ISO 27001, the information security management system standard, is built like any other ISO standard: it is structured around the same 10 clauses. These clauses follow the high-level structure common to all ISO management system standards, and as a result these standards all share similar principles.
However, ISO 27001 goes into further detail about the controls an organisation should implement in order to strengthen its information security environment and to perform the risk management needed to mitigate information security risks. There are 93 such controls in total, and they are all gathered in what is known as Annex A.
When a company that handles sensitive data, such as a gaming company, a financial institution or a data warehouse, is looking at offices to rent, it needs a place that is highly suitable from an information security perspective.
- One of the things that must be covered is access control. Access control concerns how easily a person can gain physical access to the offices. If, for instance, Company XYZ is renting office space in a building shared with other companies, what access do the other occupants of the building have to the space rented by Company XYZ? Is there a secure door for every office within the building, or is there a shared open plan that all occupants can use to move freely from one office to another?
- An additional detail which must not be overlooked is the manner of gaining access to the offices – is Company XYZ generating its own key cards for access, or is there a physical key which a person can use to gain entry to the offices?
And what about the landlord? The landlord might ask for the right to visit the offices freely at any given time. However, if Company XYZ deals with sensitive information, it is crucial that the signed agreement contain clauses stating that under no circumstances can a third party have free and unsupervised access to the offices. With such a clause in place, the landlord would need permission and supervision to access the offices of Company XYZ for as long as the company is renting them.
- An additional point to keep in mind with regard to ISO 27001 when renting an office is to understand the infrastructure, the wiring and the server rooms. It is crucial to know who has access to all of these. Is there CCTV recording the server rooms? Is there a fire suppression system in place to protect these rooms? Is the server room well ventilated and kept at a cool temperature? These precautions must not be overlooked. There might be a single server room for all the companies sharing the building. If someone from another company enters the server room where your server is located, will they automatically have unrestricted access to your server, or will your server have additional layers of security to restrict access?
- Equipment maintenance is the next thing to look out for. One of the requirements for ISO 27001 certification is to have a maintenance plan for all equipment used within the organisation that relates to the preservation of information. For most companies, such a maintenance plan generally covers software updates and equipment updates for all equipment the company owns within the offices.
However, certain equipment, such as fire extinguishers, fire suppression systems and shared air conditioners, is owned and maintained by the landlord. In that case, it is important to confirm with the landlord that this is indeed the case and to have it stated in the rental agreement.
- And what about disaster recovery? Remember that disaster recovery is the organisation’s ability to get back on track after a disaster strikes; it is focused solely on getting the IT infrastructure back in shape. If Company XYZ will be renting space with shared offices, it is important to consider the safety measures and precautions taken for emergency situations. What will happen if the power goes out? Will a power generator kick in? Are fire drills carried out, and if so, how often?