
Control 7.13: Equipment Maintenance


Summary

Equipment should be correctly maintained to ensure its continued availability and integrity. Regular servicing and proactive monitoring prevent unexpected hardware failures that could lead to data loss or business interruption.


Applicability

In-Scope: Mandatory for all physical hardware including servers, firewalls, and storage arrays. It ensures that the availability portion of the security triad is consistently met.

Out-of-Scope: The scope can be reduced only for organizations that lease all hardware under a contract in which the provider handles 100% of the maintenance and replacement.


Implementation Guidance

Microsoft 365 / Entra ID

  • Health Monitoring: Use Microsoft Intune and Endpoint Analytics to monitor the hardware health, such as battery life and disk status, of all managed laptops and desktops.

  • Warranty Tracking: Maintain a SharePoint List with automated alerts to notify the IT team when hardware warranties or manufacturer service contracts are nearing expiration.

  • Cloud Infrastructure: Review the Microsoft Service Trust Portal to access compliance reports on how Microsoft maintains the physical hardware underlying your Microsoft 365 tenant.


Evidence Checklist

  • Maintenance Schedule: A documented calendar for the regular servicing of all critical hardware assets.

  • Service Records: Invoices or technical logs showing that maintenance was performed in accordance with the established schedule.

  • Fault Logs: A record of hardware failures, the subsequent repairs or replacements performed, and the time taken to restore service.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How do you ensure that only authorized technicians are permitted to perform maintenance on equipment containing sensitive data?

  • What process is in place to ensure that no sensitive data remains on a hardware component, such as a hard drive, that is being sent off-site for repair?

  • How does the organization identify equipment reaching its end-of-life to ensure replacement before a failure occurs?

  • Are there clear procedures for what to do if a critical piece of equipment fails outside of regular business hours?