I am going to show you what ISO 27001 Annex A 6.7 Remote Working is, what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it.
I am Stuart Barker, the ISO 27001 Ninja. Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications, I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.
Table of contents
- What is ISO 27001 Annex A 6.7 Remote Working?
- ISO 27001 Annex A 6.7 Remote Working Implementation Guide
- ISO 27001 Annex A 6.7 Templates
- How to comply with ISO 27001 Annex A 6.7
- How to pass an audit of ISO 27001 Annex A 6.7
- What will an audit check?
- Top 3 Mistakes People Make for ISO 27001 Annex A 6.7
- Why is ISO 27001 Annex A 6.7 Remote Working Important?
- What are the Benefits of Remote Working?
- ISO 27001 Annex A 6.7 FAQ
- Get the Help of the ISO 27001 Ninja
- Matrix of ISO 27001 Controls and Attribute values
What is ISO 27001 Annex A 6.7 Remote Working?
ISO 27001 Annex A 6.7 Remote Working is an ISO 27001 control that wants you to put security measures in place for people working remotely when they process, store or transmit information. As remote working has become more prevalent in recent times there are special considerations that need to be taken into account.
ISO 27001 Annex A 6.7 Purpose
Annex A 6.7 is a preventive control that ensures information security when people are working remotely.
ISO 27001 Annex A 6.7 Definition
The ISO 27001 standard defines ISO 27001 Annex A 6.7 as:
Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organisation’s premises. (ISO 27001:2022 Annex A 6.7 Remote Working)
ISO 27001 Annex A 6.7 Remote Working Implementation Guide
You are going to have to:
- implement a topic specific policy for remote working
- ensure that information security for workers who are operating remotely is in place
- ensure that what you implement complies with local laws
- ensure that what you implement complies with local regulations
- ensure that it meets the needs of the organisation
- ensure that it addresses the organisational risks
This applies whenever people work from a location outside of your organisation’s premises. It includes the old-fashioned terms of teleworking and telecommuting as well as flexible workplace, fully remote and virtual work environment. They all relate, in essence, to the same thing. You will check local laws and regulations, as not all recommendations and guidance can be applied everywhere. It is, after all, general guidance.
Topic specific policy for remote working
You will need to implement a topic specific policy for remote working. The topic specific Remote Working Policy Template is ready to go, jam packed with everything you need, and will fast track your implementation.
What are the information security implications of remote working?
The security risks associated with remote working include:
- Data breaches
- Employee productivity loss
- Employee burnout
How can organisations mitigate the security risks associated with remote working?
Organisations can mitigate the security risks associated with remote working by taking a number of steps, including:
- Implementing a remote working policy
- Implementing a remote working procedure
- Providing secure devices and applications to remote workers
- Ensuring that remote workers use strong passwords and authentication methods
- Educating remote workers about information security risks
- Monitoring and auditing remote working activities
Physical security considerations
There are physical security considerations for remote working that include rules and associated mechanisms such as lockable storage, filing cabinets, shredders, printers, transportation of physical media, clear desk, and disposal of media.
Consider the person and what they are doing, do a mini risk assessment to understand the risks they face, and then work to implement controls to mitigate those risks.
Good examples include remote printing. Not everyone will need to print remotely, but for those that do you can consider providing a company printer as well as a shredder.
Will the person have access to printed information, or to letters and correspondence such as bank statements or contracts? Perhaps they will have to keep physical media. In this scenario we would consider providing lockable storage.
It may be the case, but not always, that people will have a home office. We can think about whether a lock is advisable based on what they do and what they access.
Be sensible and be practical.
Communications Security considerations
Based on the need for remote access to organisation systems and the classification of information to be processed, stored and / or transmitted you will consider the communications security requirements. This will be driven by and in conjunction with your IT and technical teams.
Remote access technology considerations
Consider how remote access will be implemented, such as the use of VPN or virtual desktops; how protection technology such as firewalls and protection against malware will be implemented; and how deploying, initialising, managing and patching of devices will be performed. Technology requirements can be satisfied by engaging with your IT teams.
Unique unauthorised access considerations
Unique to remote working is the threat posed by unauthorised access by friends and family members or by people in public places. There may or may not be measures you need to put in place for this. Measures people consider include privacy screens and guidance on how best to position yourself and work in a public space. Guidance on taking and making calls can be provided, including not having confidential conversations in public places where people can be easily overheard. We have all been on a train when someone reads out their bank details or slags off a colleague on the phone. Don’t be that person.
You will provide training on remote working policy and procedures. This will include guidance on how to work securely in a remote environment.
Backup and business continuity
Your backup and business continuity plans and processes will take into account remote working and the associated challenges. Consider things like mobile devices and if you do in fact back them up, or not.
Often overlooked: you will ensure that you have appropriate insurance arrangements in place to cover remote working and the risks that it poses.
Audit and security monitoring
As part of your internal audit programme you will be performing remote audits for remote workers to check that they are operating in line with policy and process. This usually involves a remote interview over camera to view the working practices.
What are the challenges of remote working?
The challenges of using remote working include:
- Having operational oversight of employees
- Increased security risks due to the uncontrolled environments worked in
- Productivity and time management
Who is responsible for implementing remote working?
