A Mobile and Remote Working Policy is used to manage the risks that come with using mobile devices and to keep your information safe when you’re working away from the office. This policy covers things like registering your mobile devices, outlining your responsibilities as the device owner, and using mobile firewalls, remote wipe, and backup tools.
This is also your Remote Working policy. Working remotely is becoming more common, and you might find yourself spending less time at the main company office, whether you’re at home or in a virtual one. This policy will help you address the potential risks that this poses to your information security.
Table of contents
- What is it?
- Applicability to different business types
- ISO 27001 Mobile and Remote Working Policy Template
- Why you need it
- When you need it
- Who needs it
- Where you need it
- How to write it
- How to implement it
- Examples of Using It for Small Business
- Examples of Using It for Tech Startups
- Examples of Using It for AI Companies
- How the ISO 27001 toolkit can help
- Information security standards that need it
- List of relevant ISO 27001:2022 controls
- ISO 27001 Mobile and Remote Working Policy Example
- ISO 27001 Mobile and Remote Working Policy FAQ
What is it?
An ISO 27001 Mobile and Remote Working Policy is your simple guide to the rules for working from home or on the go. It’s a set of rules and guidelines that make sure you’re keeping company information safe and sound, no matter where you’re working from. Think of it as a safety plan for your laptop and phone when you’re not in the office. This policy helps your company protect its valuable data from cyber threats, like hackers or data leaks, by making sure you know the do’s and don’ts of remote work.
Applicability to different business types
This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.
- Small Businesses: You can make your remote work secure and professional without a huge IT team. This policy helps you set clear expectations for employees, so everyone is on the same page about what’s safe and what’s not.
- Tech Startups: You’re all about innovation, and your team is likely working from all over the place. This policy is key to protecting your intellectual property and client data from the get-go. It shows clients you take security seriously.
- AI Companies: Your data is your most valuable asset. A strong remote working policy is crucial to prevent the loss or theft of the massive datasets you use to train your models. It’s about protecting your competitive edge.
ISO 27001 Mobile and Remote Working Policy Template
Using a template is like getting a head start on a project. You can find pre-made ISO 27001 Mobile and Remote Working Policy templates online. They’re already structured to meet the ISO 27001 standard, so you just need to fill in your company’s specific details. This saves you a ton of time and ensures you don’t miss any important security steps.
Why you need it
You need this policy to keep your company’s sensitive information safe. Without it, you’re leaving a lot to chance. Hackers are always looking for weak spots, and a remote worker’s home network can be an easy target. This policy helps you plug those security holes and build a culture of security among your team. It also shows your customers and partners that you’re serious about protecting their data, which can build trust and lead to more business.
When you need it
You need this policy as soon as your employees start working remotely, even if it’s just for a day. The minute a company device leaves the office, the risk goes up. This policy should be in place before you let people work from home full-time, use their personal devices for work, or access company data on the go.
Who needs it
Everyone in your company needs this policy! From the CEO to the newest intern, anyone who works remotely or uses a mobile device for work needs to follow these rules. It’s a team effort to keep the company’s data safe. The IT department will manage the policy, but every single employee is responsible for following it.
Where you need it
You need this policy to cover any place outside of your main office. This includes your employees’ homes, coffee shops, hotel rooms, and even airports. Basically, anywhere you or your team might be working from, this policy applies.
How to write it
Writing this policy is all about being clear and simple.
- Start with the basics: Explain the purpose of the policy and who it applies to.
- Define the rules: Lay out the do’s and don’ts. For example, use strong passwords, connect to a secure Wi-Fi, and don’t leave your devices unlocked.
- Cover security measures: Talk about things like encryption, firewalls, and using a VPN (Virtual Private Network).
- Include what happens if something goes wrong: Explain the process for reporting a lost device or a security incident.
- Keep it easy to read: Use simple language so everyone can understand and follow the rules without a problem.
Time needed: 1 hour and 30 minutes
How to write an ISO 27001 mobile and remote working policy
- Include a Purpose Statement
To manage the risks introduced by using mobile devices and to protect information accessed, processed and stored at teleworking sites.
- Include a Scope Statement
All company employees and external party users.
All company mobile devices.
All personal devices used to access, process or store company information.
- Include a Principle Statement
Mobile devices and remote sites are to have adequate protection of company information.
- Include an Overview Statement
The policy includes the popular Bring Your Own Device Policy, often abbreviated to BYOD. There are considerations for data protection and GDPR. The policy is not designed to prevent employees from flexible working, rather it is intended to protect the information assets of the business in a practical and pragmatic way. Where possible it would be good practice for mobile devices that connect to confidential business data to be provided by, and managed by, the business. These would be managed by the asset management process and covered by the asset management policy.
- Write content for the required sections
The required sections are:
Mobile Device Registration
Mobile Device Assigned Owner Responsibilities
Mobile Device Firewall
Mobile Remote Wipe
Mobile Back Up
Teleworking / Remote Working Policy
Bring Your Own Device Policy ( BYOD )
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement
- Describe Mobile Device Registration
Mobile devices are recorded in the asset register.
Mobile devices are assigned to a named individual.
Assigned owners are provided with a copy of the Mobile and Teleworking policy and informed of their responsibility for the device and the information contained on it.
Mobile devices have appropriate encryption, anti-virus and access control installed where available.
- Set out Mobile Device Assigned Owner Responsibilities
Assigned owners are personally responsible for the device, and specifically:
To ensure operating system and application patching is up to date.
