Expert Advice Community

Question about ISO-27001

Guest user Created: Jul 04, 2022 Last commented: Jul 04, 2022

I'm writing to ask about the requirement for a remote-only organization to own an office space in order to become ISO-27001 certified. The question has been partially answered here: https://community.advisera.com/topic/certification-of-remote-companies/

The answer explicitly states that we should ask our CB, which we have done, but since they are not allowed to provide advice beyond what is necessary for the audit (to avoid conflict of interests, I assume), I was wondering if you could provide some additional guidance on this. Namely, whether the location to be audited has to comply with some minimum requirements in terms of size, amenities, equipment and others.

1 - Would it be acceptable to rent a bare office where no actual work happens? Wouldn't that mean that risks at the office location are being minimized or eliminated altogether and that the security control A.11 (physical and environmental security) becomes non-applicable?

2 - How does that compare to a rented room or desk in a co-working space?

I understand that the answer may depend on the CB and/or the kind of business being audited, but some generic advice would already be helpful for us to know our options on this matte

Expert
Rhand Leal Jul 04, 2022

1 - Would it be acceptable to rent a bare office where no actual work happens? Wouldn't that mean that risks at the office location are being minimized or eliminated altogether and that the security control A.11 (physical and environmental security) becomes non-applicable?

If no actual work happens in this office, it wouldn't make sense for the auditor, so this alternative probably wouldn't be acceptable. The address should be a location where some activity related to the ISMS scope happens, or where the management responsible for the scope works.

2 - How does that compare to a rented room or desk in a co-working space?

I understand that the answer may depend on the CB and/or the kind of business being audited, but some generic advice would already be helpful for us to know our options on this matte

The same applies. If some business or management activity takes place in the location, it may be used as the address for the certification scope, but this shared scenario is more complex to protect than the rented office.

Additionally, please note that the space needs to be rented for the duration of the certification. If you change the location, the certification body will need to be notified, and if no activity is performed there, this may indicate that resources are not properly allocated.
