left-svg
Bonus expert support worth $500
with the ISO 27001 Documentation Toolkit
Limited-time offer – ends June 30, 2022.
right-svg

Expert Advice Community

Guest

Inquiry about the following ISO27001 controls

  Quote
Guest
Guest user Created:   May 26, 2022 Last commented:   May 26, 2022

Inquiry about the following ISO27001 controls

Background: No of employees: ~ *** employees Scope for ISO certification (*** sites): Site A: 5 employees, CxO, few tech people, with Physical office shared with *** parent company Site B: ~ 35 employees, Operations (Developers, cybersecurity, Cloud support) , no physical office (***). Working environment: 80% of the time site 1 personnel are working remotely, while site 2 employees are 100% working remotely. Can you please provide some guidelines on the following scenarios? 1.            Physical office security for site 1: Given the scenario above, is it possible to treat the site 1 office as out-of-scope? The existing security controls of the office does not fully conform with the standard and our personnel cannot make major change in the office security since they are only sitting with our Parent company’s office. In terms of risk associated with the physical security, we assess that it is minimal since most of the time, our personnel are working remotely (80% of the time) anyway. The security will be enhanced on the personnel itself (awareness), their system accesses (policy, access rights and reviews, the likes), and in their user laptops (endpoint security such as anti-malware, DLP agent). 2.            In site 2, our HR, Recruitment, and IT (laptop, user peripherals, purchasing of these equipment) service are provided by our Parent company (shared among some of its subsidiary companies). Are they still considered as supplier of the services and will be required by the standard to comply with the applicable 3rd party controls (NDA, contracts, etc.)? We do not have such contract established with our parent company. The personnel of the aforementioned teams only access “internal” classified data such as employee info, payroll, and the likes.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal May 26, 2022

1. Physical office security for site 1:

Given the scenario above, is it possible to treat the site 1 office as out-of-scope? The existing security controls of the office does not fully conform with the standard and our personnel cannot make major change in the office security since they are only sitting with our Parent company’s office. In terms of risk associated with the physical security, we assess that it is minimal since most of the time, our personnel are working remotely (80% of the time) anyway. The security will be enhanced on the personnel itself (awareness), their system accesses (policy, access rights and reviews, the likes), and in their user laptops (endpoint security such as anti-malware, DLP agent).

If the site 1 office does not contain highly sensitive information, and if the people from this site have only restricted access to offices within the scope, then you can exclude office 1 from the scope.

For further information, see:

2. In site 2, our HR, Recruitment, and IT (laptop, user peripherals, purchasing of these equipment) service are provided by our Parent company (shared among some of its subsidiary companies). Are they still considered as supplier of the services and will be required by the standard to comply with the applicable 3rd party controls (NDA, contracts, etc.)? We do not have such contract established with our parent company. The personnel of the aforementioned teams only access “internal” classified data such as employee info, payroll, and the likes

In case the parent company acts as a service supplier accessing information your ISMS needs to protect (i.e., information included in the ISMS scope), then you need to treat this parent company as a supplier, and controls applicable to suppliers need to be applied, but please note that in this case, the agreements signed with such "suppliers" do not need to be fully formal (i.e., instead of full formal contracts you can use something like internal memos).

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

May 26, 2022

May 26, 2022