If there is one thing that has fundamentally changed the way we work since the last major ISO update, it is the shift to working from anywhere. When ISO 27001:2013 was released, “teleworking” was often a perk for a small group of employees. Today, remote work is a standard operational model. To reflect this reality, the 2022 update moved and refined the rules for securing off-site work under Annex A 6.7: Remote Working.
The Evolution from 6.2.2 to 6.7
In the ISO 27001:2013 version, the requirements for working away from the office were found under Control 6.2.2, titled “Teleworking.” It was grouped in a small domain alongside mobile device security. At the time, the focus was largely on the technical setup of a home office and ensuring that a VPN was in place.
In the 2022 update, this has been reclassified as Annex A 6.7 and moved into the People Controls theme. While the change might look like simple renumbering, the shift to “People Controls” is significant. According to the experts at Hightable.io, this indicates that remote working is no longer just a technical networking challenge; it is a human-centric risk that requires specific policies, training, and behavioral standards to keep data safe when it leaves the physical perimeter of the office.
“Teleworking” vs. “Remote Working”
The change in terminology from “Teleworking” to “Remote Working” isn’t just semantics. In the 2013 era, teleworking generally referred to a fixed alternative location, like a dedicated home office. Remote Working in the 2022 version is a much broader term. It encompasses working from cafes, hotels, co-working spaces, and even while traveling.
This expansion means that your 6.7 controls must account for a wider range of threats, such as “shoulder surfing” in public places, the use of insecure public Wi-Fi, and the physical security of devices in transit. As Hightable.io points out, the 2022 version expects your remote working policy to be “location-agnostic,” focusing on the security of the information rather than just the physical walls of a home office.
What is New in the Implementation Guidance?
The 2022 version of the standard provides more detailed guidance on how to secure a distributed workforce. If you are transitioning from the 2013 version, you’ll notice a stronger emphasis on several key areas:
- Physical Security of Remote Sites: You are now expected to address the physical environment where work happens. This includes guidelines on lockable filing cabinets for sensitive paperwork and ensuring family members or roommates cannot access work devices.
- Secure Communication: There is a much heavier focus on encryption. While 2013 mentioned secure communication, the 2022 update expects robust implementations like Multi-Factor Authentication (MFA) and Zero Trust principles to be part of the remote access conversation.
- Bring Your Own Device (BYOD): The 2022 implementation guidance for 6.7 is more explicit about managing personal devices. If your staff uses their own laptops or phones, you must have clear rules regarding software licensing, remote wipe capabilities, and the separation of personal and business data.

The Introduction of Attributes
Like all controls in the 2022 version, Annex A 6.7 now includes “Attributes.” This new metadata system helps you categorize the control’s function. Control 6.7 is officially tagged as a Preventive control.
By using these attributes, organizations can better align their remote working security with broader cybersecurity concepts like “Protect.” Hightable.io suggests that these attributes make it easier for security managers to map their remote work controls directly to risk assessments, showing auditors exactly which “People” risks are being mitigated by the remote working policy.
What Will an Auditor Look For?
Transitioning to the 2022 standard means an auditor will expect a more comprehensive evidence trail than they did in 2013. They will likely look for:
- A Specific Remote Working Policy: A documented policy that defines who can work remotely, which jurisdictions are allowed, and what technical controls are mandatory.
- Evidence of MFA: Proof that Multi-Factor Authentication is enforced for all remote access points.
- Risk Assessments: Evidence that you have specifically assessed the risks of your remote work setup (e.g., home Wi-Fi security or data storage on local drives).
- Training Records: Confirmation that remote workers have received targeted awareness training on the risks of working in public or unmanaged environments.
Why the Transition to 6.7 Matters
The move to Annex A 6.7 reflects a world where the “office” is wherever there is a Wi-Fi signal. By treating remote work as a primary People Control, ISO 27001:2022 forces organizations to move beyond basic IT setup and toward a culture of secure mobility.
As suggested by Hightable.io, the best way to handle this transition is to update your “Mobile and Teleworking Policy” into a modern “Remote Working Framework.” This doesn’t just satisfy the requirements of the new standard; it builds a foundation of trust that allows your business to stay flexible and productive without sacrificing security.
