
The ISO 27001 & ISO 22301 Blog

How to apply information security controls in teleworking according to ISO 27001

Allowing employees to work away from the office, i.e., outside of the physical premises of the organization (otherwise known as “teleworking”) is becoming a common practice in the way to do business today. The ability to work remotely is seen as both a source of incentive for an employee’s productivity and cost savings for organizations, not to mention the possibility for the organization to reach the right professional it wants in any part of the world.

But, this scenario of information outside the direct control of the organization also poses significant risks to information security that should be handled properly. In this article, you will see the potential risks of teleworking and how ISO 27001, a leading international standard that describes how to manage information security, can be used to help protect information in such conditions.

What exactly is teleworking?


There are many definitions of teleworking addressed in the literature, but most of them have these two things in common:

  • The worker is outside of the organization’s environment.
  • Information and communication technologies are used to stay linked to the office.

Considering this, we can have these possible scenarios for teleworking:

  • People are working from home or from a place that is neither their home nor the organization’s premises (e.g., coffee shops, hotels, planes, etc.).
  • People are using fixed or mobile devices (e.g., PCs, notebooks, tablets, smartphones, etc.).
  • People are using public or private communication networks (e.g., Internet and Extranet).

Knowing these scenarios is critical to identify the most probable situations that can put your information at risk.

Risks associated with teleworking

From the scenarios previously presented, an information security risk assessment could raise the following risks:

  • An employee’s family or friends can use the device that accesses the organization’s systems and see sensitive information.
  • Hardcopy material used at the remote work site can be lost or stolen.
  • The device itself can be lost or stolen.
  • A device lost or stolen can be used to gain unauthorized access to the organization’s systems.
  • Information can be intercepted during transmission between the organization and the device.
  • The communication channel can be intercepted and used to invade the organization’s environment.
  • An outdated device can be compromised and used to invade the organization’s systems.
  • Information could be copied and extracted from the organization’s environment without anyone knowing.

It’s important to note that, although all devices are at risk of being lost or stolen, the nature of mobile devices (e.g., size, portability, and value) increases this risk.

Applying ISO 27001 controls to teleworking

Based on already-proven best practices, the ISO 27001 controls described in its Annex A, and detailed in ISO 27002, can help organizations handle teleworking risks in various ways. The primary one is the definition of a Mobile device and telework policy based on control A.6.2.1 (Mobile device policy) and control A.6.2.2 (Teleworking).

Through this policy, an organization can establish the rules for the implementation of safeguards to protect information accessed, processed, or stored outside the organization, such as:

Additionally, by implementing an information security awareness, education, and training program based on control A.7.2.2, an organization can structure its efforts to enhance the secure behavior of its teleworkers by instructing them to take safety precautions related to opening emails, setting strong passwords on their devices, and making clear that information compromise related to a lack of caution could result in disciplinary proceedings and even legal action. For more information, see: 8 Security Practices to Use in Your Employee Training and Awareness Program.

Keep information secure, even away from the organization

No matter in what industry you work, at some point your organization, or at least part of it, will start relying on telework. The connectivity provided by information and communication technologies not only allows employees to work from anywhere, increasing productivity and improving response time, but also enables organizations to count on trained professionals from anywhere in the world.

But, by exposing your infrastructure, systems, and information in this way, an organization needs to take precautions against the high risks involved. With the help of the ISO 27001 requirements for information security risk management, and the security controls of its Annex A, this task can become less complex and allow you to take full advantage of teleworking with the least risk.

To learn more about securing teleworking and other situations involving information use according to ISO 27001, try our free online training ISO 27001:2013 Foundations Course.
