Can a Remote Team Maintain ISO 27001 Compliance?
Yes. ISO 27001 has no requirement that anyone work from a physical office. What changes for a remote team is which controls carry the most weight, not whether certification is possible.
A remote team can get ISO 27001 certified, and can stay certified through every surveillance audit, with no office at all. Nothing in the standard requires one. What actually changes for a distributed team is which controls end up carrying the most weight, not whether certification is on the table.
That distinction gets lost because ISO 27001's Annex A includes a physical theme, badge readers, visitor logs, clean-desk rules, the language of a building with a front door. It is easy to read that and assume the standard was written for a single office everyone commutes to. It was not. Annex A's physical controls were written to apply "where relevant," and for a company with no office, most of them are not. The standard was never actually written assuming one controlled environment; it was written to be selected and justified per company, which is exactly what the Statement of Applicability is for.
Does ISO 27001 require a physical office?
No. Nothing in ISO/IEC 27001:2022 makes a physical premises a precondition for certification. The Statement of Applicability, the document that records which of the 93 Annex A controls apply to your company and why, exists precisely because not every control applies to every company. A remote-first company can mark most physical-security controls as not applicable, explain that the company has no office to secure, and that is a legitimate, auditable position rather than a workaround.
Auditors are used to this. Remote and distributed companies get certified regularly, and Stage 2 audits, the on-site-or-remote review of whether the ISMS is actually operating, are routinely conducted over video call rather than in person. The certification cycle itself, covered in more depth on the ISO 27001 framework page, does not have a remote-team variant. It is the same two stages, the same three-year certificate, the same annual surveillance audits, whether the company has a headquarters or has never had one.
What actually changes for a remote team's ISMS?
The scope of the ISMS and the emphasis inside it, not the requirements. Two control areas end up doing more work than they would for an office-based company, because they are covering for something a physical perimeter used to handle by default.
Device management and endpoint security become more central, because company data now lives on whatever network each person's laptop happens to be connected to, home routers, coffee shop wifi, a co-working space nobody vetted. An office network is one thing to secure. A dozen home networks the company does not control and never will are a different problem, and Annex A's technological controls, disk encryption, endpoint detection, patch management, secure configuration, have to actually be enforced on every device rather than assumed because the device never leaves a building the company controls.
Access control and identity management carry more of the burden for the same reason. In an office, a locked door and a receptionist quietly did part of the job of deciding who could reach a workstation at all. Remote, that job moves entirely onto identity: single sign-on, multi-factor authentication, role-based permissions, deprovisioning that actually happens the day someone leaves rather than whenever someone remembers. None of this is a new Annex A control invented for remote teams. It is the same access-control theme that already exists in the standard, just carrying more of the actual risk because there is no other layer behind it.
Does remote work make evidence collection harder?
In one specific way, it can actually be easier, if it is set up deliberately. The theme that runs through all of ISO 27001, and through the framework page's honest description of the hard part, is that the ISMS has to keep operating and keep producing evidence continuously, not just look complete on the day of the audit. Surveillance audits exist specifically to catch a management system that stopped being followed after certification.
Remote teams tend to already run more of their actual work through systems that log what happened: cloud infrastructure with its own audit trail, SaaS tools with activity logs, ticketing systems that record who did what and when. An office-based team can get by on tacit, undocumented process, walking over to someone's desk, a decision made in a hallway, because presence substitutes for a record. A distributed team mostly cannot; if it did not happen in a system, it is hard to prove it happened at all. That habit, work happening in trackable digital tools rather than informal in-person exchange, can generate a meaningful share of ISO 27001 evidence as a byproduct of how the team already operates, provided the logging and retention are configured with the audit in mind rather than left to whatever each tool does by default. Left informal, the same distributed work produces nothing usable, which is the gap the ISO 27001 compliance checklist walks through control by control.
Where do remote teams commonly get this wrong?
The mistake is not skipping controls. It is drawing the wrong conclusion from "we have no office." The reasoning usually goes: no office means no physical perimeter, no physical perimeter means there is nothing really to secure on that front, so the physical theme gets marked out of scope and nobody asks what replaced it. That last step is the error. The perimeter did not disappear. It moved, from a building to an identity and a device, and it still needs to be secured with the same seriousness a locked door used to provide implicitly.
Marking physical controls not applicable in the Statement of Applicability is correct and defensible. Treating that as license to under-invest in the controls that took over the perimeter's job, endpoint management, identity, session and access controls, is not the same decision, and it is the one that shows up as a finding in Stage 2 or in a surveillance audit two years in. The Statement of Applicability is supposed to be a system that reflects how the company actually works, not a form that gets filled out once to make a section of Annex A go away.
Frequently asked questions
Can a fully remote company get ISO 27001 certified? Yes. Certification scope is defined by the company applying, not by whether it has a physical office. Auditors certify organizations with no office at all, and the standard itself was written to account for varied work environments rather than assuming a single controlled building.
Does ISO 27001 require physical office controls? Annex A includes a physical theme, badge access, visitor logs, clean-desk practice, and so on, but those controls only apply where relevant. A Statement of Applicability can mark most physical controls out of scope for a distributed team and justify why, which is a normal, defensible position, not a shortcut.
What matters most for ISO 27001 in a remote team? Device management and access control carry more of the weight than they would in an office-based company. Endpoint security has to cover devices on networks the company does not control, and identity and access management has to do the job a locked office door used to do implicitly.
Does remote work make ISO 27001 evidence collection harder? Not necessarily, and in one specific way it can be easier. Remote teams tend to run more of their actual work through trackable digital systems, cloud infrastructure, SaaS tools, ticketing, which can generate audit evidence as a byproduct if that collection is set up deliberately from the start.
What is the most common mistake remote teams make with ISO 27001? Treating the absence of a physical office as a reason to under-scope the ISMS, rather than redesigning the perimeter around identity and device management. "We are remote so there is no real perimeter" is the wrong conclusion. The right one is that the perimeter moved.
Is the ISO 27001 audit process different for a remote or distributed company? No. The two-stage certification process, the Statement of Applicability, the risk assessment, and the annual surveillance audits are the same regardless of where the team works. Auditors routinely conduct Stage 2 audits remotely and evaluate distributed teams against the same standard.
Last reviewed: July 12, 2026.
Where Scadable fits
Scadable builds the ISMS around how a team actually works, remote-first or hybrid, instead of assuming an office-perimeter model that has not matched reality for years. That means the Statement of Applicability reflects the real scope, and the controls that actually carry the weight for a distributed team, device management, identity and access control, get built as real infrastructure rather than a paragraph in a policy nobody enforces. The continuous evidence collection every surveillance audit depends on is exactly the kind of infrastructure work Scadable implements and maintains, rather than leaving it as a manual habit someone has to remember. Book a call to see what that looks like for your team.
