If there's any followup then Grant and I can take it off-thread, but for clarity:

On 27 December 2017 at 21:50, Grant Taylor via TUHS <tuhs@minnie.tuhs.org> wrote:

now reflected in companies explaining to ISO27001 auditors that "well, we don't actually possess any physical servers..."

Okay. How does (the lack of) physical servers actually impact ISO 27001 compliance? - From my read of the Wikipedia article I don't see how (the lack of) physical on premise servers changes anything.

There is none; but the preconceptions which are exposed when <crusty old auditor or consultant> meets his/her first <tiny agile startup suddenly needing certification in order to meet $govt_sales_requirement> - are hilarious to experience.

Q: "Where are the servers?"

A: "Well, that depends..."

...etc.

-a

http://dropsafe.crypticide.com/aboutalecm