How to Implement ISO 27001 Annex A 6.7

ISO 27001:2022 Annex A 6.7 (Remote working) requires security measures to protect information that is accessed, processed or stored outside the organisation's premises. In practice that means a hardened teleworking environment built on zero-trust assumptions: encrypted endpoints, traffic forced through a secure gateway, and physical security rules for home offices. The business benefit is secure remote operations and reduced liability from lost or compromised portable devices.

ISO 27001 Annex A Remote Working Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 6.7. The control text itself only requires that appropriate security measures are in place for remote working; the steps below are one proven way to meet it, built on the assumption that every home network is hostile and every coffee shop Wi-Fi is compromised.

1. Enforce Full-Disk Encryption (FDE)

Control Requirement: Protect data at rest on portable devices used remotely. Required Implementation Step: Configure your MDM (Mobile Device Management) policy (e.g., Intune, Kandji) to require BitLocker (Windows) or FileVault (macOS) before the device is allowed to access corporate resources, with the encryption state reported back by the MDM agent rather than asserted by the user. Escrow the recovery keys to your central management console, not to the user's local or personal account.

Minimum Requirement: 100% of remote endpoints encrypted with recovery keys centralized in the MDM.
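The following is an added example, not code from the original article or from any MDM vendor, showing how to turn an MDM device export into the evidence this step asks for. The CSV column names and the sample export are constructed assumptions (real Intune or Kandji exports use different headings); the logic is the point: a device only counts as compliant when the MDM itself reports encryption on and a recovery key escrowed, and a blank, unknown or stale report is treated as not encrypted.

```python
"""Assess an MDM device export for Annex A 6.7 encryption evidence.

A remote endpoint is compliant only when the MDM reports encryption ON and a
recovery key is escrowed in the console. Missing/unknown values count as OFF.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export. Column names are an assumption; adapt to your MDM.
SAMPLE_EXPORT = """\
device_id,user,os,encryption_state,recovery_key_escrowed,last_checkin_days
LT-0001,alice,Windows,Encrypted,True,1
LT-0002,bob,macOS,Encrypted,False,2
LT-0003,carol,Windows,Not encrypted,True,3
LT-0004,dave,Windows,,True,1
LT-0005,erin,macOS,Encrypted,True,45
"""


@dataclass
class Finding:
    device_id: str
    user: str
    reason: str


def is_encrypted(state: str) -> bool:
    # Only an explicit positive report counts; blank or "unknown" is OFF.
    return state.strip().lower() in {"encrypted", "on", "enabled"}


def is_escrowed(flag: str) -> bool:
    return flag.strip().lower() in {"true", "yes", "1"}


def assess(export_csv: str, stale_after_days: int = 30) -> tuple[float, list[Finding]]:
    """Return (percentage of compliant devices, list of findings)."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    findings: list[Finding] = []
    compliant = 0
    for row in rows:
        reasons = []
        if not is_encrypted(row.get("encryption_state", "")):
            reasons.append("MDM does not report encryption on")
        if not is_escrowed(row.get("recovery_key_escrowed", "")):
            reasons.append("recovery key not escrowed")
        try:
            age = int(row.get("last_checkin_days", ""))
        except ValueError:
            age = None
        # A device that has not checked in recently cannot prove its state.
        if age is None or age > stale_after_days:
            reasons.append("stale check-in; encryption state unverified")
        if reasons:
            findings.append(Finding(row["device_id"], row["user"], "; ".join(reasons)))
        else:
            compliant += 1
    pct = 100.0 * compliant / len(rows) if rows else 0.0
    return pct, findings


if __name__ == "__main__":
    pct, findings = assess(SAMPLE_EXPORT)
    print(f"Compliant: {pct:.1f}%")
    for f in findings:
        print(f"{f.device_id} ({f.user}): {f.reason}")
```

Run against the full export on an audit date and keep the output as evidence; the percentage is the "100% encrypted" figure the auditor will ask for, and the findings list is the remediation queue.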

2. Mandate Always-On VPN or ZTNA

Control Requirement: Secure communication over untrusted public networks. Required Implementation Step: Deploy an "Always-On" VPN profile or a Zero Trust Network Access (ZTNA) agent (e.g., Cloudflare WARP, Zscaler) that forces all traffic through your secure gateway. The device must not be able to reach the internet directly without passing through your security stack (DNS filtering, IPS). Note that a ZTNA agent that only brokers access to specific applications does not by itself carry general internet traffic through that stack; pair it with a full-tunnel or secure web gateway mode if all traffic is in scope.

Minimum Requirement: Network logs showing all remote traffic routing through the corporate secure gateway.
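As an added example (not from the original article or any vendor), here is one way to check the "all remote traffic routes through the gateway" evidence from endpoint flow records. The gateway address, tunnel interface names and the flow records are constructed assumptions; the rule is that every flow must either leave on the tunnel interface or be the tunnel's own outer connection to the gateway, with only DHCP, link-local and multicast traffic tolerated as local bootstrap.

```python
"""Audit endpoint flow logs for traffic that bypasses the secure gateway."""
import ipaddress

# Assumptions for this example: the VPN/ZTNA edge address and tunnel adapter names.
GATEWAY_IPS = {ipaddress.ip_address("203.0.113.1")}
TUNNEL_IFACES = {"utun3", "wg0", "tun0"}

# Constructed flow records: (device, egress interface, destination ip, destination port)
FLOWS = [
    ("LT-0001", "utun3", "142.250.74.46", 443),  # inside the tunnel: fine
    ("LT-0001", "en0",   "203.0.113.1",   443),  # the tunnel's outer connection: fine
    ("LT-0001", "en0",   "192.168.1.1",    53),  # DNS straight to the home router: bypass
    ("LT-0002", "en0",   "198.51.100.77", 443),  # direct internet egress: bypass
    ("LT-0002", "en0",   "192.168.1.1",    67),  # DHCP to the local router: bootstrap
    ("LT-0003", "wg0",   "198.51.100.77", 443),  # inside the tunnel: fine
]


def classify(iface: str, dst_ip: str, dst_port: int) -> str:
    """Label one flow: tunnelled, gateway_transport, local_bootstrap or bypass."""
    ip = ipaddress.ip_address(dst_ip)
    if iface in TUNNEL_IFACES:
        return "tunnelled"
    if ip in GATEWAY_IPS:
        return "gateway_transport"
    # Traffic a host needs before the tunnel is up: DHCP, link-local, multicast.
    if ip.is_link_local or ip.is_multicast or dst_port in (67, 68):
        return "local_bootstrap"
    return "bypass"


def audit(flows):
    """Return (bypass flows, sorted list of devices with no bypass flows)."""
    findings = [f for f in flows if classify(f[1], f[2], f[3]) == "bypass"]
    devices = {f[0] for f in flows}
    noncompliant = {f[0] for f in findings}
    return findings, sorted(devices - noncompliant)


if __name__ == "__main__":
    findings, compliant = audit(FLOWS)
    for device, iface, ip, port in findings:
        print(f"BYPASS {device}: {ip}:{port} via {iface}")
    print("Compliant devices:", compliant)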

3. Implement Geofencing and Impossible Travel Logic

Control Requirement: Detect and block unauthorised remote access attempts. Required Implementation Step: Configure your Identity Provider (IdP) to block logins from countries where you have no staff. Enable "Impossible Travel" detection so that an account that logs in from London at 09:00 and Moscow at 09:15 is automatically suspended or forced through step-up authentication. Treat geo-blocking as a noise filter rather than a hard control: an attacker can route through a VPN or proxy in an allowed country, so the impossible-travel logic and MFA do the real work.

Minimum Requirement: Conditional Access policies blocking non-operational geolocations.
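The following is an added example, not code from the original article or from any IdP, showing the two checks this step describes run over sample sign-in events: a non-operational-geolocation check and an impossible-travel check based on the great-circle distance between consecutive sign-ins. The events, the allowed-country set and the 900 km/h plausibility ceiling are constructed assumptions; commercial IdP risk engines use richer signals, but the core logic is the same.

```python
"""Impossible-travel and non-operational-geo checks over IdP sign-in events."""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample events; coordinates are approximate city centres.
SIGNINS = [
    {"user": "alice", "ts": "2024-03-04T09:00:00Z", "country": "GB", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "ts": "2024-03-04T09:15:00Z", "country": "RU", "lat": 55.7558, "lon": 37.6173},
    {"user": "bob",   "ts": "2024-03-04T08:00:00Z", "country": "GB", "lat": 53.4808, "lon": -2.2426},
    {"user": "bob",   "ts": "2024-03-04T12:30:00Z", "country": "GB", "lat": 51.5074, "lon": -0.1278},
    {"user": "carol", "ts": "2024-03-04T10:00:00Z", "country": "KP", "lat": 39.0392, "lon": 125.7625},
]

OPERATIONAL_COUNTRIES = {"GB", "IE", "DE"}  # assumption: where staff actually work
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; faster than this is impossible


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def geo_block_findings(events, allowed=OPERATIONAL_COUNTRIES):
    """Sign-ins from countries outside the operational set."""
    return [(e["user"], e["country"]) for e in events if e["country"] not in allowed]


def impossible_travel_findings(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """(user, km, hours) for consecutive sign-ins that imply an impossible speed."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Same timestamp from two places is also impossible; avoid dividing by zero.
            if hours <= 0:
                if km > 0:
                    findings.append((user, round(km), 0.0))
                continue
            if km / hours > max_kmh:
                findings.append((user, round(km), round(hours, 2)))
    return findings


if __name__ == "__main__":
    print("Geo-block:", geo_block_findings(SIGNINS))
    print("Impossible travel:", impossible_travel_findings(SIGNINS))
```

Expect false positives from corporate VPN egress and mobile carrier NAT, where the IP geolocation jumps without the user moving; exclude your own gateway ranges before alerting, or the always-on VPN from step 2 will trip this rule for every remote worker.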

4. Restrict Printing and Local Storage

Control Requirement: Prevent data leakage outside the corporate boundary. Required Implementation Step: Use Endpoint Protection policies to stop local printing (for example by disabling the Print Spooler service, which prevents all printing from the device, or by restricting printing to approved corporate printers) and to block USB mass storage devices. Remote workers should not be printing sensitive PII on a family inkjet printer where pages can be lost or seen by visitors.

Minimum Requirement: Configuration settings proving USB and local print blocking are active.

5. Secure the Home Wi-Fi Environment

Control Requirement: Provide guidance on securing the physical connection point. Required Implementation Step: Issue a "Home Network Security Standard" requiring staff to change default router passwords and enable WPA2 or WPA3 encryption. While you cannot enforce this technically without intruding on the home network, you must make it a policy violation to connect corporate devices to open networks or to networks still using WEP.

Minimum Requirement: A signed Teleworking Policy where the user attests to securing their home router.

6. Define Physical Security for Home Offices

Control Requirement: Prevent overlooking (shoulder surfing) and theft of assets in domestic settings. Required Implementation Step: Mandate a "Clean Desk Policy" for the home. Users must agree to lock their screen when answering the door and store laptops in a secure location (e.g., a locked drawer) when not in use. Prohibit the use of voice assistants (Alexa/Siri) in rooms where confidential meetings occur.

Minimum Requirement: Training acknowledgement regarding voice assistants and physical locking of devices.

7. Enforce Screen Privacy Filters

Control Requirement: Prevent shoulder surfing in public workspaces. Required Implementation Step: Provide physical privacy screens to all staff who work in shared spaces (cafés, trains, co-working hubs). Update the policy to mandate their use whenever the screen is visible to the public. Visually verify this during random video calls or office visits.

Minimum Requirement: Purchase orders or asset logs confirming distribution of privacy filters to mobile staff.

8. Implement Remote Wipe Capabilities

Control Requirement: Capability to sanitise compromised or lost devices remotely. Required Implementation Step: Verify that your MDM can execute a “Corporate Wipe” (removing only business data) for BYOD and a “Full Wipe” for corporate devices. Test this capability annually on a test device to ensure it executes even if the device is not on the VPN.

Minimum Requirement: Successful test logs of a remote wipe command execution.

9. Segregate Family Use from Corporate Use

Control Requirement: Prevent unauthorised users (family members) from accessing systems. Required Implementation Step: Strict configuration: the laptop is for the employee only. Create a policy that forbids family members from using the device for homework or browsing. Technically enforce this by not granting the employee local administrator rights (a standard user cannot create additional accounts), disabling the built-in guest account, and blocking the creation of secondary local user accounts through MDM or Group Policy.

Minimum Requirement: Policy explicitly banning family use, backed by OS settings preventing new user creation.

10. Establish Virtual Meeting Security Protocols

Control Requirement: Secure remote collaboration channels. Required Implementation Step: Configure Zoom/Teams/Meet settings centrally. Force waiting rooms for external guests, disable “Join before Host,” and require passcodes for all meetings. Disable file transfers in chat for external participants to prevent malware ingress.

Minimum Requirement: Global configuration settings for video conferencing tools enforcing security defaults.

ISO 27001 Annex A 6.7 SaaS / GRC Platform Implementation Failure Checklist

The gap between GRC dashboard compliance and technical reality for Control 6.7. Each entry lists the control requirement, the "Checkbox Compliance" trap, and the reality check.

Disk Encryption
The "Checkbox Compliance" Trap: Asking users "Is your laptop encrypted?" in a survey.
The Reality Check: Users don't know what BitLocker is. Unless your MDM reports "Encryption: On", assume it is Off.

VPN Usage
The "Checkbox Compliance" Trap: Providing a VPN client but not enforcing it.
The Reality Check: If the VPN is optional, users will turn it off to watch Netflix or because "it slows down the internet". It must be Always-On.

Physical Security
The "Checkbox Compliance" Trap: A policy saying "work in a secure room".
The Reality Check: Most staff work from the kitchen table. Policy must reflect reality (e.g., "Lock screen when leaving the room") rather than fantasy.

Family Access
The "Checkbox Compliance" Trap: Trusting staff not to let kids play Roblox on the work laptop.
The Reality Check: Trust is not a control. You must technically block the installation of games and the creation of guest accounts.

Remote Wipe
The "Checkbox Compliance" Trap: Assuming Exchange ActiveSync will handle it.
The Reality Check: ActiveSync wipe only reaches mail clients that honour its policies; it does nothing about the PDF files downloaded to a laptop's desktop. You need a full MDM agent.

Public Wi-Fi
The "Checkbox Compliance" Trap: Banning public Wi-Fi in the policy.
The Reality Check: Staff will use coffee shop Wi-Fi. It's inevitable. You need to secure the connection (VPN) rather than banning the behaviour.

Smart Speakers
The "Checkbox Compliance" Trap: Ignoring Alexa/Google Home devices.
The Reality Check: These devices record audio. If you discuss mergers in front of a smart speaker, you are broadcasting to a third-party cloud.

About the author

Stuart Barker


ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
