
ISO 27001 Annex A 6.7 Audit Checklist

In this ultimate guide to auditing ISO 27001 Annex A 6.7 Remote Working, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Auditing ISO 27001 Annex A 6.7 Remote Working is the technical evaluation of the security measures applied to information that personnel access, process or store outside the organisation's premises. The primary implementation requirement is enforcing endpoint encryption and multi-factor authentication on remote access; the business benefit is that the confidentiality and integrity of information are maintained regardless of where personnel are physically located.

ISO 27001 Annex A 6.7 Remote Working Audit Checklist

This technical verification tool is designed for lead auditors to establish the security integrity of off-site operations. Use this checklist to validate compliance with ISO 27001 Annex A 6.7.

1. Remote Working Policy Formalisation Verified

Verification Criteria: A documented policy exists that defines the security requirements for working from remote locations, including physical security and technical access controls.

Required Evidence: Approved Remote Working Policy with explicit version control and senior management sign-off.

Pass/Fail Test: If the organisation cannot produce a formal policy specifically addressing remote work risks, mark as Non-Compliant.

2. Endpoint Encryption Enforcement Confirmed

Verification Criteria: All corporate devices used for remote work must have full-disk encryption (FDE) enabled and actively protecting the disk, so that stored data is unreadable if the device is lost or stolen.

Required Evidence: MDM (Mobile Device Management) reports or configuration screenshots showing BitLocker, FileVault, or equivalent status as 'Active' (fully encrypted with protection on, not merely 'encryption in progress' or suspended) for all remote endpoints, with recovery keys escrowed to the management platform rather than held only by the user.

Pass/Fail Test: If a sample of remote laptops shows that disk encryption is disabled, suspended, or not managed centrally, mark as Non-Compliant.
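As an added example that is not part of the original checklist, the following Python script applies this pass/fail test to the output of `manage-bde -status`, the command with which a sampled Windows laptop prints its BitLocker state. The status text embedded in the script is constructed to match the tool's layout; on a real audit you paste in the output captured from the sampled device. It deliberately treats a volume that is 'Fully Encrypted' but reports 'Protection Off' (encryption suspended, clear key stored on disk) as a failure, which a glance at an MDM 'encrypted' column can miss.

```python
import re

# Constructed sample in the layout that `manage-bde -status` prints: an OS
# volume that is fully encrypted but whose protection is suspended, plus an
# unencrypted data volume. Replace with the real output captured from a laptop.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 237.31 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 465.76 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]:) \[(.*)\]$")
FIELD_RE = re.compile(r"^ {4}([A-Za-z ]+?):\s+(.+)$")


def parse_manage_bde(text):
    """Parse manage-bde -status text into {mount: {field: value, 'protectors': [...]}}."""
    volumes, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = VOLUME_RE.match(line)
        if m:
            current = {"label": m.group(2), "type": None, "protectors": []}
            volumes[m.group(1)] = current
            continue
        if current is None:          # header lines before the first volume
            continue
        if line.strip() in ("[OS Volume]", "[Data Volume]"):
            current["type"] = line.strip("[] ")
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif line.startswith(" " * 8) and ":" not in line:
            current["protectors"].append(line.strip())   # lines under "Key Protectors:"
    return volumes


def evaluate_volume(v):
    """Apply the checklist test to one volume: (compliant, reason)."""
    conv = v.get("Conversion Status", "unknown")
    prot = v.get("Protection Status", "unknown")
    if conv != "Fully Encrypted":        # decrypted, or still encrypting
        return False, f"conversion status is '{conv}'"
    if prot != "Protection On":          # suspended: the clear key sits on disk
        return False, f"protection status is '{prot}'"
    if not v["protectors"]:              # nothing guards the volume key
        return False, "no key protectors"
    return True, "fully encrypted, protection on"


def evaluate_endpoint(text):
    """Per-volume results plus a single verdict; an unparseable report fails closed."""
    results = {mount: evaluate_volume(v) for mount, v in parse_manage_bde(text).items()}
    compliant = bool(results) and all(ok for ok, _ in results.values())
    return {"compliant": compliant, "volumes": results}


if __name__ == "__main__":
    report = evaluate_endpoint(SAMPLE_STATUS)
    for mount, (ok, why) in report["volumes"].items():
        print(f"{mount} {'PASS' if ok else 'FAIL'}: {why}")
    print("Endpoint verdict:", "Compliant" if report["compliant"] else "Non-Compliant")
```

The same approach transfers to macOS (`fdesetup status`) and Linux (`lsblk -o NAME,TYPE` listing `crypt` mappings). A TPM protector on the OS volume is not demanded here because the checklist does not require it, although an organisation's own policy often does.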

3. Multi-Factor Authentication (MFA) Implementation Validated

Verification Criteria: Remote access to organisational systems must be protected by robust multi-factor authentication, with enforcement applied by policy rather than left to the user's choice.

Required Evidence: IAM (Identity and Access Management) configuration showing mandatory MFA for VPN, SaaS applications, and VDI environments (for example conditional access or MFA-enforcement policies), together with a report of the accounts able to sign in remotely and their registered MFA methods.

Pass/Fail Test: If remote access to the corporate network or primary cloud environment allows single-factor (password-only) authentication, including through legacy authentication protocols or accounts exempted from the MFA policy, mark as Non-Compliant.
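An added example, not from the original page: a Python script that turns one common piece of evidence, the AWS IAM credential report, into the pass/fail answer for the 'primary cloud environment' part of this test. AWS is assumed as the cloud provider, and the report text in the script is constructed in the report's CSV layout with a subset of its columns. Accounts that can sign in with a password but have no MFA device active are the non-compliance; accounts with active long-term access keys are listed separately, because console MFA does not apply to API calls made with those keys unless IAM policies require it.

```python
import csv
import io

# Constructed sample in the CSV layout of the AWS IAM credential report
# (`aws iam generate-credential-report`, then `aws iam get-credential-report`).
# The real report carries more columns; only the ones read below need to exist.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T09:12:44+00:00,not_supported,2024-05-02T07:01:10+00:00,true,false,false
alice,arn:aws:iam::123456789012:user/alice,2021-06-14T10:00:00+00:00,true,2024-05-01T16:22:03+00:00,true,true,false
bob,arn:aws:iam::123456789012:user/bob,2022-01-05T08:30:00+00:00,true,2024-04-28T11:05:41+00:00,false,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-09-20T12:00:00+00:00,false,no_information,false,true,false
"""


def password_without_mfa(report_csv):
    """Principals that can sign in with a password but have no MFA device active."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # The root user always has a password (its column reads 'not_supported');
        # for IAM users password_enabled says whether console sign-in exists.
        has_password = row["user"] == "<root_account>" or row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def active_access_keys(report_csv):
    """Users holding long-term API keys. Console MFA does not gate calls made with
    these keys unless IAM policies condition on aws:MultiFactorAuthPresent, so
    they are listed for follow-up rather than failed outright."""
    return [
        row["user"]
        for row in csv.DictReader(io.StringIO(report_csv))
        if row.get("access_key_1_active") == "true" or row.get("access_key_2_active") == "true"
    ]


def assess(report_csv):
    """Checklist verdict for the cloud environment from one credential report."""
    missing = password_without_mfa(report_csv)
    return {
        "verdict": "Non-Compliant" if missing else "Compliant",
        "password_without_mfa": missing,
        "review_access_keys": active_access_keys(report_csv),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_REPORT)
    print(result["verdict"])
    for user in result["password_without_mfa"]:
        print(f"  password sign-in without MFA: {user}")
    for user in result["review_access_keys"]:
        print(f"  active access key (not covered by console MFA): {user}")
```

This covers only the cloud account's native identities. VPN, SaaS and VDI access federated through a central identity provider is checked against that provider's policy export instead, and the same rule applies: any account that can authenticate remotely with a password alone fails the test.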
