Shared Office Space: An ISO 27001 Approach

For a variety of commercial and operation reasons, office space can be shared between more than one organisation. This is particularly prominent in the tech start up culture, where ideas can be shared.

However, when operating an Information Security Management System to the Requirements of ISO 27001, a shared office environment needs to be thought through carefully.Here is some guidance that you may find useful:

Risk Assessment
As with any identified risk, the first step should be to assess it using a defined methodology. This will reveal the extent to which the organisation is exposed to risk and consideration can then be given to applying appropriate controls, which might include the following.

Contract/Agreement
A formal, documented agreement should be created to define the obligations of both parties, in particular the need for confidentiality and non-disclosure of information.

ISMS Awareness & Training
As with employees, 3rd parties should be aware of the information security policy and be given training on how to apply the identified controls.

While this may seem controversial, the applied controls will benefit all parties and therefore there should be little resistance.

Monitoring
The agreements and controls should be monitored to ensure that levels of information security are maintain, and identify any additional training or controls needed to improve the ISMS.

Network Separation
In some cases, elements of the network may be shared by both parties, such as broadband or WIFI, however complete network separation should be maintained.

Consider the use of routers, VLANS, domains and completely separate cabling.

Summary
While managing shared workspace is difficult, it isn’t impossible.

Contact Assent for help with ISO 27001 or other standards.

entry140113-113938