ISO 27001:2022 Annex A 6.7 Remote working

In this guide, I will show you exactly how to implement ISO 27001 Annex A 6.7 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 6.7 Remote Working

ISO 27001 Annex A 6.7 requires organizations to implement security measures when personnel work from locations outside the traditional office, such as their homes, coffee shops, or hotels. In an economy where work no longer happens only in the office, this control ensures that your security perimeter follows your people. The goal is to mitigate the particular risks of uncontrolled environments, such as “shoulder surfing” in public places or data theft over insecure home networks, so that remote data is as secure as data within your four walls.

Core requirements for compliance include:

  • Mandatory Remote Policy: You must have a formal Remote Working Policy that defines what devices are allowed, how they connect, and the specific security behaviors expected of staff.
  • Technical Enforcement: Security must be automated, not optional. This includes mandatory VPN/Zero Trust gateways, Multi-Factor Authentication (MFA), and full-disk encryption on all portable devices.
  • Environmental Responsibility: Staff must be educated on physical security off-site. This includes using privacy screens in public, locking devices in safes during travel, and ensuring home Wi-Fi uses strong encryption.
  • Incident Escalation: Remote workers must know exactly how to report a lost device or a suspected breach immediately, as the response time for a remote incident is critical to preventing data leakage.
  • Shadow IT Controls: Organizations must monitor and audit the software and cloud services used by remote staff to ensure they aren’t using unauthorized “workaround” tools to get their jobs done.

Audit Focus: Auditors will look for “The Distributed Security Proof”:

  1. Staff Awareness: “If you were working in a hotel lobby today, what three steps would you take to protect your screen and connection?”
  2. Evidence of Monitoring: “Show me your MDM (Mobile Device Management) dashboard proving that 100% of remote laptops are currently encrypted and patched.”
  3. The “Home Office” Test: Auditors may ask how you verify that home working environments meet baseline safety and security standards (e.g., through a self-assessment checklist).

Remote Work Security Stack (Audit Prep):

Security layer, recommended ISO 27001 control, compliance justification and ISO 27001:2022 mapping:

  • Network: VPN or Zero Trust tunnel. Encrypts data in transit between remote endpoints and corporate infrastructure. Maps to Annex A 8.20 (Networks security).
  • Endpoint: Full disk encryption and EDR agents. Protects data at rest and detects anomalies if hardware is physically compromised. Maps to Annex A 8.1 (User endpoint devices).
  • Physical: Privacy screens and cable locks. Mitigates “shoulder surfing” and opportunistic theft in public or shared spaces. Maps to Annex A 7.7 (Clear desk and clear screen).
  • Identity: Mandatory MFA / 2FA. Prevents unauthorised access resulting from compromised remote credentials. Maps to Annex A 5.17 (Authentication information).
  • Human: Home office self-assessments. Provides auditable proof of compliance and employee security awareness. Maps to Annex A 6.7 (Remote working).

Key Takeaways

  • If you work fully remotely, many of the ISO 27001 physical security controls written for offices will not apply as they stand; you still need to record why in your Statement of Applicability and address the physical risks of the remote location instead
  • Remote working security can be addressed with technical controls
  • People need to be educated on working remotely

What is ISO 27001 Annex A 6.7?

Remote working is a work arrangement where employees perform their duties from a location other than a traditional office. This could be their home, a coffee shop, a co-working space, or any other location with a suitable internet connection. In ISO 27001 this is covered by ISO 27001:2022 Annex A 6.7 Remote Working, one of the 93 ISO 27001 Annex A controls.

The requirement is for security measures to be implemented when personnel are working remotely to protect information when it is outside the organisation’s premises.

Benefits of implementing Remote Working

The main benefit is that it allows you to mitigate the risk of remote working. Remote working poses unique challenges as you do not control the physical environment so the risks need to be assessed and appropriate controls implemented. The benefits of implementing ISO 27001 Remote Working include:

  • Reduced risk of data breach due to remote working
  • Improved compliance, meeting the needs of laws and regulations that require remote working controls to be in place
  • Protection of confidential information
  • Building trust with employees and third parties
  • Reputation protection, because having effective remote working controls in place reduces the potential for fines and the PR impact if a breach does occur

Watch the ISO 27001 Annex A 6.7 tutorial

In the video ISO 27001 Remote Working Explained – ISO27001:2022 Annex A 6.7 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 6.7 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 6.7 Remote Working, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 6.7 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 6.7 Remote Working. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 6.7 Implementation Guidance

You are going to have to:

  • implement a topic specific policy for remote working
  • ensure that the information security for workers that are operating remotely is in place
  • show that what you implement complies with local laws
  • demonstrate that what you implement complies with local regulations
  • ensure that it meets the needs of the organisation
  • show that it addresses the organisational risks

This applies whenever people work from a location outside your organisation’s premises. It includes the older terms teleworking and telecommuting as well as flexible workplace, fully remote and virtual work environment; in essence they all relate to the same thing. You will check local laws and regulations, as not all recommendations and guidance can be applied everywhere. It is, after all, general guidance.

ISO 27001 Remote Working Policy

You will need to implement a topic specific policy for remote working. The topic specific ISO 27001 Remote Working Policy Template is ready to go, will fast track your implementation and is packed with everything you need.

ISO 27001 Mobile and Remote Working Policy - ISO 27001 Annex A 6.7 Template

Information security implications of remote working

The risks associated with remote working include:

  1. Data breaches, for example through lost devices or information exposed in uncontrolled locations
  2. Cyberattacks, including interception on untrusted networks and compromise of remote credentials
  3. Fraud, including social engineering of staff who are isolated from colleagues
  4. Employee productivity loss
  5. Employee burnout

The last two are not information security risks in themselves, but they drive the human factors (rushed decisions, workaround tools, shadow IT) that your security controls have to withstand.

Mitigating the security risks associated with remote working

Organisations can mitigate the security risks associated with remote working by taking a number of steps, including:

  • Implementing a remote working policy
  • Implementing a remote working procedure
  • Providing secure devices and applications to remote workers
  • Ensuring that remote workers use strong passwords and authentication methods
  • Educating remote workers about information security risks
  • Monitoring and auditing remote working activities

Physical security

There are physical security considerations for remote working that include rules and associated mechanisms: such as lockable storage, filing cabinets, shredders, printers, transportation of physical media, clear desk, and disposal of media.

Consider the person and what they are doing, do a mini risk assessment to understand the risks they are exposed to, and then implement controls to mitigate those risks.

Good examples include remote printing. Not everyone will need to remote print but for those that do you can consider providing a company printer as well as a shredder.

Will the person have access to printed information, or letters and correspondence such as bank statements or contracts. Perhaps they will have to keep physical media. In this scenario we would consider providing lockable storage.

It may be the case, but not always, that people will have a home office. We can think about if having a lock is advisable based on what they do and access.

Be sensible and be practical.

Communication security

Based on the need for remote access to organisation systems and the classification of information to be processed, stored and / or transmitted you will consider the communications security requirements. This will be driven by and in conjunction with your IT and technical teams.

Remote access technology

Consider how remote access will be implemented (for example VPN or virtual desktops), how protection technology such as firewalls and anti-malware will be deployed, and how devices will be deployed, initialised, managed and patched. Technology requirements can be satisfied by engaging with your IT teams.

Unique unauthorised access

Unique to remote working is the threat of unauthorised access by friends and family members, or by people in public places. There may or may not be measures you need to put in place for this. People consider things like privacy screens, or providing guidance on how best to position yourself and work in a public space. Guidance on taking and making calls can be provided, including not having confidential conversations in public places where you can be easily overheard. We have all been on a train when someone reads out their bank details or slags off a colleague on the phone. Don’t be that person.

Training

You will provide training on the ISO 27001 remote working policy and procedures. This will include guidance on how to work securely in a remote environment.

Backup and business continuity

Your backup and business continuity plans and processes will take into account remote working and the associated challenges. Consider things like mobile devices and if you do in fact back them up, or not.

Insurance

Often overlooked, you will ensure that you have appropriate insurance arrangements in place to cover remote working and the risks that it poses.

Audit and security monitoring

As part of your internal audit programme you will be performing remote audits for remote workers to check that they are operating in line with policy and process. This usually involves a remote interview over camera to view the working practices.

How to implement ISO 27001 Annex A 6.7

Implementing ISO 27001 Annex A 6.7 (Remote Working) requires a robust blend of organisational policy, technical hardening, and physical security awareness. By following these steps, organisations can ensure that information assets remain protected when accessed from outside the traditional office perimeter, maintaining compliance with Information Security Management System (ISMS) standards.

1. Formalise the Remote Working Policy

Develop and approve a comprehensive policy that defines the specific conditions and security requirements under which remote work is authorised.

  • Define authorised devices, including company-issued hardware and Bring Your Own Device (BYOD) standards.
  • Document the responsibilities of the remote worker regarding the protection of sensitive information.
  • Establish clear rules for the use of public Wi-Fi and the requirement for encrypted connections.
  • Specify the types of information that are permitted or prohibited for remote access based on data classification.

2. Conduct a Remote Working Risk Assessment

Perform a targeted risk assessment to identify vulnerabilities associated with remote environments and determine necessary mitigations.

  • Identify threats such as physical theft of hardware, visual eavesdropping, and insecure network interception.
  • Evaluate the security posture of home office environments and public workspaces.
  • Assess the impact of potential data breaches originating from remote endpoints.
  • Determine appropriate technical and physical controls to reduce identified risks to an acceptable level.

3. Provision Managed Endpoint Protection and MFA

Technical hardening of remote devices ensures that the endpoint remains resilient against malware and unauthorised access attempts.

  • Deploy Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) to enforce security configurations.
  • Implement Multi-Factor Authentication (MFA) for all remote access points to corporate systems.
  • Provision Full Disk Encryption (FDE) to protect data at rest in the event of hardware loss or theft.
  • Ensure all endpoints have active Endpoint Detection and Response (EDR) software with automated update cycles.

4. Deploy Encrypted Communication Channels

Secure the transit of information between the remote worker and the corporate network using industry-standard encryption protocols.

  • Mandate the use of a Virtual Private Network (VPN) with AES-256 encryption for all internal resource access.
  • Decide whether split tunnelling is permitted at all; if it is, make sure traffic to internal and sensitive services is always routed through the secure gateway and never directly over the local network.
  • Utilise secure, encrypted messaging and video conferencing tools approved by the IT security team.
  • Implement Identity and Access Management (IAM) roles to restrict remote access based on the principle of least privilege.

5. Establish Physical Security and Visual Privacy Protocols

Set mandatory physical standards for the remote workspace to prevent opportunistic theft or accidental data exposure.

  • Require the use of privacy screen filters for personnel working in high-traffic or public areas.
  • Mandate “Clear Screen” and “Clear Desk” habits, ensuring sessions are locked when the user is away from the device.
  • Provision lockable storage or cabinets for any sensitive physical documents that must be handled remotely.
  • Enforce a strict prohibition on leaving company hardware unattended in vehicles or public spaces.

6. Execute Periodic Compliance Audits and Awareness Training

Verification of adherence ensures the long-term effectiveness of the remote working controls and identifies areas for improvement.

  • Deliver mandatory security awareness training focused specifically on remote working risks and social engineering.
  • Review VPN and authentication logs regularly to identify anomalous login patterns or suspicious activity.
  • Conduct periodic checks of MDM compliance reports to ensure encryption and patching levels remain active.
  • Revoke remote access rights immediately upon termination of employment or a change in organisational role.
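The two technical checks in the step above, reviewing VPN and authentication logs for anomalous login patterns and reading MDM compliance reports for encryption and patch status (the same checks the FAQ entry on auditing remote working compliance lists), as an added Python example. This is not code from the original page or from High Table: the MDM export layout, the VPN log format, the field names, the thresholds and every sample record are constructed for the illustration, and real Intune, Jamf or VPN gateway exports use their own formats.

```python
"""Added example, not from the original page: two of the step 6 checks run
over constructed sample data.

  mdm_compliance()   - evaluate an MDM export for encryption, patch level and
                       recent check-in (the "100% encrypted and patched" proof)
  anomalous_logins() - flag impossible travel and MFA-failure bursts in VPN logs

Every record, log line, field name and threshold below is an assumption made
for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 10, 9, 0, 0)  # assumed time of the audit check

# Constructed MDM export (assumed columns). LT-002 is unpatched, LT-003 is
# unencrypted and LT-004 has not checked in for over a month.
MDM_EXPORT = """\
device_id,user,os_version,disk_encrypted,last_checkin
LT-001,alice,14.4,true,2024-05-10T08:05:00
LT-002,bob,14.1,true,2024-05-09T17:20:00
LT-003,carol,14.4,false,2024-05-10T07:45:00
LT-004,dave,14.4,true,2024-04-02T09:00:00
"""
MIN_OS_VERSION = (14, 4)             # assumed patch baseline
MAX_CHECKIN_AGE = timedelta(days=7)  # assumed: older status cannot be trusted


def mdm_compliance(export=MDM_EXPORT, now=NOW):
    """Return (compliant_fraction, {device_id: [problems]}).

    A device counts as compliant only if it is encrypted, at or above the OS
    baseline and has reported recently. A stale check-in is itself a finding:
    a dashboard that said "encrypted" a month ago proves nothing about today.
    """
    header, *rows = export.strip().splitlines()
    fields = header.split(",")
    findings = {}
    for row in rows:
        rec = dict(zip(fields, row.split(",")))
        problems = []
        if rec["disk_encrypted"].lower() != "true":
            problems.append("disk not encrypted")
        if tuple(int(p) for p in rec["os_version"].split(".")) < MIN_OS_VERSION:
            problems.append(f"os {rec['os_version']} below baseline")
        if now - datetime.fromisoformat(rec["last_checkin"]) > MAX_CHECKIN_AGE:
            problems.append("no check-in within 7 days, status unverified")
        if problems:
            findings[rec["device_id"]] = problems
    return (len(rows) - len(findings)) / len(rows), findings


# Constructed VPN gateway log (assumed format: time user src_ip country result mfa).
# alice appears from GB then US within 22 minutes; bob fails MFA five times in
# under three minutes and then succeeds, the shape of an MFA-fatigue attack.
VPN_LOG = """\
2024-05-10T06:58:00 alice 203.0.113.10 GB success mfa_ok
2024-05-10T07:20:00 alice 198.51.100.7 US success mfa_ok
2024-05-10T07:21:00 bob 192.0.2.44 GB failure mfa_fail
2024-05-10T07:21:30 bob 192.0.2.44 GB failure mfa_fail
2024-05-10T07:22:00 bob 192.0.2.44 GB failure mfa_fail
2024-05-10T07:22:30 bob 192.0.2.44 GB failure mfa_fail
2024-05-10T07:23:00 bob 192.0.2.44 GB failure mfa_fail
2024-05-10T07:23:40 bob 192.0.2.44 GB success mfa_ok
2024-05-10T08:00:00 carol 192.0.2.80 GB success mfa_ok
"""
TRAVEL_WINDOW = timedelta(hours=1)      # assumed: two countries inside this is impossible
MFA_FAIL_THRESHOLD = 5                  # assumed
MFA_FAIL_WINDOW = timedelta(minutes=5)  # assumed


def anomalous_logins(log=VPN_LOG):
    """Return [(user, description)] for impossible travel and MFA-failure bursts."""
    events = sorted(tuple(line.split()) for line in log.strip().splitlines())
    findings = []
    last_success = {}              # user -> (time, country) of last successful login
    mfa_fails = defaultdict(list)  # user -> timestamps of recent MFA failures
    for ts_text, user, ip, country, result, mfa in events:
        ts = datetime.fromisoformat(ts_text)
        recent = [t for t in mfa_fails[user] if ts - t <= MFA_FAIL_WINDOW]
        if result == "success":
            prev = last_success.get(user)
            if prev and prev[1] != country and ts - prev[0] <= TRAVEL_WINDOW:
                findings.append((user, f"impossible travel {prev[1]}->{country} in {ts - prev[0]}"))
            if len(recent) >= MFA_FAIL_THRESHOLD:
                findings.append((user, f"success from {ip} after {len(recent)} MFA failures"))
            last_success[user] = (ts, country)
            mfa_fails[user].clear()
        elif mfa == "mfa_fail":
            recent.append(ts)
            mfa_fails[user] = recent
            if len(recent) == MFA_FAIL_THRESHOLD:
                findings.append((user, f"{len(recent)} MFA failures within {MFA_FAIL_WINDOW} from {ip}"))
    return findings


if __name__ == "__main__":
    ratio, devices = mdm_compliance()
    print(f"MDM compliance: {ratio:.0%}; non-compliant: {devices}")
    for user, why in anomalous_logins():
        print(f"{user}: {why}")
```

On the sample data the MDM check reports 25% compliance and names three devices, and the log review raises three findings: alice's impossible travel and bob's burst of MFA failures followed by a success. The point for the audit is the stale check-in rule: a device that has not reported in a week cannot be counted as "currently encrypted and patched", so a report of 100% only holds if the check-in age is part of the test.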

Working From Home (WFH) Security Checklist

Risk area, check and why it matters:

  • Smart devices. Check: “I have muted smart speakers (Alexa/Siri) during meetings.” Why: prevents eavesdropping by always-listening devices.
  • Family access. Check: “My device is locked when I step away (even from family).” Why: prevents accidental changes or disclosure by household members.
  • Paperwork. Check: “I do not print sensitive documents at home.” Why: home shredding and disposal are rarely secure.
  • Network. Check: “I have changed the default password on my home router.” Why: prevents takeover of the router through well-known default credentials.
  • Visibility. Check: “My screen is not visible from the street or a window.” Why: prevents visual eavesdropping.

How to pass the audit of ISO 27001 Annex A 6.7

To comply with ISO 27001 Annex A 6.7 Remote Working you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  • Write, sign off, implement and communicate your topic specific policy on remote working
  • Write, sign off, implement and communicate your remote working procedures
  • Consider the risks of physical security and provide assets that can mitigate the risk such as privacy screens, lockable cupboards and home shredders
  • Implement communications technology that allows people to connect, use and communicate in the work environment
  • Provide on going training and awareness of the risks and mitigations associated with remote working
  • Consider the level to which remote working backup will or will not be implemented
  • Ensure that appropriate insurance is in place
  • Ensure that work environments meet all health and safety laws as well as local laws and regulations
  • Implement a process of internal audit that checks that the appropriate controls are in place and effective and where they are not follow the continual improvement process to address the risks

To pass an audit of ISO 27001 Annex A 6.7 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas for compliance with ISO 27001 Annex A 6.7. Let’s go through them.

1. That you have conducted audits of remote working

Remote working provides a unique challenge because it allows working in uncontrolled environments. As part of your risk assessment you will have selected the controls you need based on risk. As part of your governance you will audit those controls based on that risk, and at least annually, to ensure they are effective and operating as intended. You will keep records of the audit, the audit report and evidence that the audit report was communicated to the right people. Where controls were found to be ineffective you will have evidence of continual improvement and risk management to show how you managed the nonconformity.

2. That you have appropriate technical controls in place

Due to the risks associated with remote working you will have evidenced that you have considered and chosen appropriate technologies to mitigate them. The audit will check that the controls are appropriate, proportionate and operating effectively. Evidence such as reports, monitoring output and measures will be examined.

3. That people are aware of their responsibilities

The audit is going to check for documented processes, documented topic specific policy and these have been communicated and people have been trained on what is required of them.

Top 3 ISO 27001 Annex A 6.7 mistakes and how to avoid them

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.7 Remote Working are

1. You have no evidence that anything actually happened

You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans and training plans on remote working. For the controls that you have implemented, be able to show the management monitors, reports and metrics. If it isn’t written down it didn’t happen.

2. One or more members of your team haven’t done what they should have done

Prior to the audit, check that all members of the team have done what they should have. Do they know where the process documents for remote working are? Do a pre-audit as close to the audit as you can that checks the remote workers who will be involved. Assuming they are doing the right thing is a recipe for disaster. Check!

3. Your document and version control is wrong

Keep your document version control up to date, make sure that version numbers match wherever they are used, have an evidenced review within the last 12 months, and make sure no draft comments or tracked changes are left in the documents.

ISO 27001 Annex A 6.7 Applicability by Business Type

Small Businesses: Highly applicable for businesses that offer flexible “Work From Home” (WFH) options. The goal is to ensure that basic office security follows the employee home, focusing on simple technical safeguards and clear behavioural guidelines. Examples of control implementation:
  • Providing all remote staff with a “Home Office Security Checklist” (e.g., changing default Wi-Fi passwords, muting smart speakers like Alexa during calls).
  • Enforcing Multi-Factor Authentication (MFA) for all cloud-based tools like Microsoft 365 or Google Workspace.
  • Implementing a “No Printing at Home” policy for sensitive documents to avoid the risk of unmanaged physical data disposal.

Tech Startups: Essential for “Remote-First” startups with distributed global teams. Compliance involves automating remote security perimeters using modern cloud-native tools to ensure that data in transit and at rest remains secure. Examples of control implementation:
  • Using Zero Trust Network Access (ZTNA) or a mandatory VPN to encrypt all traffic between remote developer laptops and the production environment.
  • Deploying Mobile Device Management (MDM) (e.g., Jamf or Intune) to enforce full-disk encryption and remote “lock and wipe” capabilities.
  • Distributing physical privacy screens to employees who work from public spaces like coffee shops or co-working hubs to prevent “shoulder surfing.”

AI Companies: Vital for data scientists and engineers accessing high-performance GPU clusters from off-site. Focus is on securing the “remote terminal” and preventing the download of proprietary model weights to home networks. Examples of control implementation:
  • Implementing Virtual Desktop Infrastructure (VDI) so that sensitive model training and data analysis never leave the secure cloud perimeter.
  • Requiring the use of hardware security keys (e.g., YubiKeys) for all remote administrative access to AI research environments.
  • Performing “Remote Security Audits” via video call to verify that research staff have a dedicated, private workspace for handling high-value IP.

Fast Track ISO 27001 Annex A 6.7 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 6.7 (Remote working), the requirement is for security measures to be implemented when personnel are working remotely to protect information outside the organization’s premises. This covers home offices, coffee shops, hotels, and co-working spaces.

Compliance factor, SaaS compliance platforms, High Table ISO 27001 Toolkit and audit evidence example:

  • Policy ownership. SaaS platforms: rent access to your remote rules; if you cancel the subscription, your documented standards and training history vanish. Toolkit: permanent assets, fully editable Word/Excel Remote Working Policies that you own forever. Evidence example: a localised “Remote Working Policy” defining home office security and public Wi-Fi restrictions.
  • Behavioural governance. SaaS platforms: attempt to “automate” behaviour via dashboards that cannot stop an employee from printing sensitive files at home. Toolkit: governance first, formalising employee expectations and hybrid work culture into an auditor-ready framework. Evidence example: a signed “WFH Security Checklist” completed by employees during their remote work induction.
  • Cost efficiency. SaaS platforms: charge a “Remote Seat Tax” based on the number of users or remote endpoints monitored. Toolkit: one-off fee; a single payment covers your remote governance for 5 employees or 5,000. Evidence example: allocating budget to privacy screens and hardware security keys rather than monthly software fees.
  • Strategic freedom. SaaS platforms: mandate rigid reporting structures that often conflict with modern, lean hybrid work models. Toolkit: 100% agnostic; procedures adapt to any stack, whether corporate managed laptops, BYOD or Virtual Desktops (VDI). Evidence example: the ability to evolve your remote work strategy without reconfiguring a rigid SaaS compliance module.

Summary: For Annex A 6.7, the auditor wants to see that you have a formal policy for remote working and proof that you educate your staff on it (e.g., training records and signed checklists). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 6.7 FAQ

What is ISO 27001 Annex A 6.7?

ISO 27001 Annex A 6.7 is a security control that mandates organisations to implement specific security measures for employees and contractors working from remote locations to protect information assets.

  • It requires a formal remote working policy and risk assessment.
  • It covers technical controls like VPNs, MFA, and device encryption.
  • It includes physical security requirements for the home office or public space.
  • It ensures that the organisation’s security posture remains consistent regardless of location.

Is a formal Remote Working Policy mandatory for ISO 27001?

Yes, in practice. The control text requires security measures to be implemented for remote working, and the ISO 27002:2022 guidance for 6.7 says these should be set out in a topic-specific policy on remote working, so an auditor will expect to see a documented policy covering the conditions, technical requirements and responsibilities for remote work.

  • The policy must define authorised hardware and software for remote use.
  • It should specify the physical security standards for home environments.
  • Guidelines for handling sensitive physical documents must be included.
  • All remote workers must provide formal acknowledgement of these rules.

What technical controls are required for secure remote access?

Technical controls for remote work must ensure secure communication and data protection through a combination of encryption and robust authentication.

  • VPN: Use an encrypted Virtual Private Network for all connections to corporate systems.
  • MFA: Implement Multi-Factor Authentication for all remote access points.
  • Encryption: Enforce full-disk encryption on all mobile devices and laptops.
  • Anti-malware: Maintain up-to-date endpoint protection and managed firewalls.

How do you manage physical security for remote workers?

Physical security for remote work involves establishing a “Secure Zone” within the home or remote location to prevent unauthorised viewing or theft of data.

  • Encourage the use of privacy screens in public or shared spaces.
  • Require that laptops are never left unattended in vehicles or public areas.
  • Mandate the use of lockable cabinets for sensitive physical documents.
  • Implement “Clear Screen” habits to prevent visual eavesdropping by household members.

Can employees use personal devices (BYOD) for remote work?

Yes, personal devices can be used, provided they are managed under a formal Bring Your Own Device (BYOD) policy and meet corporate security standards.

  • Utilise Mobile Device Management (MDM) to containerise corporate data.
  • Ensure personal devices meet minimum OS version and patching requirements.
  • Implement a remote-wipe capability for corporate data only.
  • Restrict the storage of sensitive company data directly on personal hard drives.

What are the risks of remote working in ISO 27001?

The primary risks associated with remote work include insecure network connections, physical theft of devices, and unauthorised visual access to sensitive data.

  • Increased exposure to Man-in-the-Middle (MitM) attacks on public Wi-Fi.
  • Higher probability of device loss or theft outside of controlled perimeters.
  • Lack of direct supervision over information handling and document disposal.
  • Potential for “shoulder surfing” in high-traffic remote locations.

How can organisations audit remote working compliance?

Auditing remote work involves reviewing technical logs and conducting regular awareness checks to verify that security policies are being followed off-site.

  • Review VPN and MFA logs to identify anomalous login patterns.
  • Check MDM dashboards to ensure all remote devices remain encrypted and patched.
  • Conduct security awareness surveys or quizzes specifically focused on remote work.
  • Include remote working procedures in the annual internal ISMS audit.

ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation

ISO 27001 Clause 9.2 Internal Audit

ISO 27001 Annex A 5.14 Information Transfer

ISO 27001 Annex A 7.3 Securing Offices, Rooms And Facilities

ISO 27001 Annex A 7.7 Clear Desk And Clear Screen

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.20 Network Security

Further Reading

ISO 27001 Mobile and Remote Working Policy Beginner’s Guide

ISO 27001 Clear Desk Policy: How to Write (& Template)

ISO 27001 Logging and Monitoring Policy: How to Write & Template

ISO 27001 Information Transfer Policy: How to Write (& Template)

Working Remotely at OFFICIAL and SECRET (GOV UK)

Ministry of Justice Security Guidance Remote Working

Home working: preparing your organisation and staff (National Cyber Security Centre)

ISO 27001 Annex A 6.7 Attributes Table

  • Control type: Preventive
  • Information security properties: Confidentiality, Integrity, Availability
  • Cybersecurity concepts: Protect
  • Operational capabilities: Asset management, Information protection, Physical security, System and network security
  • Security domains: Protection


Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
