
    ISO 27001 & ISO 22301 Blog

    How to apply information security controls in teleworking according to ISO 27001

    Allowing employees to work away from the office, i.e., outside of the physical premises of the organization (otherwise known as “teleworking”), is becoming a common practice in the way business is done today. The ability to work remotely is seen as both an incentive for employee productivity and a source of cost savings for organizations, not to mention the possibility for the organization to reach the right professional it wants in any part of the world.

    But this scenario, with information outside the direct control of the organization, also poses significant risks to information security that should be handled properly. In this article, you will see the potential risks of teleworking and how ISO 27001, a leading international standard that describes how to manage information security, can be used to help protect information in such conditions.

    What exactly is teleworking?

    There are many definitions of teleworking addressed in the literature, but most of them have these two things in common:

    • The worker is outside of the organization’s environment.
    • Information and communication technologies are used to stay linked to the office.

    Considering this, we can have these possible scenarios for teleworking:

    • People are working from home or from a place that is neither their home nor the organization’s premises (e.g., coffee shops, hotels, planes, etc.).
    • People are using fixed or mobile devices (e.g., PCs, notebooks, tablets, smartphones, etc.).
    • People are using public or private communication networks (e.g., Internet and Extranet).

    Knowing these scenarios is critical to identify the most probable situations that can put your information at risk.

    Risks associated with teleworking

    From the scenarios previously presented, an information security risk assessment could raise the following risks:

    • An employee’s family or friends can use the device that accesses the organization’s systems and see sensitive information.
    • Hardcopy material used at the remote work site can be lost or stolen.
    • The device itself can be lost or stolen.
    • A lost or stolen device can be used to gain unauthorized access to the organization’s systems.
    • Information can be intercepted during transmission between the organization and the device.
    • The communication channel can be intercepted and used to break into the organization’s environment.
    • An outdated device can be compromised and used to break into the organization’s systems.
    • Information could be copied and extracted from the organization’s environment without anyone knowing.

    It’s important to note that, although all devices are at risk of being lost or stolen, the nature of mobile devices (e.g., size, portability, and value) increases this risk.

    Applying ISO 27001 controls to teleworking

    Based on already-proven best practices, the ISO 27001 controls described in its Annex A, and detailed in ISO 27002, can help organizations handle teleworking risks in various ways. The primary one is the definition of a Mobile device and teleworking policy, based on controls A.6.2.1 (Mobile device policy) and A.6.2.2 (Teleworking).

    Through this policy, an organization can establish the rules for the implementation of safeguards to protect information accessed, processed, or stored outside the organization, such as:

    Additionally, by implementing an information security awareness, education, and training program based on control A.7.2.2, an organization can structure its efforts to enhance the secure behavior of its teleworkers. Such a program instructs them to take safety precautions, such as being careful when opening emails and setting strong passwords on their devices, and makes clear that an information compromise caused by a lack of caution could result in disciplinary proceedings and even legal action. For more information, see: 8 Security Practices to Use in Your Employee Training and Awareness Program.

    Keep information secure, even away from the organization

    No matter in what industry you work, at some point your organization, or at least part of it, will start relying on telework. The connectivity provided by information and communication technologies not only allows employees to work from anywhere, increasing productivity and improving response time, but also enables organizations to count on trained professionals from anywhere in the world.

    But exposing your infrastructure, systems, and information in this way involves high risks, and an organization needs to take precautions against them. With the help of the ISO 27001 requirements for information security risk management, and the security controls of its Annex A, this task can become less complex and allow you to take full advantage of teleworking with the least risk.

    To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a 30-day free trial of Conformio, the leading ISO 27001 compliance software.

    Rhand Leal (Advisera)
    Rhand Leal has 10 years of experience in information security, and for 6 years he has continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.