Expert Advice Community

Question about Annex A and SOA

Guest user. Created: Mar 29, 2023. Last commented: Mar 29, 2023

I am now working on the SOA document and am looking at Annex A chapter 7. We do not have a physical office or building and are working remotely. Does that mean that Annex A 7.1, 7.2, 7.3, 7.4 and 7.5 are not applicable to us, but are covered in a contract with the datacenter instead?


Expert: Rhand Leal, Mar 29, 2023

First, you should evaluate the risks related to physical security in remote sites (i.e., where your personnel work) and the legal requirements (e.g., laws, regulations, and contracts) your organization must fulfill, in order to determine whether the stated controls are needed or not.

For example, if your personnel work remotely from coworking spaces, it may be relevant that they follow some guidance regarding securing offices, rooms, and facilities (control A.7.3). Additionally, you may have a contract with a customer that requires you to protect the information in remote sites. In most cases, such guidance is defined in Remote Working Policies or is included as clauses in employment contracts.

In case there are no relevant risks or applicable legal requirements, you do not need to implement such controls regarding remote employees.

Regarding outsourced data centers, the same logic applies when defining service agreements with suppliers.

For further information, see:
