However, when operating an Information Security Management System to the requirements of ISO 27001, a shared office environment needs to be thought through carefully. Here is some guidance that you may find useful:
As with any identified risk, the first step should be to assess it using a defined methodology. This will reveal the extent to which the organisation is exposed, and consideration can then be given to applying appropriate controls, which might include the following.
A formal, documented agreement should be created to define the obligations of both parties, in particular the need for confidentiality and non-disclosure of information.
ISMS Awareness & Training
As with employees, 3rd parties should be aware of the information security policy and be given training on how to apply the identified controls.
While this may seem controversial, the applied controls will benefit all parties and therefore there should be little resistance.
The agreements and controls should be monitored to ensure that levels of information security are maintained, and to identify any additional training or controls needed to improve the ISMS.
In some cases, elements of the network may be shared by both parties, such as broadband or Wi-Fi. Even so, complete network separation between the parties should be maintained.
Consider the use of separate routers, VLANs, domains and, where possible, completely separate cabling.
While managing shared workspace is difficult, it isn’t impossible.