Hi Dejan, I wondered if you might be able to answer a query on ISO27001 in conjunction with the IR35 legislation that is a hot topic for contractors at the moment. I have concerns that imposing ISO27001 training and asking contractors to adhere to our rules (using a company-controlled laptop rather than their business laptop, for example) will go towards the contractors looking like a "disguised employee". Have you come across this issue before?
I’m assuming you are referring to the UK legislation to combat tax avoidance by workers, and the firms hiring them.
We are not legal experts, so you should seek local expert advice for a more definitive answer, but provided the contractors only need to follow rules related to information security applicable to all contractors (whether they are a personal services company or not), and do not need to follow other rules applied to your own employees (e.g., defined working hours), you may be able to classify them as not employees.
Some conditions you should consider to evaluate IR35 applicability are:
Control: what degree of control does the client have over what, how, when, and where the worker completes the work? (The less control the client has, the less applicable IR35 is.)
Substitution: is personal service by the worker required, or can the worker send a substitute in their place? (If substitution is possible, IR35 is less applicable.)