ISO 27001 Annex A 6.7 Remote Working

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 6.7 Remote Working

ISO 27001 Remote Working

In this ultimate guide to ISO 27001 Annex A 6.7 Remote Working you will learn

  • What is ISO 27001 Annex A 6.7
  • How to implement ISO 27001 Annex A 6.7

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 6.7?

ISO 27001 Annex A 6.7 Remote Working is an ISO 27001 Annex A control that wants you to put security measures in place for people working remotely when they process, store or transmit information. As remote working has become more prevalent in recent times there are special considerations that need to be taken into account.


The purpose of ISO 27001 Annex A 6.7 is a preventive control that ensures information security when people are working remotely.


The ISO 27001 standard defines ISO 27001 Annex A 6.7 as:

Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organisation’s premises.

ISO 27001:2022 Annex A 6.7 Remote Working

Implementation Guide

You are going to have to:

  • implement a topic specific policy for remote working
  • ensure that the information security for workers that are operating remotely is in place
  • that what you implement complies with local laws
  • that what you implement complies with local regulations
  • that it meets the needs of the organisation
  • that it addresses the organisational risks

This is whenever people work from a location outside of your organisations premises. This includes the old fashioned terms of teleworking and telecommuting as well as flexible workplace, fully remote, virtual work environment. They all relate, in essence, to the same thing. You will check local laws and regulations as not all recommendations and guidance can be applied every where. It is after all, general guidance.

Topic specific policy for remote working

You will need to implement a topic specific policy for remote working. The topic specific Remote Working Policy Template is ready to go and fast track your implementation jam packed with everything you need.

What are the information security implications of remote working?

The security risks associated with remote working include:

  1. Data breaches
  2. Cyberattacks
  3. Fraud
  4. Employee productivity loss
  5. Employee burnout

How can organisations mitigate the security risks associated with remote working

Organisations can mitigate the security risks associated with remote working by taking a number of steps, including:

  • Implementing a remote working policy
  • Implementing a remote working procedure
  • Providing secure devices and applications to remote workers
  • Ensuring that remote workers use strong passwords and authentication methods
  • Educating remote workers about information security risks
  • Monitoring and auditing remote working activities

Physical security considerations

There are physical security considerations for remote working that include rules and associated mechanisms: such as lockable storage, filing cabinets, shredders, printers, transportation of physical media, clear desk, and disposal of media.

Consider the person and what they are doing, doing a mini risk assessment to understand the risks they are posed and then work to implement controls to mitigate those risks.

Good examples include remote printing. Not everyone will need to remote print but for those that do you can consider providing a company printer as well as a shredder.

Will the person have access to printed information, or letters and correspondence such as bank statements or contracts. Perhaps they will have to keep physical media. In this scenario we would consider providing lockable storage.

It may be the case, but not always, that people will have a home office. We can think about if having a lock is advisable based on what they do and access.

Be sensible and be practical.

Communications Security considerations

Based on the need for remote access to organisation systems and the classification of information to be processed, stored and / or transmitted you will consider the communications security requirements. This will be driven by and in conjunction with your IT and technical teams.

Remote access technology considerations

Consider how the remote access will be implemented such as the use of VPN or virtual desktops. How the protection technology will be implemented such as firewalls and protection against malware. How deploying and initialising, managing and patching of devices will be performed. Technology requirements can be satisfied by engaging with your IT teams.

Unique unauthorised access considerations

Unique to remote working is the threat posed by unauthorised access by friends and family members or from people / persons in public places. There may or may not be measures you need to put in place for this. People consider things like privacy screens or providing guidance on how best to position yourself and work in a public space. Guidance on taking and making calls can be provided that include not having confidential conversations in public places where people can be easily overheard. We have all been on a train when someone reads out their bank details or slags off a colleague on the phone. Don’t be that person.


You will provide training on remote working policy and procedures. This will include guidance on how to work securely in a remote environment.

Backup and business continuity

Your backup and business continuity plans and processes will take into account remote working and the associated challenges. Consider things like mobile devices and if you do in fact back them up, or not.


Often overlooked, you will ensure that you have appropriate insurance arrangements in place to cover remote working and the risks that it poses.

Audit and security monitoring

As part of your internal audit programme you will be performing remote audits for remote workers to check that they are operating in line with policy and process. This usually involves a remote interview over camera to view the working practices.

The challenges of remote working

The challenges of using remote working include:

  • Having operational oversight of employees
  • Increased security risks due to the uncontrolled environments worked in
  • Productivity and time management

Who is responsible for implementing remote working?

The organisation is responsible for drafting and implementing remote working. The organisations IT department is typically responsible for the technical implementation, and the organisation’s human resources department is typically responsible for implementing the processes and engaging with employees. Seek legal advice whether that is internal or external resource.

ISO 27001 Templates

Having an ISO 27001 template for control 6.7 can help fast track your implementation. The ISO 2700 Toolkit is the ultimate resource for your ISO 27001 implementation. The topic specific Remote Working Policy Template is ready to go if you did not want the complete ISO 27001 toolkit.


All the templates, tools, support and knowledge you need to do it yourself.

