Question about Annex A and SOA
I am now working on the SOA document and am looking at Annex A chapter 7. We do not have a physical office/building and are working remotely. Does that mean that Annex A 7.1, 7.2, 7.3, 7.4 and 7.5 are not applicable to us, but are mentioned in a contract with the datacenter instead?
First, you should evaluate the risks related to physical security in remote sites (i.e., where your personnel work) and the legal requirements (e.g., laws, regulations, and contracts) your organization must fulfill, to evaluate whether the stated controls are needed or not.
For example, if your personnel work remotely from coworking spaces, it may be relevant that they follow some guidance regarding securing offices, rooms, and facilities (control A.7.3). Additionally, you may have a contract with a customer that requires you to protect the information in remote sites. In most cases, such guidance is defined in Remote Working Policies or is included as clauses in employment contracts.
In case there are no relevant risks or applicable legal requirements, you do not need to implement such controls regarding remote employees.
Regarding outsourced data centers, the same logic applies when defining service agreements with suppliers.
For further information, see:
- How to Use ISO 27001 To Secure Data When Working Remotely https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/
Mar 29, 2023