ISO 27001 Annex A Control 6.7

ISO 27001 control 6.7 Remote working

The basics

ISO 27001 control A.6.7 Remote working requires companies to define security rules when people are working from home or from other remote locations, in order to protect the information that is processed outside of the company’s premises.

Documentation

ISO 27001 control A.6.7 Remote working can be documented by writing a Mobile Device and Teleworking Policy.

This policy is not a mandatory document but is recommended for all companies.

Implementation

In order to comply with control A.6.7 Remote working you might implement the following:

  • Technology — the technology to enable remote working may include software (e.g., data loss prevention software, software for remote management, etc.), hardware (e.g., dedicated devices to be used remotely), and networks (e.g., VPN, dedicated links, etc.).
  • Organization/processes — you should set up a process for defining the criteria for allowing remote work, the minimum requirements for devices that may be used for remote work, who must authorize remote work, and what users can and can’t do while working remotely. You can document those processes through a Mobile Device and Remote Work Policy.
  • People — make employees aware of the risks of working remotely, and train them on what they can and cannot do while teleworking.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.6.7 Remote working: whether security rules for people working from home or from other remote locations have been defined.