We have implemented 27001 in our organisation's head office. We own the premises and so can control the environment and all the information security requirements where the premises are concerned. We are now implementing 27001 in a secondary office. Here we use around 10 public buildings; these are free of charge, we have no contract in place, and they are not a supplier. How can we implement the controls when it is out of our hands? For example, we have no control over the perimeter or their utilities, we have no control over who comes into the building, etc. (mainly those areas in A.11). How do we comply with 27001 in this case?
Answer: Even if they are free of charge, you must consider the establishment of contracts to define the security clauses that those responsible for the buildings must implement, since you have no authority to implement them on your own (you have to consider the public entities providing the buildings as your suppliers). The security clauses to be included must reflect the results of a risk assessment as if you were managing the buildings yourself (e.g., if your risk assessment identifies the need for controls from section A.11, you must include the requirements of this section in your contracts).
> I have a further question. Some of the properties are free and public, and we do not have a contract. How will this impact your suggestion?
Answer: Without a contract you will not have any support to enforce that those responsible for the properties implement the security controls you require, and you will be at risk of legal action for modifying the facilities to implement the controls yourself without authorization.