ISO 27001 Mobile and Remote Working Policy Beginner’s Guide

Home / ISO 27001 Templates / ISO 27001 Mobile and Remote Working Policy Beginner’s Guide

ISO 27001 Mobile and Remote Working Policy Beginner’s Guide

In this guide, you will learn what an ISO 27001 Mobile and Remote Working Policy Beginner’s Guide is, how to write it yourself and I give you a template you can download and use right away.

ISO 27001 Mobile and Remote Working Policy Beginner’s Guide
What is an ISO 27001 Mobile and Remote Working Policy?
How to write an ISO 27001 mobile and remote working policy
ISO 27001 Mobile and Remote Working Policy Template
ISO 27001 Mobile and Remote Working Policy Example
ISO 27001 Mobile and Remote Working Policy FAQ

What is an ISO 27001 Mobile and Remote Working Policy?

The ISO 27001 Mobile and Teleworking Policy is used to manage the risks introduced by using mobile devices and to protect information accessed, processed and stored at teleworking sites. Mobile device registration, assigned owner responsibilities, Mobile Firewalls, Remote Wipe and Back up are covered in this policy.

This is also the Remote Working policy. Remote working is becoming more common place. Whether working from home or virtual offices people are spending less time in the main company office. The policy will address the potential risks that this poses to information security.

It is one of the ISO 27001 policies required by the ISO 27001 standard for ISO 27001 certification.

DO IT YOURSELF ISO27001

STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS

The Ultimate ISO 27001 Toolkit

How to write an ISO 27001 mobile and remote working policy

Time needed: 1 hour and 30 minutes

How to write an ISO 27001 mobile and remote working policy

Include a Purpose Statement
To manage the risks introduced by using mobile devices and to protect information accessed, processed and stored at teleworking sites.
Include a Scope Statement
All company employees and external party users.
All company mobile devices.
All personal devices used to access, process or store company information.
Include a Principle Statement
Mobile devices and remote sites are to have adequate protection of company information.
Include an Overview Statement
The policy includes the popular Bring Your Own Device Policy, often abbreviated to BYOD. There are considerations for data protection and GDPR. The policy is not designed to prevent employees from flexible working, rather it is intended to protect the information assets of the business in a practical and pragmatic way. Where possible it would be good practice for mobile devices that connect to confidential business data to be provided by, and managed by, the business. These would be managed by the asset management process and covered by the asset management policy.
Write content for the required sections
The required sections are:
Mobile Device Registration
Mobile Device Assigned Owner Responsibilities
Mobile Device Firewall
Mobile Remote Wipe
Mobile Back Up
Teleworking / Remote Working Policy
Bring Your Own Device Policy ( BYOD )
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement
Describe Mobile Device Registration
Mobile devices are recorded in the asset register.
Mobile devices are assigned to a named individual.
Assigned owners are provided with a copy of the Mobile and Teleworking policy and informed of their responsibility for the device and the information contained on it.
Mobile devices have appropriate encryption, anti-virus and access control installed where available.
Set out Mobile Device Assigned Owner Responsibilities
Assigned owners are personally responsible for the device.
To ensure operating system and application patching is up to date.
To ensure encryption and antivirus where installed is enabled.
To ensure the device is not left unattended and when not in use physically secured.
To only access company information required for role in line with the Access Control Policy.
To not install software or change the device that would be in breach of the company information security policy, regulations, or applicable legislation.
Personal and confidential data is not stored on the device unless authorised and recorded in the asset register.
To not allow others including family members to access or use the assigned device.
To return the mobile device when no longer required, when requested or when leaving the company employment.
Describe the Mobile Device Firewall
Any mobile device connecting to payment card cardholder data environment must have a personal firewall installed and configured.
The personal firewall software must be configured to specific documented configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices.
Lay out Mobile Remote Wipe
Mobile devices are enabled to have their contents remotely wiped in the event of loss or theft. This feature is enabled prior to the user being given access to the mobile device and mobile devices have their automatic lockout enabled.
Describe Mobile Back Up
Mobile devices are not backed up by default to company back up solutions and is the responsibility of the assigned user.
Write your Bring Your Own Device Policy (BYOD)
It is not the company policy to allow ‘bring your own device’ or use of personal mobile devices by default. Authorisation is required from the information security management team, the management review team, or the information security manager.
Where a personal mobile device is allowed
The mobile device is recorded in the asset register.
The user receives training and signs an acknowledgement of responsibility.
All company policies including access control and the information security policy apply.
The same policy for mobile devices, the Mobile Device Policy, apply.
No personal data or sensitive data as defined by the GDPR, or Data Protection Act 2018 are to be stored on the device.
Set out Policy Compliance
The information security management team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

ISO 27001 Mobile and Remote Working Policy Template

Download Mobile and Remote Working Policy

ISO 27001 Mobile and Remote Working Policy Example

ISO 27001 Mobile And Remote Working Policy Example 3

ISO 27001 Mobile And Remote Working Policy Example 4

ISO 27001 Mobile and Remote Working Policy FAQ

Can I use my own device at work?

Yes. Technically this is possible. It is about risk mitigation. Restricting access to confidential and sensitive data based on role based access in addition to having technical controls on the device will reduce the risk.

Is BYOD, Bring Your Own Device and the Mobile and Teleworking Policy the same thing?

Yes. They all cover the same topics.

My manager wants an iPad in breach of policy. Is that allowed?

A policy is a statement of what you do. A policy is flexible enough to cover exceptions. By using compensating controls this can be perfectly fine. You would record the exception and authorise it via the Management Review Team meeting. Examples of compensating controls include: role based access, signing a waiver and acceptance, additional technical controls, regular device audit.

ISO 27001 Policy Templates

Stop Spanking £10,000s on consultants and ISMS online-tools.

ISO 27001 Toolkit

About the author

I am Stuart Barker the ISO 27001 Ninja.

You can connect with me on Linked In, stalk me, check me out and join my network.

I am an information security practitioner of over 30 years. I hold a Software Engineering degree and started my career in software development. In 2010 I started my first cyber security consulting business that I sold in 2018. I worked for over a decade for GE, leading a data governance team across Europe and since then have gone on to deliver hundreds of client engagements and audits.

I regularly mentor and train professionals on information security and run a successful ISO 27001 YouTube channel where I show people how they can do it themselves. I am passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In my personal life I am active and a hobbyist kickboxer.

My specialisms are ISO 27001 and SOC 2 and my niche is start up and early stage business.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

ISO 27001 Mobile and Remote Working Policy Beginner’s Guide

ISO 27001 Mobile and Remote Working Policy Beginner’s Guide

Table of contents

What is an ISO 27001 Mobile and Remote Working Policy?

How to write an ISO 27001 mobile and remote working policy

ISO 27001 Mobile and Remote Working Policy Template

ISO 27001 Mobile and Remote Working Policy Example

ISO 27001 Mobile and Remote Working Policy FAQ

About the author

Free 30 minute ISO27001 strategy session.