Remote working is a work arrangement where employees perform their duties from a location other than a traditional office. This could be their home, a coffee shop, a co-working space, or any other location with a suitable internet connection. In ISO 27001 this is known as ISO27001:2022 Annex A 6.7 Remote Working. It is one of the 93 ISO 27001 Annex A controls.
The requirement is for security measures to be implemented when personnel are working remotely to protect information when it is outside the organisation’s premises.
Key Takeaways
- If you work fully remotely, the office-focused ISO 27001 physical security controls apply in a much reduced form; the risks they address still have to be considered for each remote location
- Remote working security can be addressed with technical controls
- People need to be educated on working remotely
Table of contents
- Key Takeaways
- Benefits of implementing Remote Working
- Watch the tutorial
- How to implement ISO 27001 Remote Working
- How to pass the audit
- What the auditor will check
- Top 3 Mistakes People Make
- ISO 27001 Remote Working FAQ
- Related ISO 27001 Controls
- Further Reading
- External Links
- ISO 27001 Annex A 6.7 Attributes Table
Benefits of implementing Remote Working
The main benefit is that it allows you to mitigate the risk of remote working. Remote working poses unique challenges as you do not control the physical environment so the risks need to be assessed and appropriate controls implemented. The benefits of implementing ISO 27001 Remote Working include:
- Reduced risk of data breach due to remote working
- Improved compliance with laws and regulations that require remote working controls to be in place
- Protection of confidential information
- Building trust with employees and third parties
- Reputation protection: in the event of a breach, having effective remote working controls in place reduces the potential for fines and the PR impact of the event.
Watch the tutorial
In the video ISO 27001 Remote Working Explained – ISO27001:2022 Annex A 6.7 I show you how to implement it and how to pass the audit.
How to implement ISO 27001 Remote Working
You are going to have to:
- implement a topic specific policy for remote working
- ensure that the information security for workers that are operating remotely is in place
- show that what you implement complies with local laws
- demonstrate that what you implement complies with local regulations
- ensure that it meets the needs of the organisation
- show that it addresses the organisational risks
This applies whenever people work from a location outside of your organisation's premises. It includes the older terms teleworking and telecommuting as well as flexible workplace, fully remote and virtual work environment. They all relate, in essence, to the same thing. You will check local laws and regulations, as not all recommendations and guidance can be applied everywhere. It is, after all, general guidance.
ISO 27001 Remote Working Policy
You will need to implement a topic specific policy for remote working. The topic specific ISO 27001 Remote Working Policy Template is ready to go and fast track your implementation jam packed with everything you need.
Information security implications of remote working
The security and business risks associated with remote working include:
- Data breaches
- Cyberattacks
- Fraud
- Employee productivity loss
- Employee burnout
Mitigating the security risks associated with remote working
Organisations can mitigate the security risks associated with remote working by taking a number of steps, including:
- Implementing a remote working policy
- Implementing a remote working procedure
- Providing secure devices and applications to remote workers
- Ensuring that remote workers use strong passwords and authentication methods
- Educating remote workers about information security risks
- Monitoring and auditing remote working activities
Physical security
There are physical security considerations for remote working that include rules and associated mechanisms such as lockable storage, filing cabinets, shredders, printers, transportation of physical media, clear desk, and disposal of media.
Consider the person and what they do, perform a mini risk assessment to understand the risks they are exposed to, and then implement controls to mitigate those risks.
A good example is remote printing. Not everyone will need to print remotely, but for those who do you can consider providing a company printer as well as a shredder.
Will the person have access to printed information, or to letters and correspondence such as bank statements or contracts? Perhaps they will have to keep physical media. In this scenario we would consider providing lockable storage.
It may be the case, but not always, that people have a home office. Consider whether a lockable room is advisable based on what they do and what they access.
Be sensible and be practical.
Communication security
Based on the need for remote access to organisation systems and the classification of information to be processed, stored and/or transmitted, you will consider the communications security requirements. This will be driven by, and agreed in conjunction with, your IT and technical teams.
Remote access technology
Consider how remote access will be implemented (for example VPN or virtual desktops), how protective technology such as firewalls and protection against malware will be implemented, and how deploying, initialising, managing and patching devices will be performed. Technology requirements can be satisfied by engaging with your IT teams.
Unauthorised access unique to remote working
Unique to remote working is the threat of unauthorised access by friends and family members, or by people in public places. There may or may not be measures you need to put in place for this. Typical measures include privacy screens and guidance on how best to position yourself when working in a public space. Guidance on taking and making calls can be provided, including not having confidential conversations in public places where you can easily be overheard. We have all been on a train when someone reads out their bank details or slags off a colleague on the phone. Don't be that person.
Training
You will provide training on the ISO 27001 remote working policy and procedures. This will include guidance on how to work securely in a remote environment.
Backup and business continuity
Your backup and business continuity plans and processes will take into account remote working and the associated challenges. Consider things like mobile devices and whether you in fact back them up at all.
Insurance
Often overlooked, you will ensure that you have appropriate insurance arrangements in place to cover remote working and the risks that it poses.
Audit and security monitoring
As part of your internal audit programme you will be performing remote audits for remote workers to check that they are operating in line with policy and process. This usually involves a remote interview over camera to view the working practices.
How to pass the audit
To comply with ISO 27001 Annex A 6.7 Remote Working you are going to implement the 'how' for the 'what' the control expects. In short, you are going to:
- Write, sign off, implement and communicate your topic specific policy on remote working
- Write, sign off, implement and communicate your remote working procedures
- Consider the physical security risks and provide assets that can mitigate them, such as privacy screens, lockable cupboards and home shredders
- Implement secure communications technology (for example VPN or virtual desktops) that allows people to connect to and work within the organisation's systems
- Provide on going training and awareness of the risks and mitigations associated with remote working
- Consider the level to which remote working backup will or will not be implemented
- Ensure that appropriate insurance is in place
- Ensure that work environments meet all health and safety laws as well as local laws and regulations
- Implement a process of internal audit that checks that the appropriate controls are in place and effective and where they are not follow the continual improvement process to address the risks
To pass an audit of ISO 27001 Annex A 6.7 you are going to make sure that you have followed the steps above in how to comply.
What the auditor will check
The audit is going to check a number of areas for compliance with ISO 27001 Annex A 6.7. Let's go through them.
1. That you have conducted audits of remote working
Remote working provides a unique challenge as it allows working in uncontrolled environments. As part of your risk assessment you will have selected the controls that you need based on risk. As part of your governance you will audit those controls based on risk, and at least annually, to ensure that they are effective and operating as intended. You will keep records of the audits, the audit reports, and evidence that the audit reports were communicated to the right people. Where controls were found to be ineffective you will have evidence of continual improvement and risk management to show how you managed the nonconformity.
2. That you have appropriate technical controls in place
Due to the risks associated with remote working you will have evidenced that you have considered and chosen appropriate technologies to mitigate the risks. The audit will check that the controls are appropriate, proportionate and operating as intended. Evidence of reports, monitors and measures will be examined.
3. That people are aware of their responsibilities
The audit is going to check for documented processes and a documented topic-specific policy, and that these have been communicated and people have been trained on what is required of them.
Top 3 Mistakes People Make
In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.7 Remote Working are
1. You have no evidence that anything actually happened
You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans and training plans on remote working. For the controls that you have implemented, be able to show the management monitors, reports and metrics. If it isn't written down it didn't happen.
2. One or more members of your team haven’t done what they should have done
Prior to the audit, check that all members of the team have done what they should have. Do they know where the process documents for remote working are? Do a pre-audit as close to the audit as you can that checks the remote workers who will be involved. Assuming they are doing the right thing is a recipe for disaster. Check!
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and leaving no unresolved comments in documents are all good practices.
ISO 27001 Remote Working FAQ
ISO 27001 Annex A 6.7, Remote Working, is a control within the ISO 27001 standard that addresses the information security risks associated with employees working outside the organisation’s physical premises. It aims to ensure that the same level of information security is maintained regardless of the working location.
The primary objective is to implement appropriate security measures for remote working to protect information and information processing facilities, ensuring the security of the organisation’s assets and compliance with its information security policies.
Remote working is not limited to working from home. It encompasses any scenario where an employee or authorised individual accesses organisational information or systems from a location outside the organisation's controlled premises, including home, co-working spaces, client sites, hotels, or travel.
Key considerations include:
Secure access to organisational systems and data.
Protection of devices used for remote work (laptops, smartphones, tablets).
Physical security of the remote working environment.
Data transfer and storage security.
Awareness and training for remote workers.
Incident management for remote working scenarios.
Organisations should establish a comprehensive remote working policy that covers aspects such as:
Acceptable use of devices and networks.
Procedures for connecting to the corporate network (e.g., VPN).
Guidelines for physical security of the remote workspace.
Data handling and storage rules.
Reporting security incidents.
Responsibilities of remote workers.
Common technological controls include:
Virtual Private Networks (VPNs) for secure network access.
Multi-Factor Authentication (MFA).
Endpoint security solutions (antivirus, anti-malware).
Data encryption (at rest and in transit).
Secure remote access technologies (e.g., VDI – Virtual Desktop Infrastructure).
Regular patching and updates for remote devices.
The human aspect is critical. It involves:
Educating remote workers on information security risks, policies, and best practices.
Clearly defining the security responsibilities of remote employees.
Providing adequate IT support for remote workers to address security concerns or technical issues.
While not in a traditional office, remote workers still need to consider physical security. This includes:
Securing devices (e.g., not leaving laptops unattended in public).
Protecting sensitive documents from unauthorised access at home.
Ensuring the remote workspace is private and secure from prying eyes.
Secure communication channels are vital. This means using encrypted messaging platforms, secure video conferencing tools, and ensuring that sensitive information is not discussed in insecure environments or over unencrypted lines.
Organisations need clear procedures for remote workers to report security incidents immediately. The incident response plan should account for the geographical dispersion of remote workers and the need for remote forensic capabilities.
While not explicitly demanding separate audits, an organisation’s overall internal audit program for ISO 27001 should include an assessment of the effectiveness of controls related to remote working. This might involve reviewing remote access logs, policy compliance, and training records.
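Reviewing remote access logs against the remote working policy is one of the checks named above (monitoring and auditing remote working activities) and again here. The following is an added example, not code from the original article or from any VPN vendor: it walks a small set of constructed remote-access log lines in a hypothetical key=value format and flags allowed sessions that breached the policy (no MFA, or an unmanaged device) as well as lines the parser could not read, because a log that does not look like what the policy assumes is itself an audit finding. The field names, the sample data and the two policy rules are assumptions to be replaced with your own.

```python
"""Audit check over remote-access logs for ISO 27001 Annex A 6.7 evidence.

Added example with constructed data; the log format is hypothetical and
not any vendor's. Adapt LINE_RE and the policy rules to your own gateway
and topic-specific remote working policy.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample log lines (hypothetical format). Source addresses are
# taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=a.patel device=LT-0412 managed=yes mfa=yes result=allowed src=198.51.100.23
2024-03-04T08:05:40Z user=j.wong device=personal-phone managed=no mfa=yes result=allowed src=203.0.113.9
2024-03-04T08:09:03Z user=s.ortiz device=LT-0398 managed=yes mfa=no result=allowed src=192.0.2.77
2024-03-04T08:11:27Z user=k.nakamura device=LT-0451 managed=yes mfa=no result=denied src=192.0.2.15
2024-03-04T08:12:00Z gateway restarted, session table flushed
"""

# Strict pattern: anything that does not match is reported, never skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) device=(?P<device>\S+) managed=(?P<managed>yes|no) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>allowed|denied) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    issue: str    # stable code, used for metrics
    detail: str   # human-readable explanation for the audit report


def audit_remote_access(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per policy breach or unreadable line.

    Policy encoded here (assumed):
      - every allowed session must have used MFA;
      - every allowed session must come from a managed (corporate) device.
    Denied attempts never reached organisational data, so they are not
    breaches of this policy and are left for a separate access-denied report.
    """
    findings: List[Finding] = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            findings.append(Finding(line_no, "-", "UNPARSEABLE",
                                    "log line does not match expected format"))
            continue
        if m["result"] != "allowed":
            continue
        if m["mfa"] != "yes":
            findings.append(Finding(line_no, m["user"], "NO_MFA",
                                    "session allowed without multi-factor authentication"))
        if m["managed"] != "yes":
            findings.append(Finding(line_no, m["user"], "UNMANAGED_DEVICE",
                                    f"unmanaged device {m['device']} granted access"))
    return findings


def summarise(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per issue code: the metric an auditor asks to see."""
    return dict(Counter(f.issue for f in findings))


if __name__ == "__main__":
    results = audit_remote_access(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"line {f.line_no}: {f.user}: {f.issue}: {f.detail}")
    print("summary:", summarise(results))
```

Run against a real export, the per-issue counts become the monitoring metric for this control, and each Finding is the line-level evidence the auditor asks for. Keep the pattern strict: a relaxed parser that quietly skips lines it does not understand hides exactly the gaps an audit exists to surface.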
If an organisation allows Bring Your Own Device (BYOD) for remote working, the risk assessment behind Annex A 6.7 should lead to specific controls for those devices. These typically include a mobile device management (MDM) solution, clear policies on separating corporate from personal data, secure access methods, and procedures for wiping corporate data from personal devices when an employee leaves or a device is lost.
Controls that can mitigate the risks of remote working include:
1. Screen privacy protectors
2. VPN connection technology
3. End Point Device Management
4. Home Office Shredders
5. Home Office Lockable Storage
6. Two Factor Authentication
The control is important because more and more people are now working remotely. The old tradition of working from an office is being replaced with more flexible working, but with more flexible working come more challenges. This control addresses those challenges by identifying the risks and implementing controls appropriate to you to mitigate them.
If you have remote workers, the control applies to you. It is required whenever people work in a physical environment that you do not control.
The organisation is responsible for drafting and implementing the remote working policy. The organisation's IT department is typically responsible for the technical implementation, and the human resources department is typically responsible for implementing the processes and engaging with employees. Seek legal advice, whether from internal or external resources, on the local laws and regulations that apply.
The challenges of using remote working include:
Having operational oversight of employees
Increased security risks due to the uncontrolled environments worked in
Productivity and time management
There are templates that support ISO 27001 Annex A 6.7 included in the ISO 27001 Toolkit
You can write the remote working policy for ISO 27001 Annex A 6.7 yourself. You will need a copy of the standard and approximately 1 week of time to do it. It would be advantageous to have a background in information security management systems.
ISO 27001 templates that support ISO 27001 Annex A 6.7 are part of the ISO 27001 Toolkit
ISO 27001 Annex A 6.7 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. We would recommend ISO 27001 templates to fast track your implementation.
ISO 27001 Annex A 6.7 will take approximately 1 week to complete if you are starting from nothing and doing it yourself. Or you could download the High Table ISO 27001 Remote Working Policy.
The cost of ISO 27001 Annex A 6.7 will depend on how you go about it. If you do it yourself it will be free, but it will take you about 1 week, so the cost is the opportunity cost of tying up resource on something that can be downloaded. If you download an ISO policy template you are looking at around £10.
An organisation can use third-party services (e.g. cloud-based security solutions, managed IT services) to support remote working security. However, the organisation remains ultimately responsible for ensuring that the implemented controls meet the requirements of Annex A 6.7 and its overall ISMS. Due diligence and contractual agreements are essential.
Related ISO 27001 Controls
ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation
ISO 27001 Clause 9.2 Internal Audit
ISO 27001 Annex A 5.14 Information Transfer
ISO 27001 Annex A 7.3 Securing Offices, Rooms And Facilities
ISO 27001 Annex A 7.7 Clear Desk And Clear Screen
ISO 27001 Annex A 8.1 User Endpoint Devices
ISO 27001 Annex A 8.7 Protection Against Malware
ISO 27001 Annex A 8.12 Data Leakage Prevention
ISO 27001 Annex A 8.15 Logging
ISO 27001 Annex A 8.16 Monitoring Activities
ISO 27001 Annex A 8.20 Network Security
Further Reading
ISO 27001 Mobile and Remote Working Policy Beginner’s Guide
ISO 27001 Clear Desk Policy: How to Write (& Template)
ISO 27001 Logging and Monitoring Policy: How to Write & Template
ISO 27001 Information Transfer Policy: How to Write (& Template)
External Links
Working Remotely at OFFICIAL and SECRET (GOV UK)
Ministry of Justice Security Guidance Remote Working
Home working: preparing your organisation and staff (National Cyber Security Centre)
ISO 27001 Annex A 6.7 Attributes Table
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| --- | --- | --- | --- | --- |
| Preventive | Confidentiality, Integrity, Availability | Protect | Asset management, Information protection, Physical security, System and network security | Protection |