To ensure encryption and antivirus, where installed, are enabled.
To ensure the device is not left unattended and is physically secured when not in use.
To only access the company information required for their role, in line with the Access Control Policy.
To not install software or change the device in a way that would breach the company information security policy, regulations, or applicable legislation.
To not store personal or confidential data on the device unless authorised and recorded in the asset register.
To not allow others, including family members, to access or use the assigned device.
To return the mobile device when it is no longer required, when requested, or when leaving the company's employment.
- Describe the Mobile Device Firewall
Any mobile device connecting to the payment card cardholder data environment must have a personal firewall installed and configured.
The personal firewall software must be configured to specific documented configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices.
- Lay out Mobile Remote Wipe
Mobile devices are enabled to have their contents remotely wiped in the event of loss or theft. This feature is enabled prior to the user being given access to the mobile device and mobile devices have their automatic lockout enabled.
- Describe Mobile Back Up
Mobile devices are not backed up by default to company backup solutions; backing up the device is the responsibility of the assigned user.
- Write your Bring Your Own Device Policy (BYOD)
It is not the company policy to allow ‘bring your own device’ or use of personal mobile devices by default. Authorisation is required from the information security management team, the management review team, or the information security manager.
Where a personal mobile device is allowed
The mobile device is recorded in the asset register.
The user receives training and signs an acknowledgement of responsibility.
All company policies including access control and the information security policy apply.
The same policy for mobile devices, the Mobile Device Policy, applies.
No personal data or sensitive data, as defined by the GDPR or the Data Protection Act 2018, is to be stored on the device.
- Set out Policy Compliance
The information security management team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
How to implement it
Putting the policy into practice is the most important part.
- Share it widely: Make sure every employee has a copy of the policy.
- Train your team: Hold a training session to walk everyone through the policy and answer their questions.
- Get signatures: Ask employees to sign a document saying they’ve read and agree to follow the policy.
- Enforce it: Make sure everyone is actually following the rules. Use tools to check for things like strong passwords and up-to-date software.
- Review and update: Technology and threats change all the time. Review the policy at least once a year to make sure it’s still current.
Examples of Using It for Small Business
Imagine your marketing team works from home every Friday. The policy would say they must use a password-protected Wi-Fi network and keep their work laptops updated with the latest software. If one of them accidentally leaves their laptop on the train, the policy would guide them to immediately report it so you can remotely lock the device.
Examples of Using It for Tech Startups
Your team of developers works from a co-working space. Your policy would require them to use a VPN to connect to the company’s network. It would also specify that they can’t use public USB charging stations and must use two-factor authentication on all their accounts. This protects your valuable code from being stolen.
Examples of Using It for AI Companies
Your data scientists are at a conference and need to access your secure data lake. Your policy would state they must connect through a company-approved VPN and can only use company-issued, encrypted laptops. The policy would also prohibit downloading sensitive datasets to personal devices, keeping your intellectual property safe.
How the ISO 27001 toolkit can help
An ISO 27001 toolkit is like a cheat sheet for getting certified. It gives you a bunch of pre-written documents, including a mobile and remote working policy. Using a toolkit is great because it means you don’t have to start from scratch. You can be confident that your policy meets all the necessary standards without doing all the hard work yourself.
Information security standards that need it
This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
- NIST (National Institute of Standards and Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
List of relevant ISO 27001:2022 controls
The ISO 27001:2022 standard has specific controls that your policy helps you meet.
- ISO 27001:2022 Annex A 6.7: Remote Working
- ISO 27001:2022 Annex A 7.5: Protecting Against Physical and Environmental Threats
- ISO 27001:2022 Annex A 7.7: Clear Desk And Clear Screen
- ISO 27001:2022 Annex A 8.9: Configuration Management
- ISO 27001:2022 Annex A 8.16: Monitoring Activities
ISO 27001 Mobile and Remote Working Policy Example
An example ISO 27001:2022 Mobile and Remote Working Policy:
ISO 27001 Mobile and Remote Working Policy FAQ
- What’s the difference between remote and mobile working? Remote working is from a fixed location like a home office, while mobile working is on the move, like in a cafe.
- Can I use my personal laptop for work? The policy will tell you. It often requires specific security software on personal devices.
- What is a VPN? It’s a Virtual Private Network. It creates a secure, encrypted tunnel for your internet connection.
- Why can’t I use public Wi-Fi? Public Wi-Fi is often unsecured, making it easy for hackers to steal your data.
- What do I do if my work laptop is stolen? Report it immediately to your manager and the IT team.
- Do I need a strong password? Yes! A long and complex password is your first line of defense.
- What is two-factor authentication? It’s an extra security step where you need a second code to log in, often from your phone.
- Who is responsible for my home network security? You are. The policy will likely ask you to have a secure, password-protected network.
- Should I use a screen lock? Yes, always. Your device should lock automatically after a few minutes of inactivity.
- Do I need to encrypt my hard drive? The policy might require it to protect your data in case your device is lost.
- How often should I update my software? As soon as updates are available. They often contain important security fixes.
- Can I print company documents at home? The policy will have rules about this, as physical documents can also be a security risk.
- Is it okay to work in a coffee shop? You can, but the policy will have strict rules about how to do it safely, like using a screen privacy filter.
- What if my child uses my work computer for games? The policy will forbid this, as it can introduce malware or other risks.
- How can I tell if a website is secure? Look for “https://” at the beginning of the website address and a padlock icon in your browser.