Gary Hibberd

ISO27001:2022 - A6.7 – Remote Working

Updated: Aug 2




This ISO27001 control has become increasingly important since the pandemic forced many organisations to adapt to home working. But remote working doesn’t just mean working from home. Along with the increase in home working (due to the pandemic), we have increasingly adopted mobile technology, allowing us to work anywhere, at any time.

 

It’s therefore clearly important that we now think more broadly about Information Security, beyond the confines of our office spaces.  Our office spaces are under our control, but when people work remotely, we need to implement controls that not only protect information but also recognise the flexibility that remote working can bring.



 

What does the standard require?

The standard states that “Security measures shall be implemented when personnel are working remotely to protect information accessed, processed, or stored outside the organisation's premises...” (A6.7 – Remote Working).

 

Why is this required?

With the increase in people working remotely, we need to ensure we establish clear rules and controls which protect people and devices while they are outside our strict control.  In the past, computers were largely confined to the office, and therefore it was relatively easy to protect information processed by the business.

 

In modern businesses, we increasingly access and process data while on the move, which increases risks to privacy and data, from loss, theft or accidental exposure. If you’re reading this on your mobile device, consider for a moment how much that device also accesses and processes.  These devices can easily be lost or stolen, which could place data subjects and your business at risk.

 

Speaking at a conference, we asked people to raise their hands if they had either lost a mobile phone, laptop or tablet, or had one stolen while on the move.  One attendee told us the following story.

 

“After a long day working on client site, I arrived home late and because I was eager to spend time with my family, I left my jacket hanging in the back of the car, and my laptop bag behind the driver’s seat (where I always left it). It had been a long day, and I knew I had an early start the next morning, so I went to bed as soon as the kids were settled.  Unfortunately, when I went to the car in the morning, I found that the window had been smashed. My jacket was gone, and my laptop with it.”

 

The loss of the laptop itself isn’t the real risk; the data on it could be an issue. However, it is the disruption to the business and to your life that could be the biggest risk. The same is true if you’ve ever lost your mobile phone! The data on it is an issue, but the impact on our lives is even more disruptive.

 

What the auditor is looking for

Note that this ISO27001 control speaks of “security measures” (plural), so there are several aspects the auditor will look at to confirm you have implemented controls which protect data. These controls can include:

 

  • Remote Working Policy

  • Acceptable Use Policy

  • Access Control Policies

  • Cryptographic Controls

  • Malware protection

  • Virtual Private Network (VPN) controls

  • Privacy screens on device(s)

  • Awareness, Training and Education records

 

What do you need to do?

Although it is not specifically mandated, we would recommend either defining a specific Remote Working Policy, or adding a section to your Acceptable Use Policy.  Whichever approach you take, you should outline what remote working means, and what you expect from your personnel.

 

Remember that remote working does not only refer to home working. It also covers working in public spaces, such as client sites, cafés and bars, trains and planes.  We’ve even heard of people working on the beach while on holiday (does that sound familiar?!), so ‘remote’ can mean many things.

 

If you have the budget, we would always recommend installing privacy screens on devices, which prevent casual onlookers seeing what is on your screen. 

 

But the most important aspect of this control is to explain to your personnel that they have a responsibility to protect the devices and data they are entrusted with. Therefore, make sure you include remote working policies in your awareness programme.  Provide advice about how to stay protected while working away from the office, such as using a VPN, not using free WiFi, and storing devices securely when they are left unattended.

 

We are often shocked (but not surprised) how many people leave laptops unattended on trains, as they go to the toilet or the buffet car! Next time you’re on a train, see how many times you spot this practice.

 


Q & A

What do we need to do if someone loses a mobile device?

You need to have a process to deal with this, and your awareness training should explain what that process is.  Some may think this is just a matter for IT, but if the device contains personal data, then it could be a matter for the Data Protection Officer (DPO), who will then decide what action to take following the loss.

 

Difficulty rating

We rate this control 2 out of 5 for difficulty. This ISO27001 control isn’t difficult, but evidence will come from demonstrating both organisational and technical security measures.  You shouldn’t rely upon a single measure, so this can get quite complex.  You will also need to explore the use of some of the more technical measures available, such as VPN, malware protection and cryptographic controls.


 

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see how it relates to other controls, but if you’re still confused about this control, then please get in touch.

 

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.

 

 
