Physical Control 7.11

Supporting Utilities

Summary

Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities. This includes electricity, water supply, gas, telecommunications, and heating/ventilation systems to ensure continued operational availability.

Applicability

In-Scope: Mandatory for maintaining the availability of on-premises technical infrastructure. It prevents utility failures from causing system crashes, data corruption, or extended business downtime.

Out-of-Scope: The scope of this control can only be reduced for organizations that are 100% cloud-based with no physical office infrastructure beyond standard end-user laptops.

Implementation Guidance

Microsoft 365 / Entra ID

  • Redundancy: Rely on the Microsoft Azure global infrastructure for core services, as their data centers feature Tier 4 utility redundancy that exceeds standard commercial office capabilities.

  • Monitoring: Utilize IoT sensors integrated with Azure Monitor to track the real-time status of Uninterruptible Power Supply (UPS) systems and server room environmental conditions.

  • Alerting: Configure Microsoft Teams notifications to immediately alert the technical operations team when a power failure or environmental threshold is breached in the office.
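To make the monitoring and alerting bullets above concrete, here is an added example of the threshold logic such an alerting pipeline needs, written for this page rather than taken from it or from any Microsoft product. It assumes a simple telemetry record (site, device, timestamp, mains status, battery runtime, temperature, humidity) and assumed threshold values; in practice the thresholds come from the utility risk assessment and the UPS vendor's runtime figures, and the alert tuples would be handed to whatever notifier (Teams, pager, ticket) the organization uses. Beyond the page's two cases it also treats a silent sensor as an alert condition, because a monitoring channel that has stopped reporting is itself a failure of this control.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Thresholds are assumptions for this example; set them from the utility
# risk assessment and the UPS vendor's runtime figures in practice.
MIN_RUNTIME_MIN = 15.0                   # minimum acceptable battery runtime
MAX_TEMP_C = 27.0                        # server-room upper temperature bound
MAX_HUMIDITY_PCT = 60.0                  # server-room upper humidity bound
MAX_READING_AGE = timedelta(minutes=5)   # older than this means the sensor or link is down


@dataclass
class Reading:
    """One telemetry sample from a UPS or an environmental sensor (assumed format)."""
    site: str
    device: str
    observed_at: datetime
    mains_ok: Optional[bool] = None               # UPS only: input power present
    battery_runtime_min: Optional[float] = None   # UPS only: estimated runtime left
    temperature_c: Optional[float] = None         # environment sensor only
    humidity_pct: Optional[float] = None          # environment sensor only


Alert = Tuple[str, str]  # (severity, message)


def evaluate(reading: Reading, now: datetime) -> List[Alert]:
    """Return the alerts a single reading should raise at time `now`."""
    alerts: List[Alert] = []
    tag = f"{reading.site}/{reading.device}"

    # A silent sensor is itself a failure of the monitoring this control relies on,
    # so it is alerted rather than ignored, and its stale values are not evaluated.
    age = now - reading.observed_at
    if age > MAX_READING_AGE:
        alerts.append(("warning", f"{tag}: no telemetry for {int(age.total_seconds() // 60)} min"))
        return alerts

    if reading.mains_ok is False:
        runtime = reading.battery_runtime_min or 0.0
        # On battery with less than the minimum runtime left is the case where an
        # orderly shutdown of the equipment has to start now.
        severity = "critical" if runtime < MIN_RUNTIME_MIN else "warning"
        alerts.append((severity, f"{tag}: mains power lost, {runtime:.0f} min of battery runtime remaining"))
    elif reading.battery_runtime_min is not None and reading.battery_runtime_min < MIN_RUNTIME_MIN:
        # On mains but with a degraded battery: a maintenance finding, not an outage.
        alerts.append(("warning", f"{tag}: battery runtime {reading.battery_runtime_min:.0f} min is below the {MIN_RUNTIME_MIN:.0f} min minimum"))

    if reading.temperature_c is not None and reading.temperature_c > MAX_TEMP_C:
        alerts.append(("warning", f"{tag}: temperature {reading.temperature_c:.1f} C exceeds {MAX_TEMP_C:.1f} C"))
    if reading.humidity_pct is not None and reading.humidity_pct > MAX_HUMIDITY_PCT:
        alerts.append(("warning", f"{tag}: humidity {reading.humidity_pct:.0f}% exceeds {MAX_HUMIDITY_PCT:.0f}%"))
    return alerts


def evaluate_all(readings: List[Reading], now: datetime) -> List[Alert]:
    """Evaluate a batch of readings, critical alerts first (sort is stable otherwise)."""
    alerts: List[Alert] = []
    for reading in readings:
        alerts.extend(evaluate(reading, now))
    return sorted(alerts, key=lambda a: 0 if a[0] == "critical" else 1)


# Constructed sample telemetry for one site, not real data.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_READINGS = [
    Reading("hq", "ups-01", NOW - timedelta(seconds=30), mains_ok=True, battery_runtime_min=42.0),
    Reading("hq", "ups-02", NOW - timedelta(seconds=30), mains_ok=False, battery_runtime_min=9.0),
    Reading("hq", "env-serverroom", NOW - timedelta(seconds=45), temperature_c=29.5, humidity_pct=48.0),
    Reading("hq", "env-commsroom", NOW - timedelta(minutes=12), temperature_c=22.0, humidity_pct=40.0),
]

if __name__ == "__main__":
    for severity, message in evaluate_all(SAMPLE_READINGS, NOW):
        print(f"[{severity.upper()}] {message}")
```

Run on the constructed sample, the healthy UPS raises nothing, the UPS on battery with 9 minutes left is critical, the warm server room and the comms-room sensor that has gone quiet are warnings. The runtime threshold is the same number an auditor asks about under Practical Audit Advice, so it is worth documenting where it came from.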

Evidence Checklist

  • Utility Risk Assessment: A document identifying critical utilities required for operations and the corresponding backup or redundancy sources.

  • Maintenance Logs: Records of regular inspections and tests for UPS batteries, backup generators, and HVAC systems.

  • Service Level Agreements (SLAs): Contracts with utility providers or building management specifying uptime guarantees and emergency response requirements.

Practical Audit Advice

Here are some questions the auditor might ask:

  • What is the maximum duration your UPS can support critical network equipment during a total utility power outage?

  • How often are the emergency power systems, such as generators and UPS units, tested under a simulated operational load?

  • Is there a single point of failure in your telecommunications infrastructure, such as primary and backup lines entering through the same physical conduit?

  • How are physical utility controls, such as circuit breakers and water valves, protected from unauthorized access or accidental interference?

Templates for this control

Downloadable ISO 27001:2022 templates relevant to this control. Use them as a starting point for your own documentation.

Asset Destruction Procedure (docx)

Defines the process for securely destroying information assets to prevent unauthorized data recovery.

Asset Disposal Checklist (xlsx)

Ensures all data wiping, physical destruction, and disposal documentation steps are completed.

See all templates on the Templates page.