How to implement ISO 27001 Annex A 6.7 – A certification bodies guide

How to Implement ISO 27001 Annex A 6.7 Remote Working

The modern workplace has changed. We no longer sit in a single office behind a secure perimeter. Your team likely works from home, coffee shops, or on the train. This flexibility is great for productivity but creates a headache for information security. This is where ISO 27001 Annex A 6.7 comes into play. It deals specifically with remote working.

As a certification body, we see many organisations struggle here. They often assume that standard office controls apply everywhere. That is rarely the case. We want to guide you through exactly how to implement this control and what we expect to see when we visit you for an audit. You can find more templates and resources at ISO27001.com to help you speed up this process.

Understanding Annex A 6.7

The primary goal of this control is simple. You must ensure the security of information when your personnel work remotely. It does not matter if they are at home or in a hotel. The risks are higher when you leave the office. You lose physical control over the environment. You often rely on networks you do not own.

We expect you to define rules and provide technology to protect data in these uncontrolled spaces. If you ignore this, you leave a massive gap in your Information Security Management System (ISMS).

Create a Remote Working Policy

The first thing we look for is a clear policy. You cannot simply tell staff to be careful. You must write down the rules. This policy should authorise remote work and define the conditions for it. You need to decide who is allowed to work remotely and when.

Your policy needs to cover physical security. Can staff leave laptops in cars? Can they work in a public library where screens are visible? You should clearly state that family members must not use business devices. This is a common finding during our audits. A clear policy prevents ambiguity.

Secure the Physical Environment

We know you cannot inspect every employee’s home. However, you must educate them on physical security. You should require a clear desk policy at home just as you would in the office. Confidential papers should not be left on a dining table.

You should also consider theft. We expect you to instruct staff to keep doors locked and devices secure when not in use. If a device is stolen from a car or a home, encryption is your last line of defence. Ensure all hard drives on portable devices are encrypted. We will check for this evidence.

Implement Technical Controls

Technology plays a vital role in Annex A 6.7. You cannot rely on the security of a home Wi-Fi router. We expect you to provide a Virtual Private Network (VPN) or similar secure connection. This ensures that data moving between the remote worker and your servers is encrypted.

You must also consider access control. Multi-factor authentication (MFA) is essential for remote access. Passwords alone are often not enough when the connection comes from the internet. We look for these technical barriers to ensure only the right people access your systems.

Manage the Human Element

Your staff are your biggest risk and your best defence. You need to train them. A policy is useless if nobody reads it. You should run awareness sessions specifically about remote risks. Teach them about the dangers of using public Wi-Fi without a VPN. Teach them to spot phishing emails which often target remote workers.

We often interview staff during an audit. We might ask them what they do if they lose their laptop. We want to hear that they know the reporting procedure. If they hesitate, it suggests your implementation is weak.

What the Auditor Will Check

When we come to audit you, we look for evidence. We do not just take your word for it. We will review your remote working policy to ensure it aligns with the ISO 27001 standard. We will look at your risk assessment to see if you considered the specific threats of working away from the office.

We might ask to see logs that show remote connections are secured. We check if you have provided suitable equipment. Using personal devices for work, known as Bring Your Own Device (BYOD), brings its own set of risks. If you allow this, we expect even stricter controls to separate work data from personal data.

Continuous Improvement

Security is not a one-time task. As technology changes, so do the risks. You should review your remote working rules regularly. If you adopt new software or if staff start working from different countries, you need to update your approach. We look for signs that your ISMS is living and breathing, not just a static document.

Implementing Annex A 6.7 properly protects your business and makes your audit much smoother. It shows us that you take security seriously, no matter where your staff are located. For detailed guides and toolkits to help you pass your audit, visit ISO27001.com.