However, since gaining this a few months ago we are now looking at expanding and opening up some additional rented office space in another location. I believe this may affect A.11 in the statement of applicability? I am wondering if I need to notify our certification body (if and when it happens) and we may have to update our SOA or if we can wait until our next scheduled surveillance audit in 9 months time?
Answer: This new office will indeed affect your ISMS, and maybe not only controls of section A.11, and the best way to understand its impacts, and what must be adjusted in your SOA, is by performing a risk assessment considering how this new office will be related to the ISMS scope (e.g., this new office will be included in the scope, or it will be considered an new interface). For more information, please see this article:
- How to define the ISMS scope https://advisera.com/27001academy/01academy/knowledgebase/how-to-define-the-isms-scope/
Regarding the certification body, you have to notify them as soon as possible about your intentions, so they can evaluate if changes should be performed in the surveillance audit schedule.