How do you implement ISO 27001 when you have no offices or your staff work remotely? Do the physical security controls still apply?
I get asked this a lot, so let’s explore how you can still certify and how you handle the Annex A controls related to physical security.
What is ISO 27001?
ISO 27001 is a risk-based management system for information security that results in a certification called ISO 27001 Certification. This certification is usually requested by clients and customers to give them confidence that you are doing the right thing for information security and protecting their data.
What does ISO 27001 say about physical controls?
The standard wants you to identify risks to information security and then to manage those risks. As part of risk management it provides a list of controls that are recognised as best practice for mitigating those risks. These controls are provided as guidance for you to consider.
A subset of these controls relate to physical security.
The nuance of the standard is that the physical security controls relate to what it calls information processing facilities, which in basic terms means a physical location that processes data and, to you and me, would mean a data centre or a comms room.
It is possible that these controls could apply to offices or physical locations where people do end user computing but more on that in a moment.
The physical controls for you to consider are:
ISO 27001 Annex A 7.1 Physical security perimeter
ISO 27001 Annex A 7.2 Physical entry controls
ISO 27001 Annex A 7.3 Securing offices, rooms and facilities
ISO 27001 Annex A 7.4 Physical security monitoring
ISO 27001 Annex A 7.5 Protecting against physical and environmental threats
ISO 27001 Annex A 7.6 Working in secure areas
ISO 27001 Annex A 7.7 Clear desk and clear screen
ISO 27001 Annex A 7.8 Equipment siting and protection
ISO 27001 Annex A 7.9 Security of assets off-premises
ISO 27001 Annex A 7.10 Storage media – new
ISO 27001 Annex A 7.11 Supporting utilities
ISO 27001 Annex A 7.12 Cabling security
ISO 27001 Annex A 7.13 Equipment maintenance
ISO 27001 Annex A 7.14 Secure disposal or re-use of equipment
It’s all about scope
So the first question you will ask yourself is: what is the scope of the ISO 27001 Certification? The scope is what will go on your certificate and what you will be audited on. If you do not have offices then clearly they cannot be in scope, and therefore the controls do not apply to you.
I provide more detailed guidance on scope and setting scope in the blog ISO 27001 Determining Scope Of The Information Security Management System – Tutorial.
Document that the physical controls do not apply
As stated, controls are provided as guidance and are designed to mitigate risks. Where there is no risk there is no requirement for a control.
The standard wants you to document which controls apply and which controls do not apply to you.
You document this in the ISO 27001 Statement of Applicability (SOA).
In this document you state that the controls do not apply and you put a brief explanation as to why they do not apply.
For physical security controls, where you have no offices and are fully remote, you record the fact that they are ‘out of scope as we are fully remote working with no offices.’
Manage the risk
Recording that the controls do not apply is the minimum and is sufficient to pass an audit, but it is better to also manage the risk. Risk management includes risk acceptance, so it is possible to accept the risk of not having the control.
To do this, every control that does not apply to you, including the physical controls, is added to your risk register.
The lack of the control in this context is a risk to you.
It will be risk scored, which will clearly generate a low risk score, and the risk will be accepted and documented as being accepted.
For these risks it is also advisable to record the compensating controls that you have in place: the other controls that you do have that mitigate the risks of remote working and working in public spaces.
These examples are not exhaustive but illustrative and would include, if you have them:
- 2FA (two-factor authentication) log-on
- Access via VPN
- Paperless office
- Encrypted devices
- EDM
The benefit of taking this extra step and managing the risk is that it demonstrates you have fully considered both the risks associated with not having a physical location and the risk of not having the controls the standard provides as guidance. At certification audit this will demonstrate to the auditor that you are truly managing risk in a risk-based management system.
You work partially remotely / shared office space
If you rent a shared office space or a managed office space, or have a location where you meet face to face from time to time as an organisation, then the principles here are likely to still apply, depending on your scope. There is more nuance in this hybrid set-up and I will address that in a future blog post.
For now we have considered how to implement ISO 27001 when you have no physical locations, specifically in relation to the physical security controls. The following is a summary of the steps.
Summary Implementation Steps
- Define Scope
- Record that the controls do not apply on your SOA
- Provide a reason they do not apply
- Add the control to the risk register
- Document, manage and accept the risk