A.7.12 and A.7.13 — Cabling and Equipment Maintenance
Understanding the Critical Junction: Where Security Meets Facilities
I've seen Fortune 500 companies brought to their knees by something as mundane as unlabeled cables. During a ransomware incident at a manufacturing firm, their incident response team spent six hours trying to figure out which network segments to isolate because nobody could identify what connected to what. Meanwhile, encrypted files spread through their production systems like wildfire.
Controls 7.12 (Cabling Security) and 7.13 (Equipment Maintenance) from ISO/IEC 27002:2022 operate in that uncomfortable space where information security meets facilities management. These aren't the glamorous controls that get conference presentations, but they're the foundation that everything else depends on. Get them wrong, and your sophisticated endpoint detection means nothing when an attacker physically taps your network backbone.
After fifteen years of auditing everything from trading floors to medical device manufacturers, I can tell you that these controls consistently reveal fundamental gaps in how organizations think about physical security. Let's examine what actually works in practice.
Control 7.12 — Cabling Security: Beyond Cable Management Theater
The standard requires that cables carrying power, data, or supporting information services be protected from interception, interference, or damage. This sounds straightforward until you start mapping actual cable routes in real facilities.
The Interception Reality Nobody Discusses
Network tapping isn't theoretical. During a penetration test I observed, the red team installed a passive network tap in an unmonitored ceiling space within two minutes. The device—about the size of a USB drive—captured three months of unencrypted internal communications before anyone noticed.
The guidance in Control 7.12(c) specifically addresses this with technical controls for sensitive systems, including armoured conduit, locked termination points, and electromagnetic shielding. But here's what I see organizations consistently miss: they apply these controls inconsistently or not at all to cable runs through "controlled" spaces that aren't actually controlled.
A financial services client had implemented excellent perimeter security but ran fiber backbone cables through a shared building riser accessible by maintenance staff from four other tenant companies. When I asked about access logs for that space, the facilities manager looked genuinely confused. "It's just the cable room," he said. That "just the cable room" carried every transaction their trading desk executed.
Auditor Insight: Document your cable route risk assessment. I look for evidence that someone actually walked the physical paths, identified access points, and made conscious decisions about protection levels based on data sensitivity and threat exposure.
Electromagnetic Interference: The Physics Problem
Control 7.12(b) requires segregating power cables from communications cables to prevent interference. This isn't just about network stability—the same electromagnetic coupling that disrupts traffic is what side-channel attacks exploit to leak information through power consumption patterns.
I've documented three incidents where network performance problems traced to power cable proximity. In one case, new LED lighting installation created enough interference to corrupt financial transaction data. The organization spent two weeks chasing "software bugs" before someone checked the physical infrastructure.
For implementation, maintain at least 200 mm separation between power and data cables, or use properly shielded cabling with grounded conduit. Document your approach and the technical justification—auditors need to see that you made informed engineering decisions, not just followed generic recommendations.
Labeling: The Control That Saves Incidents
Control 7.12(d) requires cables to be labeled with sufficient source and destination details for physical identification. This seems obvious until you're trying to isolate a compromised segment during an active incident.
Your labeling scheme should include:
- Consistent naming conventions documented in configuration management
- Labels at both ends of every cable run
- Color coding for different network segments or security zones
- Documentation that survives personnel turnover
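As an added illustration of the labeling scheme above (this is example code written for this article, not something the standard or any client provided), the following Python validator checks a cable inventory against a hypothetical naming convention of the form BUILDING-ROOM-RACK-PORT, confirms that both ends were verified, and checks that label colour matches the security zone. The zone-to-colour table, the record format and the sample inventory are all constructed assumptions; the second function answers the question an incident responder actually asks, namely which physical runs carry a given zone.

```python
import re
from dataclasses import dataclass

# Hypothetical naming convention (an assumption for this example, not from ISO 27002):
#   <BUILDING>-<ROOM>-<RACK>-<PORT>   e.g. B1-MDF-R03-P12
ENDPOINT_RE = re.compile(r"^[A-Z]\d-[A-Z]{2,4}-R\d{2}-P\d{2}$")

# Constructed zone -> label colour mapping; adapt to your own configuration management records.
ZONE_COLOURS = {"PROD": "red", "CLINICAL": "orange", "GUEST": "blue", "MGMT": "yellow"}


@dataclass
class CableRun:
    cable_id: str
    src: str                 # label applied at the A end
    dst: str                 # label applied at the B end
    zone: str                # security zone / network segment the run carries
    colour: str              # colour of the physical label or jacket
    label_a_verified: bool   # someone physically checked the A-end label
    label_b_verified: bool   # someone physically checked the B-end label


def validate_runs(runs):
    """Return a list of (cable_id, [problems]) for every run that violates the scheme."""
    findings = []
    seen_ids = set()
    for r in runs:
        problems = []
        if r.cable_id in seen_ids:
            problems.append("duplicate cable id")
        seen_ids.add(r.cable_id)
        for end, label in (("A", r.src), ("B", r.dst)):
            if not ENDPOINT_RE.match(label):
                problems.append(f"{end}-end label '{label}' violates naming convention")
        if not (r.label_a_verified and r.label_b_verified):
            problems.append("label not verified at both ends")
        expected = ZONE_COLOURS.get(r.zone)
        if expected is None:
            problems.append(f"unknown zone '{r.zone}'")
        elif r.colour != expected:
            problems.append(f"colour '{r.colour}' does not match zone {r.zone} ({expected})")
        if problems:
            findings.append((r.cable_id, problems))
    return findings


def runs_for_zone(runs, zone):
    """Which physical runs carry a given zone? This is the isolation question during an incident."""
    return sorted(r.cable_id for r in runs if r.zone == zone)


# Constructed sample inventory: one clean record and three deliberately flawed ones.
SAMPLE_RUNS = [
    CableRun("C-0001", "B1-MDF-R03-P12", "B1-ICU-R01-P04", "CLINICAL", "orange", True, True),
    CableRun("C-0002", "B1-MDF-R03-P13", "B1-LOB-R01-P01", "GUEST", "blue", True, False),   # B end never verified
    CableRun("C-0003", "B1-MDF-R03-P14", "ICU rack", "CLINICAL", "blue", True, True),       # free-text label, wrong colour
    CableRun("C-0003", "B1-MDF-R03-P15", "B1-DC-R02-P07", "PROD", "red", True, True),       # duplicate id
]

if __name__ == "__main__":
    for cable_id, problems in validate_runs(SAMPLE_RUNS):
        print(cable_id, "->", "; ".join(problems))
    print("CLINICAL runs:", runs_for_zone(SAMPLE_RUNS, "CLINICAL"))
```

Run the validator as part of every change that touches structured cabling and keep the output with the change record; an inventory that passes this check is the one that lets a responder pull the right cable at 3 a.m.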
I audited a hospital where critical patient monitoring systems shared unlabeled cable runs with guest WiFi. During a compliance review, they couldn't demonstrate network segmentation because they literally couldn't identify which cables carried which traffic. The remediation took eight months and cost more than proper initial implementation would have.
Control 7.13 — Equipment Maintenance: Managing the Insider Access Problem
Equipment maintenance creates a fundamental security paradox: you must grant access to critical systems to people who aren't your employees, often without supervision, sometimes remotely. Control 7.13 addresses this by requiring correct maintenance procedures that preserve confidentiality, integrity, and availability.
The Vendor Access Challenge
Control 7.13(f) requires supervising maintenance personnel carrying out on-site work. In practice, this means someone from your organization with appropriate technical knowledge must be present during maintenance activities. Not the receptionist signing them in—someone who can recognize if the technician is accessing systems or data beyond their scope.
I witnessed a "routine" server maintenance visit where the vendor technician accessed production databases to "verify system performance." The on-site supervisor assumed this was normal and never questioned it. Later investigation revealed the technician had exfiltrated client data for a competitor. The organization's maintenance agreement included confidentiality clauses, but no one was monitoring compliance.
Implementation Tip: Create maintenance supervision checklists that specify exactly what the technician should access, what tools they can use, and what constitutes acceptable work. Train your supervisors to recognize when work exceeds the approved scope.
Remote Maintenance: The Growing Attack Surface
Control 7.13(g) addresses remote maintenance access control—increasingly critical as vendors push remote support capabilities. Organizations consistently underestimate this risk exposure.
Key implementation requirements include:
- Multi-factor authentication for all remote maintenance access
- Session monitoring and recording
- Time-limited access windows aligned with approved maintenance schedules
- Network segmentation that isolates maintenance access from production systems
- Regular access reviews to remove orphaned accounts
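The requirements listed above only matter if someone checks them, and the evidence auditors ask for (remote access logs correlated with approved maintenance windows, see the evidence section later in this article) is exactly that check. The following Python review script is an added example written for this article, not a vendor or client tool. It assumes a hypothetical remote-maintenance gateway that writes one key=value line per session, a list of approved maintenance windows taken from change tickets, and a list of vendor accounts; all three inputs are constructed. It flags sessions without MFA, sessions that were not recorded, sessions outside any approved window, sessions touching targets outside the approved scope, and accounts with no approved window in the last 90 days (the orphaned-account case).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log from a hypothetical remote-maintenance gateway (not a real product format).
SAMPLE_LOG = """\
2024-03-04T22:10:00Z event=session_start user=hvac-svc vendor=hvac-co mfa=yes recorded=yes target=bms-01
2024-03-04T23:40:00Z event=session_start user=hvac-svc vendor=hvac-co mfa=yes recorded=yes target=plc-07
2024-03-06T02:15:00Z event=session_start user=hvac-svc vendor=hvac-co mfa=no recorded=yes target=bms-01
2024-03-05T09:00:00Z event=session_start user=erp-support vendor=erp-vendor mfa=yes recorded=no target=erp-db-01
"""

# Constructed approved maintenance windows, as they would come from change tickets.
APPROVED_WINDOWS = [
    {"ticket": "CHG-1001", "user": "hvac-svc", "start": "2024-03-04T22:00:00Z",
     "end": "2024-03-05T00:00:00Z", "targets": {"bms-01"}},
    {"ticket": "CHG-1002", "user": "erp-support", "start": "2024-03-05T08:00:00Z",
     "end": "2024-03-05T12:00:00Z", "targets": {"erp-db-01"}},
]

# Constructed list of vendor accounts that currently exist on the gateway.
VENDOR_ACCOUNTS = {"hvac-svc", "erp-support", "old-scada-vendor"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = parse_ts(ts)
    return rec


def review_sessions(log_text, windows):
    """Return (timestamp, user, target, [reasons]) for every session that breaks a rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") != "session_start":
            continue
        reasons = []
        if rec.get("mfa") != "yes":
            reasons.append("no MFA")
        if rec.get("recorded") != "yes":
            reasons.append("session not recorded")
        # Windows that cover this user at this moment; then check the target is in scope.
        covering = [w for w in windows
                    if w["user"] == rec["user"]
                    and parse_ts(w["start"]) <= rec["ts"] <= parse_ts(w["end"])]
        if not covering:
            reasons.append("outside any approved maintenance window")
        elif not any(rec["target"] in w["targets"] for w in covering):
            reasons.append(f"target {rec['target']} not in approved scope")
        if reasons:
            findings.append((rec["ts"].isoformat(), rec["user"], rec["target"], reasons))
    return findings


def orphaned_accounts(accounts, windows, review_date, max_idle_days=90):
    """Accounts with no approved maintenance window in the last max_idle_days are candidates for removal."""
    cutoff = review_date - timedelta(days=max_idle_days)
    recent = {w["user"] for w in windows if parse_ts(w["end"]) >= cutoff}
    return sorted(accounts - recent)


if __name__ == "__main__":
    for ts, user, target, reasons in review_sessions(SAMPLE_LOG, APPROVED_WINDOWS):
        print(ts, user, target, "->", "; ".join(reasons))
    print("orphaned:", orphaned_accounts(VENDOR_ACCOUNTS, APPROVED_WINDOWS, parse_ts("2024-03-31T00:00:00Z")))
```

Against the constructed input the script reports the plc-07 session as out of scope, the 02:15 session as both unauthenticated by MFA and outside any window, the ERP session as unrecorded, and old-scada-vendor as an orphaned account. The HVAC story above is precisely the third and fourth case: a permanent account with no window to correlate against.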
A manufacturing client discovered their HVAC vendor had permanent remote access to building management systems that connected to their production network. The access had been configured three years earlier and never reviewed. When I asked about monitoring, they said, "We trust them—they're our HVAC guys." Trust doesn't scale in information security.
Post-Maintenance Verification
Control 7.13(j) requires inspecting equipment after maintenance to ensure it hasn't been tampered with and functions properly. This verification must happen before returning equipment to operational use.
Your post-maintenance procedures should include:
- Physical inspection for unauthorized hardware modifications
- Software integrity verification using checksums or digital signatures
- Configuration validation against approved baselines
- Functional testing to confirm proper operation
- Security scanning to detect potential malware or unauthorized software
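The two list items that can be automated end to end are software integrity verification and configuration validation. The Python below is an added example written for this article, not code from the standard or any vendor: it takes a SHA-256 manifest of a device's file tree before the equipment goes out for maintenance, re-hashes the tree when it comes back, and reports modified, missing and added files, then compares a flat key=value configuration against the approved baseline. The file tree, the configuration file and the "vendor changes" are all constructed inside a temporary directory so the example runs offline; in production the manifest would be taken from the asset's own baseline and signatures could replace plain checksums.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Baseline: relative POSIX path -> sha256, captured before equipment leaves for maintenance."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root, manifest):
    """Re-hash the tree after maintenance and classify every deviation from the baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def diff_config(actual, baseline):
    """Flat key/value comparison: returns {key: (baseline_value, actual_value)} for every deviation."""
    return {k: (baseline.get(k), actual.get(k))
            for k in set(actual) | set(baseline)
            if actual.get(k) != baseline.get(k)}


def run_demo():
    """Constructed scenario: baseline a small device image, simulate a vendor visit, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "controller").write_bytes(b"firmware-v1")
        (root / "etc").mkdir()
        (root / "etc" / "service.conf").write_text("remote_support=off\n")
        manifest = build_manifest(root)                      # taken before the visit

        # What the (hypothetical) maintenance visit changed: a patched binary,
        # a new helper script, and remote support switched on.
        (root / "bin" / "controller").write_bytes(b"firmware-v1-patched")
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\n")
        (root / "etc" / "service.conf").write_text("remote_support=on\n")

        file_findings = verify_tree(root, manifest)
        actual_cfg = dict(line.split("=", 1)
                          for line in (root / "etc" / "service.conf").read_text().split())
        cfg_findings = diff_config(actual_cfg, {"remote_support": "off"})
        return file_findings, cfg_findings


if __name__ == "__main__":
    files, cfg = run_demo()
    print("files:", files)
    print("config deviations:", cfg)
```

Every entry the two functions report is a question for the supervisor's sign-off: a patched binary may be the approved work, but an unexpected helper script and remote support being enabled are exactly the findings that must be explained, and reverted if unexplained, before the equipment returns to service.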
Cross-Standard Integration
These controls don't exist in isolation. ISO/IEC 27036 (Supplier Relationships) provides additional guidance for managing maintenance contractors and service providers. ISO/IEC 27017 includes specific considerations for cloud infrastructure maintenance that may impact your hybrid environments.
For organizations in regulated industries, ISO/IEC 27018 addresses privacy protection considerations when maintenance activities involve personal data processing. Healthcare organizations should also reference sector-specific standards that may impose additional maintenance security requirements.
What Auditors Look For: Evidence and Documentation
During audits, I examine both the controls themselves and the management thinking behind them. Here's what constitutes compelling evidence:
For Cabling Security:
- Physical cable route documentation with risk assessments for each segment
- Cable labeling standards with implementation verification records
- Evidence of electromagnetic interference testing and mitigation
- Access control records for cable rooms and termination points
- Regular physical inspection reports for critical cable runs
For Equipment Maintenance:
- Maintenance contractor vetting procedures and background check records
- Signed confidentiality agreements with specific scope limitations
- Maintenance supervision logs showing who monitored what work
- Post-maintenance verification checklists with actual results
- Remote access logs correlated with approved maintenance windows
I also look for evidence that these procedures actually get followed. Perfect documentation means nothing if maintenance happens without supervision or cables get installed without proper labeling.
Common Implementation Failures
Three patterns account for most failures I observe:
Jurisdictional Gaps: IT assumes facilities handles physical security, facilities assumes IT handles data security. Result: nobody owns cabling security comprehensively.
Vendor Relationship Complacency: Long-term maintenance relationships breed familiarity that undermines security procedures. "We've worked with them for years" becomes justification for bypassing controls.
Documentation That Doesn't Match Reality: Cable diagrams that show what was originally planned, not what actually got installed. Maintenance procedures that describe ideal scenarios, not actual practice.
The solution requires treating these controls as operational security activities, not just compliance checkboxes. Regular validation, practical testing, and management attention make the difference between effective controls and security theater.
Remember: an adversary who gains physical access to your infrastructure can often bypass years of cybersecurity investment. These seemingly mundane controls protect against that reality.
Need guidance tailored to your specific environment? Connect with experienced practitioners at the IX ISO 27001 Info Hub for practical implementation insights, or consider a targeted consultation to ensure your physical security controls align with your actual risk environment.
Need personalized guidance? Reach our team at ix@isegrim-x.com.