We have a small office and rent a room in the middle of our office to one of our primary supliers. They have access to all other areas of the office. Is this problematic for ISO 27001 Certification? In the scope when discussing physical location - do I just exclude that room from the scope and make sure we have an NDA in place with them?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Unless both companies are part of the same group of companies (i.e., they have a common parent company), this supplier needs to be out of the scope, as well as its physical space (then your assumption is correct in excluding its room from your ISMS scope). This kind of exclusion should not create problems at the certification if you implement proper controls to separate the supplier from your company.
However, please note that only an NDA may not be sufficient to provide the required separation (e.g., you may have contracts with customers explicitly defining that only your employees can have access to their information, which is not prevented by an NDA with this supplier).
There are two major activities for you to find out which controls are needed: (1) risk assessment & treatment, and (2) identification of interested parties. When assessing the risks of having a third party in the same physical space, you will identify which controls to use to treat those risks - learn more here: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
According to ISO 27001 clause 4.2 (Understanding the needs and expectations of interested parties) you need first identify requirements of relevant interested parties (e.g., customers, suppliers, partners, government, etc.) that can impact information security. Such requirements may include legal and regulatory requirements and contractual obligations. Once you have identified these, you will be able to identify what you need to implement to provide proper separation and the effort necessary to fulfill these requirements (e.g., maybe moving the supplier to another room maybe be cheaper than implementing separation in its current location).
These articles will provide you a further explanation about scope definition and controls selection:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding scope definition and risk management:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Comment as guest or Sign in
Apr 15, 2021