A.7.8 Equipment Siting and Protection
What is A.7.8 Equipment Siting and Protection?
ISO 27001 control A.7.8 Equipment Siting and Protection ensures the organisation sites and protects equipment through physical controls and technical compensating measures to reduce risks from physical and environmental threats, unauthorised access, and damage. The control combines secure zone placement with locked racks, screen positioning to prevent shoulder surfing, hazard avoidance, wireless access point siting for signal containment, and technical hardening via Intune enrollment with remote wipe capability.
How to implement A.7.8 in Microsoft 365
Implement A.7.8 by siting core infrastructure in dedicated, lockable secure zones with environmental protection that maintains 18-27 degrees Celsius and 40-60% humidity and avoids water hazards. Verify that cable management prevents trip hazards and that console ports are oriented to face into locked cabinets. Position user endpoint screens away from windows and walkways to prevent shoulder surfing.
Place shared printers in staff-supervised areas and secure public displays with VESA locks. Mount wireless access points centrally at ceiling height for signal containment. Enrol all portable devices in Microsoft Intune to enable remote wipe if equipment is stolen.
What an auditor checks for A.7.8
- Auditors will verify physical inspection reports showing secure zone siting, environmental controls, and console port orientation.
- They will check screen positioning during an office walkthrough, confirming that screens are not visible from windows or corridors.
- Auditors will verify that printers are located in staff-supervised areas.
- They will review a wireless heatmap or physical inspection confirming central mounting of wireless access points.
- Auditors will check the Intune enrollment report showing managed devices.
- They will verify the device configuration deployment report showing profiles deployed for hardening.
What your auditor expects for A.7.8
- Control: A.7.8 (Equipment siting and protection)
- ISMS Sections: 3-5
- Related Controls: A.7.6 (Screen lock timeout), A.8.1 (Device compliance), A.8.24 (Encryption)
- Evidence Tabs:
  - R1: Managed Devices (remote wipe capability)
  - R2: Device Configurations (equipment hardening)
  - M1: Core Infrastructure Siting
  - M2: User Endpoint Siting
  - M3: Wireless Access Point Siting
  - M4: Public Area Equipment
Related controls
- [A.7.6 (Working in secure areas - screen lock timeout)](/controls/a-7-6 (working in secure areas - screen lock timeout)/)
- [A.8.1 (User endpoint devices - device compliance)](/controls/a-8-1 (user endpoint devices - device compliance)/)
- [A.8.24 (Use of cryptography - BitLocker encryption)](/controls/a-8-24 (use of cryptography - bitlocker encryption)/)
- [A.7.7 (Clear desk and clear screen - Universal Print)](/controls/a-7-7 (clear desk and clear screen - universal print)/)
M365 capabilities that implement this control
Microsoft-managed fire protection, water damage protection, emergency power, and environmental controls