Physical Security and Remote Assessments: Implications Beyond the Coronavirus

Roughly a year has passed since the coronavirus has changed the world and how many of us approach work.  With work from home becoming the norm for the Schellman team and a majority of our clients, we quickly adapted to shifting our ISO certification efforts to a remote audit setting.  While we reminisce the highlights of the past, we do our best to look forward to what the future of work may hold.

While a majority of our certification efforts have transitioned smoothly to a remote setting, there are some nuances related to the ISO certification process that have created at times more questions than straightforward answers.  A part of this has to do with the overnight changes that impacted the world, contrasted with the fact that the ISO 27001 standard is by definition just that, a standard.  As there are standardized controls prescribed by the information security management system standard (ISO 27001), many of our clients have struggled most commonly with questions around how to account for the physical and environmental security requirements of the standard.

As the ISO 27001 standard is intended for implementation by any kind of organization (everything from information technology companies, to law firms, to aerospace companies, and everything in between), the risks faced by an organization from a physical and environmental security standpoint can vary greatly.  The variance becomes even more pronounced when a significant number of the workforce has migrated to a remote business model, with some considering this as a long-term solution for a post-pandemic world.

What Have We Done to Review Physical Security Remotely?

For organizations that in the near-term have made the decision to work remotely while still maintaining control of their physical facilities during our remote ISO audits, we have requested some of the following illustrative evidence artifacts to gain comfort that physical and environmental security controls are in place:

• Master services agreements or lease agreements with the client’s building management company for the in-scope facilities

• Surveillance camera feeds relevant to the in-scope facility

• Badge access logs responsible for monitoring ingress/egress from the in-scope facility

• Visitor logs detailing who visited the facility and when

• Equipment maintenance reports for any supporting utilities in the facility

• Screen lockout configurations for workstations belonging to users relevant to the in-scope facility

• Disposal logs for any physical media relevant to the in-scope facility

• List of authorized keyholders and evidence that the appropriateness of their access is reviewed periodically

• Where local regulations and laws have permitted, along with client availability, performing remote walkthrough of the facility(ies) using a portable device

With all this in mind, there may be challenges with certain types of facilities, i.e. data centers which by design are intended to reduce visibility and remain inconspicuous for the sake of their customers.  Generally, the above items are requested at the outset, and if different workarounds are required we have been able to coordinate with our clients to identify alternative evidence artifacts to satisfy the requirements.

What About A Completely Remote Workforce?

For clients that have made the decision to permanently shutter physical offices and purely maintain a virtual workforce, there are some key considerations that need to be taken into account when pursuing ISO 27001 certification.  While ISO requires at least one physical address to be referenced on the certificate, in situations where there is no physical presence (including situations where a coworking space is utilized instead of a traditional office space), the registered business address can possibly be used to ensure that an address can be referenced on the certificate.  Some points to note when considering this approach include:

• This situation would preclude the review of certain physical and environmental security controls, and as a result, the risk assessment, risk treatment results, and statement of applicability would be reviewed for consistency with the business decision to virtualize the workforce.

• At the time of drafting this article, it is important to clarify that companies with a physical office or presence that merely prefer to not reference a physical location on their certificate do not yet have the luxury of foregoing at minimum one physical office location on the certificate.  At Schellman we are in communication with the relevant accreditation bodies and intend to communicate any relevant updates that our team comes across

What Does This Mean Going Forward?

The ISO 27001 standard has been established with a broad range of organizations in mind.  The coronavirus has changed the way the world approaches work, and it stands to reason that the certification process will similarly adapt to meet these ever-changing circumstances.  Our team at Schellman will continue to work in close coordination with the relevant accreditation bodies to stay abreast of these changing requirements and ensure that any meaningful updates are communicated.  In the meantime, we highly encourage any clients and prospects to reach out should there be any unique challenges or questions that come to a head during the discovery phase of your certification efforts.

About the Author

Alex Hsiung is a Manager with Schellman & Company, LLC based in Los Angeles, CA. Prior to joining Schellman & Company, LLC in 2015, Alex worked as an Associate at KPMG, specializing in Sarbanes-Oxley compliance audits and IT advisory engagements. Alex has more than 8 years of experience comprised of serving clients in various industries, including information technology, aerospace, and financial services. Alex is now dedicated to the International Standards Organization (ISO) team for organizations across various industries.

More Content by Alex Hsiung