Although many computing activities are now handled in the cloud by a service provider, the Physical Security of information is still an important part of ISO 27001, the international standard for information security.
The Confidentiality, Integrity and Availability of data can all be impacted by the physical space your team operates from, whether that’s a dedicated facility, shared office space or flexible mobile working.
As part of the ISO 27001 Implementation process you will have risk assessed the threats to your physical environment using controls from Annex A of the standard, and this will have been audited by your chosen Certification Body.
So how does moving office affect your ISO 27001 Certificate?
Scope of your ISO 27001 Certification
Your ISO 27001 Certification is based on your management system’s scope, which includes the activities of your organisation, the technology you use, the number/roles of staff and the locations you operate from.
The certification scope can be limited to particular areas of your organisation. Find out more in our blog: How Much Does ISO 27001 Certification Cost?
The addresses of the locations covered by your ISO Certification will be listed on your certificate. This is confirmation that they have been audited by the Certification Body.
Often, customers use the content of the certificate to ensure that your Information Security Management System (ISMS) adequately covers their information assets that you handle.
Of course, when moving offices the address will no longer match the certificate, and the Certification Body will not have had an opportunity to impartially audit the new location.
This doesn’t mean that your new office is any less secure. If you are operating an effective ISMS, the move itself and any threats at the new office will already have been addressed.
Securely Managing your Office Move
Not all office moves are the same. You could be moving to a different room within the same building, which is often the case when using a co-working space, for example.
Alternatively you might be moving to a completely different building where you have much greater control over how the building operates.
Don’t forget that the move itself presents risks that should be managed.
Annex A of the standard provides control A6.1.5 Information Security in Project Management. If you feel your office move meets the criteria of a project then it’s important to produce documentation that demonstrates risks have been managed.
Otherwise, you should still consider the risks from any other changes that could affect your organisation.
Risks to consider might include:
- Physical transport of equipment and assets.
- Installation & change-over of Internet connectivity.
- Screening of contractors and trades.
- Physical security of assets while they remain at the old building.
Physical Security Controls at your New Office
Moving into a new office presents a unique opportunity to build the information security controls you require from the start.
To determine which controls are needed, you should update your risk assessment, considering the information assets you store and process.
Annex A provides a whole subsection, A11, dedicated to physical security.
You might also consider:
- An access control system (Cards, Fobs, etc).
- Reception areas.
- Visitor and meeting room management.
- Screening new suppliers or contractors who may service the site.
Certification Body Audit of your New Office
It’s likely that where your address has changed, your certification body will require additional audit time to attend the site and assess relevant controls.
However, if you are moving within the same building, for example in a co-working space, you may be able to agree that this is covered as part of a surveillance or recertification audit.
We would advise contacting your Certification Body to discuss the move before it takes place, to ensure that if any additional audit time is needed it can be booked in advance.
Additional audit time will only focus on the changes to your management system, which will include the risk assessment and physical controls. You will usually receive an audit report as normal, and after this a new certificate will be issued.