ISO 27001 for Remote Work – Changes and Updates for Certification

ISO 27001 for Remote Work – Changes and Updates for Certification

Over the past two years, many businesses have moved to a hybrid or fully remote environment. While this has become a necessity for many, there are security risks to consider with taking a business remote. Organizations may lack visibility into the security of home networks and must be extra cautious with Bring-Your-Own-Device (BYOD) practices, which are just two examples of areas that require increased security needs.

It’s no wonder that information security is top of mind for many leaders at organizations that have shifted to remote work. As such, it’s more important than ever to ensure you have an ISO 27001 certification that confirms your information security management practices are up to snuff and your company is able to protect important information and data.

If you already received an ISO/IEC 27001:2013 certification, but recently made changes to the physical environment in which employees work, you may be wondering if you need to update that certification. The short answer? Yes.

Below, we’re answering some commonly asked questions about this process.

If My Organization Has Gone Remote, Do I Need a New ISO 27001 certificate?

Yes. Organizations that switched to a remote work environment need to update ISO 27001 certificates to reflect any locations or operations that are new or no longer relevant to their business.

How Do I Go About Getting an Updated Certification?

At A-LIGN (an accredited ISO 27001 certification body), we’ve made this process as simple as possible. If your organization has recently gone remote, you’ll need to submit an updated  application letter to our team. This letter should outline the scope and all locations relevant to your business and the relevant activities performed at each of those locations.

We will then review the updated application letter and confirm that all activities listed are still within the scope of your certification. The experts at A-LIGN will look for any relevant changes to your business and confirm if any of your operations — for example, products or software developed — have shifted. We’ll review and confirm any physical environment changes as well.

Pro tip: Even if you are classified as a fully remote company you will still need an address on file to identify your company moving forward. A P.O. Box is fine for this identifier.

What If I’ve Switched to a Hybrid Environment, But Haven’t Gone Fully Remote?

Although we’re specifically talking about companies that have gone, or are planning to go, fully remote, this process also applies for businesses who have undergone headcount changes, switched to a hybrid environment, or added or removed certain office locations. This is also relevant for companies who have updated the location of their headquarters — something we’ve seen many organizations do during the COVID-19 pandemic as leases have expired and less expensive cities beckon.

Will the Audit Process Change for My Remote Company?

The ISO 27001 certification process itself will look a bit different for remote companies. Typically, audits include a physical walkthrough of relevant locations, where auditors can assess the operations in-person. This obviously hasn’t been easy to achieve throughout the pandemic; in fact, our experts conducted audits remotely to protect the safety and well-being of our employees and yours.

Regardless of how the audit takes place, remote businesses are still beholden to all of the control domains within the ISO  27001 standard. Many remote customers have asked us about Annex A.11, specifically. Some of the controls within this section reference the physical and environmental security of a business, with a goal to prevent unauthorized access or damage to information processing facilities (think: physical security perimeters around buildings and data centers, entry controls, access credentials, etc.). While those specific controls won’t be relevant for a fully remote business, Annex A.11 at large will still be part of the audit process. Remote businesses are still beholden to all other controls listed within this Annex, such as equipment maintenance and protection.

Receive an ISO 27001 Certification for Your Remote Business with A-LIGN

A-LIGN is an experienced certification body that has helped many organizations update their ISO 27001 certificate to reflect remote and hybrid work environments during this ongoing global pandemic. Our goal is to help you ensure that the integrity of your Information Security Management System remains intact, regardless of where your employees choose to work.