ISO 27001 Physical Security Controls When You Have No Office

How to do physical security controls when you have no office

How do you implement ISO 27001 when you have no offices or your staff work remotely? Do the physical security controls still apply?

I get asked this a lot, so let’s explore how you can still certify and how you handle the Annex A controls related to physical security.

In this guide, I will show you exactly how to implement ISO 27001 physical security when you have no office and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

What is ISO 27001?

ISO 27001 is a risk-based management system for information security that results in a certification called ISO 27001 Certification. This certification is usually requested by clients and customers to give them confidence that you are doing the right thing for information security and protecting their data.

What does ISO 27001 say about physical controls?

The standard wants you to identify risks to information security and then to manage those risks. As part of risk management, it provides a list of best-practice controls known to mitigate those risks. These controls are provided as guidance for you to consider.

A subset of these controls relate to physical security.

The nuance of the standard is that the physical security controls relate to what it calls data processing facilities. In basic terms that means a physical location that processes data, which to you and me would mean a data centre or a comms room.

It is possible that these controls could apply to offices or physical locations where people do end user computing but more on that in a moment.

The physical controls for you to consider are:

  • Annex A 7.1, Physical security perimeter: Define and use barriers to protect areas that contain information and assets.
  • Annex A 7.2, Physical entry controls: Ensure only authorised personnel have access to restricted buildings and facilities.
  • Annex A 7.3, Securing offices, rooms and facilities: Design and apply physical security for all internal workspace locations.
  • Annex A 7.4, Physical security monitoring: Continuously monitor premises for unauthorised physical access.
  • Annex A 7.5, Protecting against physical and environmental threats: Mitigate risks from fire, flood, earthquake and civil unrest.
  • Annex A 7.6, Working in secure areas: Implement safety and security measures for personnel in sensitive locations.
  • Annex A 7.7, Clear desk and clear screen: Reduce the risk of unauthorised access to papers and display screens.
  • Annex A 7.8, Equipment siting and protection: Place and protect equipment to minimise risks from environmental hazards.
  • Annex A 7.9, Security of assets off-premises: Secure organisational assets that are used outside of the main facility.
  • Annex A 7.10, Storage media (new in 2022): Manage the full lifecycle of storage media to prevent data leakage.
  • Annex A 7.11, Supporting utilities: Protect against power failures and other utility service outages.
  • Annex A 7.12, Cabling security: Protect power and telecommunications cabling from interception or damage.
  • Annex A 7.13, Equipment maintenance: Maintain equipment correctly to ensure continued availability and integrity.
  • Annex A 7.14, Secure disposal or re-use of equipment: Verify that sensitive data is removed before equipment disposal.

It’s all about scope

So the first question you will ask yourself is what is the scope of the ISO 27001 Certification. The scope is what will go on your certificate and what you will be audited on. If you do not have offices then clearly they cannot be in scope and therefore the controls do not apply to you.

I provide more detailed guidance on scope and setting scope in the blog post ISO 27001 Determining Scope Of The Information Security Management System – Tutorial.

Document that the physical controls do not apply

As stated, controls are provided as guidance and are designed to mitigate risks. Where there is no risk there is no requirement for a control.

The standard wants you to document which controls apply and which controls do not apply to you.

You document this in the ISO 27001 Statement of Applicability (SOA).

In this document you state that the controls do not apply and you put a brief explanation as to why they do not apply.

For physical security controls, where you have no offices and are fully remote, you record the fact that they are ‘out of scope as we are fully remote working with no offices.’

Manage the risk

Recording that the controls do not apply is the minimum and is sufficient to pass an audit, but it is better to also manage the risk. Risk management includes risk acceptance, so it is possible to accept the risk of not having the control.

To do this, every control that does not apply to you, including the physical controls, is added to your risk register.

The lack of control in this context is a risk to you.

It is then risk scored, which will clearly generate a low risk score, and the risk is accepted and documented as being accepted.

For these risks, it is also advisable to record the compensating controls that you have in place: the other controls that you do have that mitigate the risks of remote working and working in public spaces.

These examples are not exhaustive but illustrative and would include, if you have them:

  • 2FA log-on
  • Access via VPN
  • Paperless office
  • Encrypted devices
  • EDM

The benefit of taking this extra step and managing the risk is that it demonstrates you have fully considered both the risks associated with not having a physical location and the risk of not having the controls the guidance provides. At certification audit this will demonstrate to the auditor that you are truly managing risk in a risk-based management system.

You work partially remotely / shared office space

If you rent a shared office space or a managed office space, or have a location where you meet face to face from time to time as an organisation, then the principles here are likely to still apply, depending on your scope. There is more nuance in this hybrid set-up and I will address that in a future blog post.

Step by step guide to ISO 27001 certification with no physical office

Implementing ISO 27001 in a fully remote or “no office” environment requires a shift from physical barriers to robust technical and organisational controls. By following these steps, you can satisfy auditors that your information remains secure even without a traditional data processing facility.

Define and Document the ISMS Scope

Explicitly define the boundaries of your Information Security Management System (ISMS) to reflect your remote-first structure. Since there are no physical offices, your “premises” effectively become the managed endpoints and cloud environments under your control.

  • Provision a formal Statement of Applicability (SoA) that lists all Annex A 7 physical controls as “Not Applicable”.
  • Formalise the justification in your SoA by stating that no physical data processing facilities are owned or operated by the organisation.
  • Update your Risk Register to include the “lack of physical control” as an accepted risk, supported by technical mitigation strategies.

Formalise Remote Working and Device Policies

Establish the rules of engagement for staff accessing sensitive data from uncontrolled environments. This creates the legal and operational framework that replaces the “locked door” of an office.

  • Deploy a comprehensive Remote Working Policy that mandates the use of secure, encrypted home Wi-Fi (WPA3) and prohibits public Wi-Fi usage.
  • Enforce “Clear Desk and Clear Screen” protocols for home offices to prevent unauthorised viewing by family members or visitors.
  • Execute non-disclosure agreements (NDAs) that specifically address the unique risks of working in residential or shared co-working spaces.

Provision Managed Endpoints and Encryption

Since you cannot control the building, you must control the device. Hardening the endpoint ensures that data remains protected regardless of where the hardware is physically located.

  • Provision managed laptops with Full Disk Encryption (FDE) such as BitLocker or FileVault to mitigate the risk of physical theft.
  • Mandate Endpoint Detection and Response (EDR) tools to provide real-time monitoring and automated threat blocking.
  • Revoke administrative privileges on all staff devices to prevent the unauthorised installation of “Shadow IT” or malicious software.

Enforce Identity and Access Management (IAM)

Identity is the new perimeter in a remote-first business. Robust authentication ensures that only verified personnel can access cloud-hosted information assets.

  • Mandate Multi-Factor Authentication (MFA) across all SaaS platforms and cloud infrastructure without exception.
  • Implement Role-Based Access Control (RBAC) to ensure staff only have the “Least Privilege” necessary for their specific job functions.
  • Formalise a Joiners, Movers, and Leavers (JML) process that allows for the immediate remote revocation of all access keys and credentials.

Establish Secure Communication Gateways

Protect data in transit as it moves between remote workers and cloud services. This prevents interception or eavesdropping on insecure local networks.

  • Deploy a corporate VPN or Zero Trust Network Access (ZTNA) gateway for all connections to sensitive internal resources.
  • Provision secure file transfer protocols (SFTP) or encrypted cloud sharing links to replace email attachments for sensitive documents.
  • Execute regular configuration audits of cloud-hosted services to ensure that “Public” access is disabled by default.

Execute Remote Security Awareness Training

The human element is your most critical control. Staff must be trained to recognize threats that specifically target remote workers, such as physical social engineering at their homes.

  • Conduct targeted phishing simulations that mimic remote-work scenarios (e.g., fake IT support calls or delivery notifications).
  • Formalise incident reporting procedures so staff know exactly how to report a lost device or a suspected home-network breach.
  • Verify training completion with time-stamped records to provide auditable evidence of staff competence and security awareness.

ISO 27001 Implementation Strategies for Virtual and Remote-First Businesses

  • Small businesses. Implementation approach: focuses on defining a lean scope that acknowledges remote or hybrid work. Physical security controls are typically documented as “Not Applicable” within the Statement of Applicability (SOA) due to the absence of a permanent physical perimeter. Compensating controls (examples): encrypted devices, paperless office policy, 2FA (Two-Factor Authentication) on all cloud accounts.
  • Tech startups. Implementation approach: prioritises cloud-native infrastructure. Since there is no server room or on-premise hardware, physical security management pivots to endpoint protection and the secure lifecycle of remote hardware assets. Compensating controls (examples): VPN access, MDM (Mobile Device Management) solutions, secure remote asset disposal processes.
  • AI companies. Implementation approach: addresses the security of data processing facilities through virtualised environments. Compliance focuses on securing the end-user computing devices that access sensitive AI models and datasets. Compensating controls (examples): secure coding environments, advanced data encryption (EDM), Identity and Access Management (IAM).

Summary Implementation Steps

  • Define Scope
  • Record that the controls do not apply on your SOA
  • Provide a reason they do not apply
  • Add the control to the risk register
  • Document, manage and accept the risk
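The steps above, from the SOA entry through to the accepted, compensated risk, are what an auditor will cross-check. Below is an added pre-audit consistency check (example code, not part of this post or any toolkit) that flags a Not Applicable Annex A 7 control with no justification, no risk register entry, no formal acceptance, a score above a low threshold, or no compensating controls. The SOA, risk entries, 1-5 scoring scale and the LOW threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample SOA: control id -> (applicable?, justification text)
SOA = {
    "A.7.1": (False, "Out of scope as we are fully remote working with no offices."),
    "A.7.2": (False, "Out of scope as we are fully remote working with no offices."),
    "A.7.7": (True, "Clear desk and clear screen applied to home working."),
    "A.7.9": (True, "All staff devices are off-premises by design."),
    "A.7.14": (False, ""),  # constructed defect: marked N/A with no reason given
}

@dataclass
class Risk:
    """One risk register entry for the absence of a control."""
    control: str
    likelihood: int        # assumed 1-5 scale
    impact: int            # assumed 1-5 scale
    accepted: bool         # formally accepted and documented as such
    compensating: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

# Constructed sample register; A.7.14 is deliberately absent
RISKS = [
    Risk("A.7.1", 1, 2, True, ["FDE", "MFA", "VPN"]),
    Risk("A.7.2", 1, 2, True, []),  # constructed defect: nothing compensating
]

LOW = 5  # assumed threshold: a score at or below this may simply be accepted

def audit_findings(soa=SOA, risks=RISKS):
    """Return a list of findings; an empty list means the records are consistent."""
    by_control = {r.control: r for r in risks}
    findings = []
    for ctrl, (applicable, justification) in soa.items():
        if applicable:
            continue  # applicable controls are audited on their own evidence
        if not justification.strip():
            findings.append(f"{ctrl}: Not Applicable without justification")
        risk = by_control.get(ctrl)
        if risk is None:
            findings.append(f"{ctrl}: no risk register entry for the missing control")
            continue
        if not risk.accepted:
            findings.append(f"{ctrl}: risk not formally accepted")
        if risk.score > LOW:
            findings.append(f"{ctrl}: score {risk.score} is above the accept threshold")
        if not risk.compensating:
            findings.append(f"{ctrl}: no compensating controls recorded")
    return findings
```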

ISO 27001 Physical Security Controls When You Have No Office FAQ

Do I need physical security controls for ISO 27001 if my team is 100% remote?

Yes, you still need to address physical security, but the application shifts from the office to the remote worker’s environment. While you may mark many traditional controls as “Not Applicable,” you must demonstrate oversight of the following:

  • Device Security: Ensuring hardware is physically secured at home (e.g., not left in unlocked vehicles).
  • Visual Privacy: Implementing policies that prevent unauthorised viewing of screens in public or shared spaces.
  • Asset Return: Having a robust process for retrieving physical hardware when a remote employee leaves the company.

Explain ISO 27001 Annex A 7.1 in the context of a virtual company.

Annex A 7.1 (Physical Security Perimeters) for a virtual company defines the “Perimeter” as the boundary of the managed device rather than a building wall. In a “no office” scenario, the audit focus shifts to:

  • The Logical Perimeter: Using Zero Trust Network Access (ZTNA) to gate access to cloud resources.
  • Physical Access to Assets: Restricting who can physically touch company-issued laptops or storage media.
  • Policy-Based Barriers: Using legal agreements and remote-work policies to define the “secure area” where work is permitted.

How do you handle the risk register for remote work physical security?

The risk register must reflect the unique threats of home and public working rather than office-based incidents. You should include entries for:

  • Theft of Assets: Risk of laptop theft from residential properties or co-working spaces.
  • Environmental Hazards: Risks such as house fires or floods affecting the availability of key staff hardware.
  • Unauthorised Access: The risk of family members or visitors accessing sensitive data on an unattended device.

Does ISO 27001 require a physical office for certification?

No, a physical office is not a mandatory requirement for ISO 27001 certification. Organisations can achieve compliance as a fully remote entity by demonstrating that their information security management system (ISMS) effectively protects data regardless of location.

How are audits conducted for companies with no physical location?

ISO 27001 audits for virtual companies are conducted remotely using screen-sharing and digital evidence reviews. The auditor will focus on technical evidence such as configuration logs for VPNs, MFA, and Endpoint protection agents.

About the author

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
