ISO 27001 Annex A 6.7 Remote Working

What is ISO 27001 Annex A 6.7 Remote Working?

Annex A 6.7 requires documented rules for security in remote working. Organisations must implement controls for off-site locations. Use internal document management systems like SharePoint to store these policies. This ensures staff follow security protocols outside the office. It keeps organisational data protected on remote devices.

Auditor’s Eye: The Shortcut Trap

Reliance on automated SaaS compliance platforms often leads to surface-level security. Auditors prefer seeing remote working evidence within your native SharePoint environment. External dashboards hide the lack of actual management oversight. You must prove you control remote access through internal Jira workflows and manual records. Automated “green ticks” rarely reflect the true culture of remote security. Integrated tools provide the granular audit history required for certification.

ISO 27001:2013 Reference | ISO 27001:2022 Reference | Requirement Status
A.6.2.2 Teleworking      | A.6.7 Remote Working     | Broadened to cover all off-site activities.

How to Implement ISO 27001 Annex A 6.7 Remote Working (Step-by-Step)

Organisations must document the conditions for working at home or off-site locations. Lead with a clear policy integrated into your internal management system. Frame this as a cultural requirement for all remote staff. Use your existing business tools to manage the lifecycle of remote access.

  • Define the Policy: Store the remote working rules in your SharePoint library.
  • Set up Jira Workflows: Request remote access through a formal ticket system.
  • Document Controls: List requirements for VPN use and physical screen security in your Wiki.
  • Capture Sign-offs: Ensure employees acknowledge remote security duties within internal tools.
  • Conduct Audits: Review remote connection logs manually to verify compliance with the policy.

ISO 27001 Annex A 6.7 Audit Evidence Checklist

Focus on internal records that demonstrate human oversight. Auditors want to see that the process is active. Avoid using external platform screenshots as your primary evidence.

  • Remote Working Policy with version history in SharePoint.
  • Jira tickets documenting the approval of remote access requests.
  • Employee training records for remote security stored in Confluence.
  • Signed remote working agreements for all teleworking staff.
  • Evidence of periodic review for remote access permissions.

Relational Mapping: Clause Inter-dependencies

  • Clause 8.1: Operational planning for remote security controls.
  • Annex A 5.10: Acceptable use of assets when working off-site.
  • Annex A 8.1: User endpoint devices used for remote connection.
  • Annex A 5.15: Access control for remote systems.

Auditor Interview: Annex A 6.7

Auditor: How do you authorise staff to work from home?

Manager: We use a Jira workflow. The employee requests access and the department head must approve it.

Auditor: Where are the security requirements for their home office defined?

Manager: They are in our SharePoint Remote Working Policy. Staff must complete a self-assessment on our Wiki.

Common Non-Conformities

Failure Mode          | Auditor Finding
Automated Complacency | Relying on a SaaS platform dashboard without internal procedural logs.
Ad-hoc Approvals      | Staff working remotely without documented management authorisation in Jira.
Lack of Awareness     | Remote staff unable to locate the security policy in SharePoint.

Frequently Asked Questions

What is the main goal of Annex A 6.7?

The main goal is protecting organisational information while staff work off-site. You must implement a documented process for remote security. This includes physical and technical controls. Use SharePoint to store these rules. This ensures all remote staff follow the same security standards.

How do we prove management authorisation for remote work?

Use a request system like Jira to log every approval. The auditor will look for a timestamped record. It must show who requested access and who approved it. This proves that remote working is not ad-hoc. It shows the organisation manages its remote risks properly.

Why should we avoid black-box SaaS compliance tools?

Black-box tools decouple security from your actual business operations. They offer generic “green ticks” that lack context. Auditors prefer seeing evidence in your native repositories like SharePoint. This demonstrates that your team actively manages the ISMS. It proves the management system is integrated into the business.

LA CASA DE CERTIFICACIÓN