks to real change points: office moves, rack installs, network closet builds, and end-user workstation deployments.
  • Keep audit-ready evidence: floor/rack plans, photos, work orders, and exceptions with risk acceptance.

Equipment siting sounds basic until you try to prove it works across offices, data centers, labs, and remote work. Auditors usually fail teams on Annex A 7.8 for one of two reasons: (1) the organization has no clear siting standard beyond a generic physical security policy, or (2) the standard exists but is not wired into how Facilities, IT, and Security execute moves, adds, and changes.

ISO/IEC 27001:2022 treats Annex A controls as a set of implementation expectations that you select and operate based on your risk assessment. For Annex A 7.8, the operational test is straightforward: can you show that you intentionally choose where equipment goes, and that you protect it from predictable physical and environmental threats, including shoulder-surfing, walk-up access, water exposure, heat, dust, and accidental damage? [1]

This page translates the Annex A 7.8 Equipment Siting Protection requirement into a runbook that a Compliance Officer, CCO, or GRC lead can hand to Physical Security, IT Operations, and Facilities with minimal back-and-forth.

Regulatory text

Control reference: ISO/IEC 27001:2022 Annex A 7.8 (Equipment Siting Protection). [1]

Provided excerpt (summary-level): “ISO/IEC 27001:2022 Annex A control 7.8 implementation expectation (Equipment Siting Protection).” [1]

What the operator must do (practical reading):

  • Establish siting requirements for equipment that processes, transmits, or stores information (including end-user devices in controlled spaces).
  • Choose locations and physical orientations that reduce unauthorized access and inadvertent disclosure (for example, screens not facing public areas).
  • Protect equipment from foreseeable environmental hazards (water, heat, dust, vibration) and accidental damage (traffic patterns, unsecured shelves).
  • Make siting decisions repeatable through standards, change controls, and exceptions with documented risk acceptance.

Plain-English interpretation

Put equipment where it is hard to access, hard to see, and hard to damage. Document what “good placement” looks like for your environment, enforce it during installs and moves, and keep proof you checked.

Who it applies to

Entity scope

  • Service organizations implementing an ISO/IEC 27001 ISMS, including SaaS providers, managed service providers, and any organization seeking certification. [2]

Operational context (where this control shows up)

  • Corporate offices: reception areas, open-plan seating, conference rooms, print stations, IT closets.
  • Data centers and comms rooms: racks, patch panels, KVMs, consoles, staging benches.
  • Hybrid/remote: equipment in co-working spaces, home offices (where you can set minimum requirements and constraints).
  • OT/labs/warehouses: workstations near machinery, loading docks, or high-dust/high-vibration zones.

What you actually need to do (step-by-step)

1) Define the “equipment in scope” for siting protection

Make this explicit so audits do not turn into debates.

  • Include: servers, network gear, storage arrays, backup appliances, HSMs, badge systems that store logs, end-user endpoints in controlled facilities, printers that store jobs, and any device that displays sensitive data.
  • Exclude (with rationale): personal devices not used for company data, or equipment fully managed by a colocation provider where your control is contractual and oversight-based.

Output: Equipment Siting Standard scope statement; in-scope asset categories mapped to owners (IT Ops, Facilities, Physical Security).

2) Publish an Equipment Siting Standard (one page beats ten)

Your standard should read like install criteria, not like a policy. Include:

  • Approved locations: locked comms rooms, restricted-access areas, caged racks, supervised front desks (if justified).
  • Prohibited placements: unattended public areas, near sinks, under HVAC drip lines, next to exterior windows without controls, high-traffic walkways.
  • Orientation rules: screen privacy expectations; placement of consoles so walk-up viewing is minimized.
  • Environmental minimums: ventilation clearance, humidity/temperature constraints if you have them internally, cable management expectations to reduce trip/pull risks.
  • Tamper resistance: rack locks, locked cabinets, secure mounting for small form-factor devices.
  • Temporary staging rules: how long equipment can sit in staging, and what protection is required while staged.

Tip: If you have multiple site types (HQ vs. small office vs. warehouse), define profiles with stricter rules where needed. Keep exceptions possible but controlled.

3) Wire siting checks into your change processes (where controls live or die)

Attach siting protection to workflows people already use:

  • Facilities work orders: moves, remodels, office expansions.
  • IT service requests: new rack installs, network closet builds, AP placement, printer installations.
  • Security reviews: physical access changes, badge reader installs, camera coverage changes.

Minimum checkpoints:

  • Pre-install review: proposed location meets the standard.
  • Post-install validation: confirm placement matches design (photos or walkthrough sign-off).
  • Exception path: document why the standard can’t be met and what compensating controls apply.

4) Handle remote and semi-public spaces with “minimum viable” requirements

You cannot control every remote environment, but you can set enforceable expectations.

  • Require privacy measures where sensitive data is visible (privacy screens, positioning guidance).
  • Prohibit company equipment from being left unattended in public spaces when logged in.
  • Define what “secure storage” means for portable equipment when not in use.

Keep this practical: you want adoption, not a document nobody can follow.

5) Maintain an exceptions register with risk acceptance

Some equipment ends up in imperfect places. That is normal. What auditors want is controlled deviation. Your exception record should include:

  • Asset(s) impacted and location
  • Reason for exception (business constraint)
  • Risk assessment summary and compensating controls (for example, locked cabinet, camera coverage, access logs)
  • Approver (asset owner + security/ISMS authority)
  • Review trigger (relocation, renovation, periodic review cadence you choose)

6) Run control health checks (prove it still works)

Set a recurring inspection approach appropriate to your footprint:

  • Spot-check a sample of sites and equipment types.
  • Verify prohibited placements are not present and that locks/cabinets are intact.
  • Confirm environmental red flags are addressed (water exposure, blocked vents, ad-hoc power strips where prohibited by your internal standards).

