Controls in third party facility

Guest user Created:   Mar 06, 2018 Last commented:   Mar 13, 2018

We have implemented 27001 in our organisation's head office. We own the premises and so can control the environment and all the information security requirements where the premises are concerned. We are now implementing 27001 in a secondary office. Here we use around 10 public buildings; these are free of charge, we have no contract in place, and they are not a supplier. How can we implement the controls when it is out of our hands? For example, we have no control over the perimeter or their utilities, we have no control over who comes into the building, etc. Mainly those areas in A11? How do we comply with 27001 in this case?
Expert
Rhand Leal Mar 06, 2018

Answer: Even if they are free of charge, you must consider the establishment of contracts to define the security clauses that those responsible for the buildings must implement, since you have no authority to implement them on your own (you have to consider the public entities providing the buildings as your suppliers). The security clauses to be included must reflect the results of a risk assessment as if you were managing the buildings yourself (e.g., if your risk assessment identifies the need for controls from section A.11, you must include the requirements of this section in your contracts).

These articles will provide you with further explanation about supplier management:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
Expert
Rhand Leal Mar 13, 2018
We received this question:

>I have a further question. Some of the properties are free, public and we do not have a contract. How will this impact your suggestion?

Answer: Without a contract you will not have any support to oblige those responsible for the properties to implement the security controls you require, and you will be at risk of being legally processed for modifying the facilities to implement the controls yourself without authorization.