Excluding physical location from the ISMS scope
Answer: You have to look at this question from a different point of view - the scope has to be set in such a way as to protect your most sensitive information. Therefore, if you keep such information in your office, or your office is key for accessing such information, then it has to be included in the scope. (The ownership of the office, or the way it is leased, has nothing to do with setting the scope.)
Whether your office is appropriate for handling such information is a completely different question.
See also: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Hi and thank you for the reply. I apologize for not being more clear. What I really would like to know is whether you need to exclude from your scope parts of your business processes, activities, or sites which you do not directly control and control only through a contract. In my example the site is leased and only the leasing company can implement physical controls. Therefore we do not directly control it other than by accepting their controls or adding control language to the contract. So the question is: does one include in scope the parts of your key business processes, activities, and sites which can affect the CIA of the primary assets you are trying to protect if you can only control them through a contract?
Hope this helps and as always thanks for your help!
Again, you should approach this issue from the point of view of protecting your most sensitive information.
If your sensitive information is located in that office, or if this office is crucial to protecting the access to your information, then you should include the office in your scope. The fact that the office is leased doesn't prevent you from either (a) asking the owner to invest in physical controls, or (b) investing in physical controls yourself.
Perhaps this article could help you: Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
Oct 03, 2016