Track findings to closure with owners and due dates. This is how you show “operating effectiveness,” not just design.

Required evidence and artifacts to retain

Keep evidence lightweight but consistent. Auditors want traceability from standard → execution → exceptions → remediation.

Minimum evidence bundle (recommended):

  • Equipment Siting Standard (approved, versioned, owned)
  • Role/ownership record (who approves sites, who performs checks)
  • Change records that show siting review occurred (tickets/work orders)
  • Post-install validation evidence (photos, walkthrough checklist, sign-off email captured into your system of record)
  • Site/rack/floor plans (as-built diagrams where available)
  • Exceptions register with risk acceptance and compensating controls
  • Control health check results, findings log, and closure evidence

Retention tip: Store all artifacts in a single control evidence folder with a simple index. Daydream customers often implement a “control card” plus an evidence checklist so nothing gets lost during turnover.

Common exam/audit questions and hangups

Auditors and customer assessors usually probe the same points:

  • “Show me your standard. What does ‘good siting’ mean here?”
  • “How do you ensure new installs follow it?” (They will ask for recent examples.)
  • “What about printers, network closets, and lobby screens?”
  • “How do you handle exceptions, and who approves them?”
  • “Prove this is recurring, not a one-time project.” [2]

Hangups that slow audits:

  • No documented scope for which equipment types are covered.
  • “Policy-only” language with no install criteria.
  • Evidence scattered across Facilities, IT, and Security with no index.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: Treating siting as “Facilities’ problem.” Why it fails: equipment risk spans IT, Facilities, and Security. Fix: assign a single control owner with a RACI across teams.
  • Mistake: No trigger events. Why it fails: the control runs only during audit season. Fix: attach checks to tickets for moves/adds/changes.
  • Mistake: No proof of post-install validation. Why it fails: you can’t show the standard was followed. Fix: require photo/checklist sign-off in the work order.
  • Mistake: Exceptions handled informally. Why it fails: creates uncontrolled risk and inconsistent approvals. Fix: maintain a formal exceptions register and risk acceptance.
  • Mistake: Ignoring “visibility” risks. Why it fails: confidentiality can fail without theft or intrusion. Fix: include screen orientation and public-area rules.

Enforcement context and risk implications

No public enforcement cases were provided for this control in the source catalog, so this page does not cite enforcement actions. Practically, Annex A 7.8 failures tend to surface through customer audits, certification audits, and incident postmortems after theft, tampering, or environmental damage. The risk is not theoretical: poor siting can bypass strong logical controls through walk-up access, opportunistic device removal, or accidental disclosure from exposed screens.

Practical 30/60/90-day execution plan

Use phases rather than calendar promises. Move fast, but keep it auditable.

Immediate (stabilize and define)

  • Assign a control owner and cross-functional approvers (IT Ops, Facilities, Physical Security).
  • Define in-scope equipment categories and location types.
  • Draft and approve a one-page Equipment Siting Standard with clear “approved/prohibited” rules.
  • Stand up an exceptions register with an approval workflow.

Near-term (wire into operations)

  • Add siting review steps to Facilities work orders and IT install tickets.
  • Create a post-install validation checklist and require photo evidence for in-scope installs.
  • Train the small group that actually places equipment (desktop support, network team, facilities leads).

Ongoing (prove operation and fix drift)

  • Run recurring spot checks and log findings to closure.
  • Review exceptions during ISMS management review inputs (or your existing risk review forum).
  • Update the standard after office moves, major refreshes, or new site types (warehouse, lab, co-working).

Where Daydream fits naturally: If your pain point is repeatability and evidence, Daydream’s control card approach (objective, owner, triggers, steps, evidence bundle, exceptions) helps you operationalize Annex A 7.8 without turning it into a documentation project.

Frequently Asked Questions

Does Annex A 7.8 apply to laptops and monitors on employee desks?

Yes, if those devices process or display sensitive information in your facilities. Treat desk placement and screen visibility as part of siting, then set minimum expectations (positioning, locking, secure storage when unattended).

We use colocation and cloud. Do we still need this control?

Yes, but the implementation shifts. For colocation, your control is siting decisions within your cage/racks plus contractual and oversight controls for the facility; for cloud-only systems, the focus is your offices, endpoints, and any on-prem network gear.

What evidence is strongest for auditors?

A written standard plus ticketed examples that show pre-install review and post-install validation. Photos attached to completed work orders are often the fastest way to prove the control ran.

How do we handle equipment that must be in a semi-public area (kiosk, lobby display)?

Treat it as an exception or a special profile with compensating controls: locked enclosure, restricted ports, tamper detection, camera coverage, and content controls. Document the decision and approval.

Do we need a formal environmental monitoring program to meet 7.8?

Not always. The baseline expectation is that you considered environmental hazards and prevented obvious risks (water exposure, blocked airflow, unsecured placement). If your risk assessment says outages or damage would be severe, add stronger monitoring and controls.

Who should own Annex A 7.8 in practice?

Assign one accountable owner in the ISMS (often Security/IT Risk), but delegate execution to the teams that place equipment (IT Ops/Desktop, Network, Facilities). Auditors want clear accountability and a working handoff.

Footnotes

  [1] ISO/IEC 27001 overview; ISMS.online Annex A control index

  [2] ISO/IEC 27001 overview

