Is a Physical Security Audit Still Required for ISO 27001?

The international standard ISO 27001 provides the requirements for an Information Security Management System (ISMS), which covers a broad range of controls including I.T Operations, Human Resources, Supplier Relationships, Compliance and Physical Security.

As organisations adapt in an effort to protect themselves from disruptions, such as those caused by COVID-19, many have implemented more cloud-based systems and moved away from the need to physically process data in a single place of work.  

The need to store or process data at a physical premises may never return for some, but how then do organisations and ISO Certification Bodies address the Physical Security controls in A11 of the standard?

Do you Operate a Physical Premises?

If you operate a physical premises where staff perform their duties, whether it’s an Office, a Warehouse or Other Facility, it’s likely that the A11 Physical Security controls WILL apply to you.

The controls in Annex A of the standard are there to help you manage information security risks, and if you choose to exclude controls that do add benefit to your organisation, it could undermine your entire ISMS.

You will also need a ‘serviceable address’ to register on your ISO Certificate and if that is not an operational site that has been externally audited as part of the Certification Process, it will need to be clearly stated in the scope.

However, some organisations are particularly suited to operating a remote workforce with no reliance on a physical premises, and where this is the case, the controls from A11 can be justifiably excluded, negating the need for an on-site Physical Audit.

More: Can I Achieve ISO 27001 Certification in a Co-Working Space?

Have you Implemented Controls for Remote Workers?

If your organisation does not operate within the secure boundaries of its own premises, it becomes even more important to fully assess the risks presented by staff working remotely, whether from their homes or another place.

Remote worker risks can be significant, particularly when staff are processing personal information, taking customer support calls or handling other data.

The same physical security risks that are present in a workplace can also occur at home.  For example: control of printed information, hand written notes, being over heard or over looked while working on a sensitive issue.

In addition, not only are those risks multiplied many times over as employees each work from a different location, but the organisation’s ability to monitor the effectiveness of security controls is reduced.   

In the absence of a controlled workplace, ISO Certification Auditors may put more emphasis on testing the organisation’s remote working policies, and will seek objective evidence that the erisks are controlled.

Preparing for an ISO 27001 Remote Audit

It will be for your organisation to decide if the benefits of home and flexible working outweigh the risks, but proividing there is a structured and repeatable risk management process in place, it does not necessarily provide a barrier to ISO 27001 Certification.

Find out more about how Assent’s consultants can help you implement ISO 27001 Remotely and how a remote ISO Certification Audit would work.

We’ve also thought about what makes a great remote ISO Consultancy Session.

Our team are ready to help you build an effective ISMS and support you through the ISO Certification Process.

Contact Us!
Robert Clements
Robert Clements
Articles: 290