Do you need a physical office in order to ISO/IEC 27001 certification?

No.

The standard was written to support organisations of all sizes, all types and in all sectors. And as it is increasingly normal for organisations to be largely or entirely home-based, accessing temporary office-space if, as and when, necessary, so it has become increasingly normal for certification bodies to understand how to carry out a certification audit of such an organisation.

In practical terms, the main body of the standard (clauses 4 through 10) work for organisations in any environment. Clause 4 specifically requires that the organisation identify its business (plus regulatory and contractual) context, and this would include that the organisation operates in a virtual rather than physical environment. The Statement of Applicability would therefore identify that physical controls are mostly not required but that all the controls dealing with confidentiality, integrity and availability should be applied so as to allow for the organisation’s cyber space existence. In addition, and if appropriate, additional controls could be selected from ISO/IEC 27017 (Information security in the Cloud), ISO/IEC 27018 (PII Security in the Cloud), or ISO/IEC 27032 (Cybersecurity).  Any organisation that complies with ISO/IEC 27001 and, additionally, complies with one or more of these Cloud-related standards, will have those standards identified in their compliance certificate.

The reason we know all this is that we pioneered the delivery of consultancy support to virtual organisations and have therefore worked with certification bodies to ensure they are able to complete their independent audits.

And, of course, we have also pioneered remote working; we’ve proven, over many years and across many continents, that our clients do not need a consultant to physically attend a premises in order to provide consultancy support. We’ve helped clients of all sizes, and across most sectors, achieve ISO 27001 certification without once having a consultant physically attend site.

And all that experience has prepared us for exactly the circumstance in which we all now find ourselves: remote consultancy supporting virtual organisations operating in agile and imaginative ways to meet client needs.