ISO 27001 Toolkit Business Edition

How to comply

To comply with ISO 27001 Annex A 6.7 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  • Write, sign off, implement and communicate your topic specific policy on remote working
  • Write, sign off, implement and communicate your remote working procedures
  • Consider the risks of physical security and provide assets that can mitigate the risk such as screen protectors, lockable cupboards, home shredders
  • Implement communications technology that allows people to connect, use and communicate in the work environment
  • Provide on going training and awareness of the risks and mitigations associated with remote working
  • Consider the level to which remote working backup will or will not be implemented
  • Ensure that appropriate insurance is in place
  • Ensure that work environments meet all health and safety laws as well as local laws and regulations
  • Implement a process of internal audit that checks that the appropriate controls are in place and effective and where they are not follow the continual improvement process to address the risks

How to pass an audit

To pass an audit of ISO 27001 Annex A 6.7 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas for compliance with Annex A 6.7. Lets go through them

1. That you have conducted audits of remote working

Remote working provides a unique challenge as it allows working in uncontrolled environments. As part of your risk assessment you will have selected the controls that you need based on risk. As part of your governance you will audit those controls based on the risk and at least annually to ensure that they are effective and operating as intended. You will keep records or audit as well as audit report and evidence that the audit reports were communicated to the right people. Where controls were seen to be in effective you will have evidence of continual improvement and risk management to show how you manage the nonconformity.

2. That you have appropriate technical controls in place

Due to the risks associated with remote working you will have evidenced that you have considered and chosen appropriate technologies to mitigate the risks. The audit will check the controls, that they appropriate, proportionate and in control. Evidence of reports, monitors and measures will be examined.

3. That people are aware of their responsibilities

The audit is going to check for documented processes, documented topic specific policy and these have been communicated and people have been trained on what is required of them.

Top 3 Mistakes People Make

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.7 are

1. You have no evidence that anything actually happened

You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans and training plans on remote working. For the controls that you have implemented be able to sure the management monitors, reports and metrics. If it isn’t written down it didn’t happen.

2. One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have. Do they know where the process documents are in relation to remote working? Do a pre audit as close to the audit as you can that checks the remote workers that will be involved. Assuming they are doing the right thing is a recipe for disaster. Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Why is ISO 27001 Annex A 6.7 Remote Working Important?

The control is important because more and more people are now working remotely. The old traditions of working from an office are being replaced with more flexible working but with more flexible working come more challenges. This control address those challenges by identifying the risks and working on controls that are appropriate to you to mitigate those risks.

What are the Benefits of Remote Working?

The main benefit is that it allows you to mitigate the risk of remote working. Remote working poses unique challenges are you do not control the physical environment so the risks needs to be assessed and appropriate controls implemented.

Other than your ISO 27001 certification potentially requiring it, the following are benefits of ISO 27001 Annex A 6.7:

  • Improved Risk: Reduced risk of data breach due to remote working
  • Improved Compliance: Meet the needs of laws and regulations that require remote working controls to be place
  • Reputation Protection: In the event of a breach having effective remote working controls in place will reduce the potential for fines and reduce the PR impact of an event


What are examples of remote working controls?

Controls that can mitigate the risks of remote working include:
1. Screen privacy protectors
2. VPN connection technology
3. End Point Device Management
4. Home Office Shredders
5. Home Office Lockable Storage
6. Two Factor Authentication

Do I have to satisfy ISO 27001 Annex A 6.7 for ISO 27001 Certification?

If you have remote workers then yes. This is required if people work in a physical environment that you do not control.

Are there free templates for ISO 27001 Annex A 6.7?

There are templates for ISO 27001 included in the ISO 27001 Toolkit

ISO 27001 Annex A 6.7 sample PDF?

ISO 27001 Annex A 6.7 Sample PDF is the topic specific ISO 27001 Remote Working Policy

Can I write a topic specific policy for ISO 27001 Remote Working myself?

Yes. You can write the remote working policy for ISO 27001 Annex A 6.7 yourself. You will need a copy of the standard and approximately 1 week of time to do it. It would be advantageous to have a background in information security management systems.

Where can I get templates for ISO 27001 Annex A 6.7?

ISO 27001 templates for ISO 27001 Annex A 6.7 are part of the ISO 27001 Toolkit

How hard is ISO 27001 Annex A 6.7?

ISO 27001 Annex A 6.7 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. We would recommend ISO 27001 templates to fast track your implementation.

How long will ISO 27001 Annex A 6.7 take me?

ISO 27001 Annex A 6.7 will take approximately 1 week to complete if you are starting from nothing and doing it yourself. Or you could download the High Table ISO 27001 Remote Working Policy.

How much will ISO 27001 Annex A 6.7 cost me?

The cost of ISO 27001 Annex A 6.7 will depend how you go about it. If you do it yourself it will be free but will take you about 1 week so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download an ISO Policy Template then you are looking at a around £10.

Matrix of ISO 27001 Controls and Attribute values

Control typeInformation
security properties
Security domains
ProtectAsset Management
Information protection
Physical security
System and Network security