I'm writing to ask about the requirement for a remote-only organization to own an office space in order to become ISO-27001 certified. The question has been partially answered here: https://community.advisera.com/topic/certification-of-remote-companies/
The answer explicitly states that we should ask our CB, which we have done, but since they are not allowed to provide advice beyond what is necessary for the audit (to avoid a conflict of interest, I assume), I was wondering if you could provide some additional guidance on this. Namely, whether the location to be audited has to comply with some minimum requirements in terms of size, amenities, equipment and others.
1 - Would it be acceptable to rent a bare office where no actual work happens? Wouldn't that mean that risks at the office location are being minimized or eliminated altogether and that the security control A.11 (physical and environmental security) becomes non-applicable?
2 - How does that compare to a rented room or desk in a co-working space?
I understand that the answer may depend on the CB and/or the kind of business being audited, but some generic advice would already be helpful for us to know our options on this matte