ISO 27001: 2022 A.6.7 Remote working

This article provides additional information on how you can meet the requirements of ISO 27001:2022 control A.6.7 Remote working.

ISO 27001: 2022 Control Description

Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

Purpose

To ensure the security of information when staff are working remotely.

Guidance on implementation

Remote working occurs whenever staff of the organisation work from a location outside of the organisation’s premises, accessing information whether in hard copy or electronically via ICT equipment. Remote working environments include those referred to as “teleworking”, “telecommuting”, “flexible workplace”, “virtual work environments”, and “remote maintenance”.

NOTE: It is possible that not all the recommendations in this guidance can be applied due to local legislation and regulations in different jurisdictions.

Organisations allowing remote working should issue a topic-specific policy on remote working that defines the relevant conditions and restrictions. Where applicable, the following matters should be considered:

a) The existing or proposed physical security of the remote working site, taking into account the physical security of the location and the local environment, including the different jurisdictions where personnel are located;

b) Rules and security mechanisms for the remote physical environment, such as lockable filing cabinets, secure transportation between locations, and rules for remote access, clear desk, printing, and disposal of information and other associated assets, as well as information security event reporting;

c) The expected physical remote working environments;

d) The communications security requirements, taking into account the need for remote access to the organisation’s systems, the sensitivity of the information to be accessed and transmitted over the communication link, and the sensitivity of the systems and applications;

e) The use of remote access, such as virtual desktop access that supports the processing and storage of information on privately owned equipment;

f) The threat of unauthorised access to information or resources from other persons at the remote working site (e.g. family and friends);

g) The threat of unauthorised access to information or resources from other persons in public places;

h) The use of home networks and public networks, and requirements or restrictions on the configuration of wireless network services;

i) Use of security measures, such as firewalls and protection against malware;

j) Secure mechanisms for deploying and initialising systems remotely;

k) Secure mechanisms for authentication and enabling access privileges, considering the vulnerability of single-factor authentication mechanisms where remote access to the organisation’s network is permitted.

The guidelines and measures to be considered should include:

a) The provision of suitable equipment and storage furniture for remote working activities, with the use of privately owned equipment not under the organisation’s control being prohibited;

b) A definition of the work permitted, the classification of information that can be held, and the internal systems and services that the remote worker is authorised to access;

c) The provision of training for those working remotely and those providing support, including how to conduct business securely while working remotely;

d) The provision of suitable communication equipment, including methods for securing remote access, such as requirements for device screen locks and inactivity timers, enabling device location tracking, and installation of remote wipe capabilities;

e) Physical security;

f) Rules and guidance on family and visitor access to equipment and information;

g) The provision of hardware and software support and maintenance;

h) The provision of insurance;

i) Procedures for backup and business continuity;

j) Audit and security monitoring;

k) Revocation of authority and access rights and the return of equipment when remote working activities are terminated.