The organisation is responsible for drafting and implementing remote working. The organisation’s IT department is typically responsible for the technical implementation, and the organisation’s human resources department is typically responsible for implementing the processes and engaging with employees. Seek legal advice, whether from an internal or an external resource.
ISO 27001 Annex A 6.7 Templates
Having an ISO 27001 template for control 6.7 can help fast track your implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 implementation. The topic specific Remote Working Policy Template is ready to go if you do not want the complete ISO 27001 toolkit.
How to comply with ISO 27001 Annex A 6.7
To comply with ISO 27001 Annex A 6.7 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:
- Write, sign off, implement and communicate your topic specific policy on remote working
- Write, sign off, implement and communicate your remote working procedures
- Consider the risks of physical security and provide assets that can mitigate the risk, such as screen privacy protectors, lockable cupboards and home shredders
- Implement communications technology that allows people to connect, use and communicate in the work environment
- Provide ongoing training and awareness of the risks and mitigations associated with remote working
- Consider the level to which remote working backup will or will not be implemented
- Ensure that appropriate insurance is in place
- Ensure that work environments meet all health and safety laws as well as local laws and regulations
- Implement a process of internal audit that checks that the appropriate controls are in place and effective and, where they are not, follow the continual improvement process to address the risks
How to pass an audit of ISO 27001 Annex A 6.7
To pass an audit of ISO 27001 Annex A 6.7 you are going to make sure that you have followed the steps above in how to comply.
You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.
What will an audit check?
The audit is going to check a number of areas for compliance with Annex A 6.7. Let’s go through them.
1. That you have conducted audits of remote working
Remote working provides a unique challenge as it allows working in uncontrolled environments. As part of your risk assessment you will have selected the controls that you need based on risk. As part of your governance you will audit those controls based on the risk, and at least annually, to ensure that they are effective and operating as intended. You will keep records of audits as well as audit reports and evidence that the audit reports were communicated to the right people. Where controls were seen to be ineffective you will have evidence of continual improvement and risk management to show how you managed the nonconformity.
2. That you have appropriate technical controls in place
Due to the risks associated with remote working you will have evidenced that you have considered and chosen appropriate technologies to mitigate the risks. The audit will check the controls: that they are appropriate, proportionate and under control. Evidence of reports, monitors and measures will be examined.
3. That people are aware of their responsibilities
The audit is going to check for documented processes and a documented topic specific policy, and that these have been communicated and people have been trained on what is required of them.
Top 3 Mistakes People Make for ISO 27001 Annex A 6.7
In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.7 are:
1. You have no evidence that anything actually happened
You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans and training plans on remote working. For the controls that you have implemented, be able to show the management monitors, reports and metrics. If it isn’t written down, it didn’t happen.
2. One or more members of your team haven’t done what they should have done
Prior to the audit, check that all members of the team have done what they should have. Do they know where the process documents are in relation to remote working? Do a pre-audit as close to the audit as you can that checks the remote workers who will be involved. Assuming they are doing the right thing is a recipe for disaster. Check!
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no leftover comments are all good practices.
Why is ISO 27001 Annex A 6.7 Remote Working Important?
The control is important because more and more people are now working remotely. The old tradition of working from an office is being replaced with more flexible working, but with more flexible working come more challenges. This control addresses those challenges by identifying the risks and working on controls that are appropriate to you to mitigate those risks.
What are the Benefits of Remote Working?
The main benefit is that it allows you to mitigate the risk of remote working. Remote working poses unique challenges, as you do not control the physical environment, so the risks need to be assessed and appropriate controls implemented.
Other than your ISO 27001 certification potentially requiring it, the following are benefits of ISO 27001 Annex A 6.7:
- Improved Risk: Reduced risk of data breach due to remote working
- Improved Compliance: Meet the needs of laws and regulations that require remote working controls to be in place
- Reputation Protection: In the event of a breach, having effective remote working controls in place will reduce the potential for fines and reduce the PR impact of an event
ISO 27001 Annex A 6.7 FAQ
There are templates for ISO 27001 included in the High Table ISO 27001 Toolkit.
The ISO 27001 Annex A 6.7 Sample PDF is the topic specific ISO 27001 Remote Working Policy.
If you have remote workers then yes. This is required if people work in a physical environment that you do not control.
Yes. You can write the remote working policy for ISO 27001 Annex A 6.7 yourself. You will need a copy of the standard and approximately 1 week of time to do it. It would be advantageous to have a background in information security management systems.
ISO 27001 templates for ISO 27001 Annex A 6.7 are part of the High Table ISO 27001 Toolkit.
ISO 27001 Annex A 6.7 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. We would recommend ISO 27001 templates to fast track your implementation.
ISO 27001 Annex A 6.7 will take approximately 1 week to complete if you are starting from nothing and doing it yourself. Or you could download the High Table ISO 27001 Remote Working Policy.
The cost of ISO 27001 Annex A 6.7 will depend on how you go about it. If you do it yourself it will be free but will take you about 1 week, so the cost is the lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download an ISO Policy Template then you are looking at around £10.
Controls that can mitigate the risks of remote working include:
1. Screen privacy protectors
2. VPN connection technology
3. End Point Device Management
4. Home Office Shredders
5. Home Office Lockable Storage
6. Two Factor Authentication
Get the Help of the ISO 27001 Ninja
Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster than you ever thought possible.
Matrix of ISO 27001 Controls and Attribute values
System and Network security