ISO 27001:2022 A 7.11 Supporting utilities

Failure or disruptions of utilities such as electricity, gas, water, or cooling needed for proper and continuous functioning of information processing facilities may result in compromise of information assets or may intercept business continuity. For example, the failure of air conditioning equipment in a data centre may lead to a sudden rise in temperature when the data centre is hit by a heatwave. This may cause servers hosting website and/or customer data to shut down, and thus result in loss of availability of data and disruptions to business operations. Organisations can eliminate risks to the availability and integrity of information assets due to the failure of supporting utilities such as gas, cooling, telecommunications, water, and electricity by putting in place appropriate measures that protect supporting utilities against failures and disruptions such as power outages. Organization must identifying risks to the continuous operations of supporting utilities and implementation of appropriate measures and controls to ensure that availability and integrity of information assets are not affected by failures of these utilities. Your equipment needs to be safeguarded against threats relating to utility failures including power outages from fallen lines or blown transformers or loss of wireless connectivity.These include power outages from fallen lines and blown transformers or loss of wireless connectivity. Most of these incidents will affect the temporary availability of your information systems. Although some threats are genuinely unforeseeable. Consider having a backup plan that involves a generator or dual routing access and power supplies.


Information processing facilities should be protected from power failures and other disruptions caused by failures in supporting utilities.


To prevent loss, damage or compromise of information and other associated assets, or interruption to the organization’s operations due to failure and disruption of supporting utilities.

ISO 27002 Implementation Guidance

Organizations depend on utilities (e.g. electricity, telecommunications, water supply, gas, sewage, ventilation and air conditioning) to support their information processing facilities. Therefore, the organization should:
a) ensure equipment supporting the utilities is configured, operated and maintained in accordance with the relevant manufacturer’s specifications;
b) ensure utilities are appraised regularly for their capacity to meet business growth and interactions with other supporting utilities;
c) ensure equipment supporting the utilities is inspected and tested regularly to ensure their proper functioning;
d) if necessary, raise alarms to detect utilities malfunctions;
e) if necessary, ensure utilities have multiple feeds with diverse physical routing;
f) ensure equipment supporting the utilities is on a separate network from the information processing facilities if connected to a network;
g) ensure equipment supporting the utilities is connected to the internet only when needed and only in a secure manner.
Emergency lighting and communications should be provided. Emergency switches and valves to cut off power, water, gas or other utilities should be located near emergency exits or equipment rooms. Emergency contact details should be recorded and available to personnel in the event of an outage

Other information

Additional redundancy for network connectivity can be obtained by means of multiple routes from more than one utility provider.

Organizations should take the necessary steps to help ensure the potential operational impact associated with supporting utility failures is limited.The clear risk associated with not addressing supporting utility controls is the potential unplanned outages that affect business operations. All supporting utilities, such as electricity, natural gas, water supplies, sewage, and heating ventilation and air conditioning (HVAC), should be adequate for the systems, as well as personnel, they are supporting. Supporting utilities also need to be able to support any new infrastructure devices or other new equipment planned for implementation as your organization grows. A suitable electrical supply should be provided that meets power requirements defined by equipment manufacturers. An uninterruptible power supply (UPS) should be implemented to support the orderly shutdown for equipment that supports critical business operations. UPS devices and generators should be regularly checked to ensure they have adequate capacity. Testing of these devices should be performed in accordance with the recommendations of the respective manufacturer or vendor.Emergency lighting should be installed and regularly tested to ensure it is operating correctly in case of a power failure. Emergency lighting should cover all emergency exits and planned evacuation routes within each of your organization’s facilities. Emergency power-off switches should be located near emergency exits in data centers and equipment rooms to facilitate a rapid power down in case of an emergency. These devices should be maintained, prominently marked, and protected from accidental activation.It seems obvious that the equipment must be connected to a power outlet, and in many cases there is a UPS and/or a generator that can provide power if the main energy supplier fails. But, often companies have never tried their alternative energy supply, or do not know the capacity, i.e., the time that the business can work with this alternative energy. Therefore, it is not only important to establish an alternative, but it is also important to define a maintenance plan and define the tasks that will be performed. And, it is highly recommended that you generate a report with results (conclusions, failures, duration of the tests, etc.)

Some of the cause for disruption in Information processing facilities

  1. Cyber crime: Because cyber crime has become the second most common cause of unplanned disruption, security must be addressed at every level. Defending against attacks is only half of the battle. Cyberthreats, including phishing and ransomware attacks, are among the most dangerous causes of disruption. Cyber attackers can exploit the weaknesses within your organization and get access to your sensitive data, exposing vital information and endangering your business.
  2. Human error: Regular and thorough training for staff should be a top priority. To reduce errors and ensure desired outcomes, you may also document method-of-process (MOP) techniques for carrying out complicated activities. Only qualified experts should monitor, maintain and manage the power and infrastructure to minimize downtime.
  3. Weather: Natural catastrophes are unavoidable, but taking preventative precautions before something happens can help you avoid severe damage. Regularly test your disaster recovery plan and backup diesel generators.
  4. Generators: Even though generator failures account for only 6% of faults, they are still essential to check and switch gears regularly. You must make use of N+1 redundancy and perform preventative maintenance.
  5. Insufficient backup power: The most common reason for disruption is power loss. Power outages can happen at any time. Due to this possibility, data centers typically have additional power sources in case their primary one is interrupted. The most commonly used backup power sources are generators and batteries. However, issues arise when operators do not run power failure tests or replace batteries often enough. Without taking the necessary preventative steps, your backup power may not be available when you need it.
  6. Cooling failures: Because Information processing facilities generate an incredible amount of heat, effective cooling solutions are vital to preventing equipment from overheating or suffering from shortened life spans. If your cooling solutions don’t work as intended, it may experience erratic temperatures — it could be freezing one minute and sizzling the next. Failing to implement backup cooling procedures and properly maintain the ones you currently have can cause productivity to take a hit.

After highlighting that supporting utilities such as water supply, electricity, communications, sewage, and air conditioning is vital to the operations carried out in information processing facilities. Organisations should take into account following to comply with the requirements:

  • Organisations should conform to the manufacturer’s instructions when configuring, using, and maintaining the devices used to control the utilities.
  • Utilities should be audited to ensure that they are fit to fulfil business growth objectives and they operate with other utilities without any issue.
  • All equipment supporting the utilities should go through regular inspections and testing so that there is no disruption or failure of their proper functioning.
  • Depending on the level of risk to the information assets and business continuity, an alarm system can be established for malfunctioning equipment supporting the utilities.
  • To minimise the risk, utilities should have multiple feeds with separate physical routing.
  • The network connected to the equipment supporting utilities should be segregated from the network connected to IT facilities.
  • Equipment supporting the utilities should be allowed to connect to the internet only if it is strictly necessary and this connection should be established in a secure manner.
  • Emergency procedures:Organisations should determine an emergency contact person and record his/her contact details. These details should be provided to all personnel in the event a failure or disruption occurs. Emergency switches and valves to halt utilities such as water, gas, and electricity should be placed near the emergency exits.Emergency lighting and communications should be ready to be used in case an emergency arises.
  • Network connectivity:Organisations can consider having additional routes from alternative service providers to increase network connectivity so that failures or disruptions of supporting utilities are prevented.

Leave a Reply