Physical, Preventive, Protect

A.7.13 Equipment Maintenance

M365 Admin Path: Microsoft Intune admin center > Devices > Compliance

Evidence Source: Microsoft Graph (Intune), FortiManager, Manual Inspection

What is this control?

ISO 27001 control A.7.13 Equipment Maintenance requires that equipment be maintained correctly so that information stays available and intact and is protected from loss, damage, or compromise. For infrastructure assets, the control requires scheduled maintenance programmes, including quarterly physical inspections and firmware currency reviews. For user endpoints, the control requires secure repair workflows that protect data through sanitisation before repair via Microsoft Intune and post-repair integrity verification via Windows Autopilot.

How to implement in Microsoft 365

Implement A.7.13 for infrastructure by performing quarterly physical inspections covering fan operation, dust clearance, cable seating, and indicator lights. Keep firmware within the vendor's supported window, and schedule quarterly firmware currency reviews in FortiManager and the vendor portal. For UPS units, run monthly automatic self-tests and an annual battery health assessment.

For user endpoints, if the device still functions, wipe it via Intune or Factory Reset before repair to remove corporate data. If the device cannot be wiped due to motherboard failure, rely on BitLocker encryption to render data inaccessible. Require that repairs be performed only by the manufacturer or Authorised Service Providers.

What an auditor looks for

Auditors will verify that the device compliance rate report shows 95% or more of managed devices compliant. They will check that Autopilot deployment profiles are configured or that registered devices are listed. Auditors will review the infrastructure maintenance log for quarterly inspection entries covering fan checks, dust clearance, and cable seating.

They will verify that the FortiManager change log shows firmware update records. Auditors will check the UPS maintenance log for monthly self-test results and annual battery assessments. They will review the device wipe action history from Intune, which should show timestamps for devices sent for repair.
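
The two endpoint checks above (the 95% compliance rate and a wipe recorded before each repair, with BitLocker as the fallback for devices that could not be wiped) can be pre-checked before the audit. This is an added example, not Microsoft's or the page author's code: `complianceState` and `isEncrypted` are managedDevice properties in Microsoft Graph, while the repair register, the wipe export layout, and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample data. "complianceState" and "isEncrypted" are properties of
# the Microsoft Graph managedDevice resource; every other field name and both
# register layouts (REPAIRS, WIPES) are assumptions made for this example.
DEVICES = [{"id": f"d{i}", "complianceState": "compliant", "isEncrypted": True}
           for i in range(1, 19)]
DEVICES += [
    {"id": "d19", "complianceState": "noncompliant", "isEncrypted": True},
    {"id": "d20", "complianceState": "compliant", "isEncrypted": False},
]
REPAIRS = [  # hypothetical repair register: when each device left the premises
    {"deviceId": "d18", "handedOver": "2024-03-11T09:00:00Z"},
    {"deviceId": "d19", "handedOver": "2024-03-11T09:00:00Z"},
    {"deviceId": "d20", "handedOver": "2024-03-11T09:00:00Z"},
]
WIPES = [  # hypothetical export of wipe actions with completion times
    {"deviceId": "d18", "state": "done", "completed": "2024-03-08T16:30:00Z"},
    {"deviceId": "d20", "state": "done", "completed": "2024-03-12T10:00:00Z"},
]

def _ts(value):
    # Parse an ISO 8601 UTC timestamp with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def compliance_rate(devices):
    """Percentage of managed devices whose complianceState is 'compliant'."""
    if not devices:
        return 0.0
    compliant = sum(d["complianceState"] == "compliant" for d in devices)
    return 100.0 * compliant / len(devices)

def repair_evidence(devices, repairs, wipes):
    """Classify each repair: wiped first, encrypted fallback, or a gap."""
    by_id = {d["id"]: d for d in devices}
    result = {}
    for r in repairs:
        handed = _ts(r["handedOver"])
        # A wipe only counts if it completed before the device was handed over.
        wiped = any(w["deviceId"] == r["deviceId"] and w["state"] == "done"
                    and _ts(w["completed"]) <= handed for w in wipes)
        encrypted = by_id.get(r["deviceId"], {}).get("isEncrypted", False)
        result[r["deviceId"]] = ("wiped-before-repair" if wiped else
                                 "encrypted-not-wiped" if encrypted else "GAP")
    return result

if __name__ == "__main__":
    print(f"compliance rate: {compliance_rate(DEVICES):.1f}% (target 95% or more)")
    for dev, status in repair_evidence(DEVICES, REPAIRS, WIPES).items():
        print(dev, status)
```

A device marked `GAP` left for repair neither wiped beforehand nor encrypted, so there is no evidence for the repair entry; a wipe that completes after handover does not count.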

M365 capabilities that implement this control

Microsoft Equipment Maintenance Foundation

Microsoft-managed equipment maintenance and operational procedures