ISO 27001 Annex A 6.7 is about remote working, which is doing your job from somewhere other than the main office. This might be your home, a cafe, or any other place with a good internet connection. The control says you must put security measures in place when people work away from the company’s premises, so that information is protected once it leaves the organisation’s buildings.
What is ISO 27001 Annex A 6.7?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In ISO/IEC 27001:2022 the control is titled “Remote Working”.
What is the ISO 27001 Annex A 6.7 control objective?
The formal control text and objective in the standard reads: “Security measures should be implemented when personnel are working remotely to protect information when it is outside the organisation’s premises.”
What is the purpose of ISO 27001 Annex A 6.7?
The purpose of ISO 27001 Annex A 6.7 is “to ensure the protection of information when it is outside the organisation’s premises.”
Is ISO 27001 Annex A 6.7 Mandatory?
ISO 27001 Annex A control 6.7 (Remote Working in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 6.7 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Control
To meet this control, you need clear plans and policies. Here are the important steps:
Create Your Remote Working Policy
You must write a policy that is just for remote work. This document needs to be clear about a few key things:
- Information Security: You have to make sure that the proper security measures are in place for workers who are operating outside the main office.
- Organisational Needs: Show that the policy actually helps your organisation run smoothly and meet its goals.
- Addressing Risks: Demonstrate that the policy deals with the specific security and operational dangers that come from working remotely.
Check Local Rules
Because general advice may not fit every situation, you must check local requirements before you put your policy into practice.
- Local Laws: You must show that what you put into effect follows all the laws in your area.
- Local Regulations: You also need to prove that your policy meets any specific local rules or government orders.
Physical Security
When people work away from the office, you need to think about physical security. This includes rules and equipment such as lockable filing cabinets and shredders, and controls for printing and for carrying paper documents around. You also need clear desk rules and rules for the secure disposal of old papers and media.
You should think about the person and their job. Do a small check to understand the possible risks they face. Then, put controls in place to lower those risks.
For example, think about printing at home. Not everyone needs to print, but for those who do, you might give them a company printer and a shredder. If a person will handle printed papers like contracts or bank records, you should think about giving them storage that can lock.
Some people, but not all, have a dedicated home office. Based on what they do and what information they can access, consider whether a lock on that office door is worthwhile. Be sensible and proportionate about what you require.
Communication Security
You will need to think about how to keep communications secure. This depends on how much people need to access your company systems remotely and how sensitive the information they use, store, or send is. Your Information Technology (IT) and technical teams will help you decide this.
Remote Access Technology
Think about how you will let people connect to your systems, for example through a Virtual Private Network (VPN) or virtual desktops. You must also decide how you will use protective tools such as firewalls and anti-malware software, and how you will set up, manage, and update the devices people use. Your IT teams can help you meet these technology needs.
Unauthorised Access in Shared Spaces
A particular risk with remote work is that friends, family, or people in public places can see or overhear your work. You may need to put measures in place to address this. People often use privacy screens or are advised where it is best to sit and work in public. You should also give people guidance on making and taking phone calls, such as not discussing confidential matters in a public place where others can easily listen in.
Training
You will provide training on your remote working policy and procedures. This tells people how to work securely when they are not at the company office.
Backup and Business Continuity
Your plans for backing up information and keeping the company running will need to cover remote work and the problems that come with it. Think about devices such as mobile phones and whether the information stored on them will be backed up.
Insurance
Something people often forget is insurance. Make sure you have the right insurance to cover working from home and the risks that come with it.
Audit and Security Monitoring
As part of your annual internal audit, you will review remote workers to make sure they are following the policy and procedures. This is usually done through a video interview where you can see how and where they are working.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will look for:
You Conduct Audits of Remote Working
Working away from the office creates a special challenge because people work in places you do not control. As part of managing your risks, you chose certain safety measures you felt you needed. To manage this well, you must check those safety measures regularly. You should do this at least once a year, or based on how risky the situation is, to make sure the measures are working as you intended.
You must keep records of these checks and the final reports. You will also need to show that you shared the results of these reports with the right people. If you find that a safety measure is not working well, you must have proof that you took steps to fix the problem and that you used risk management to handle the issues you found.
You Have the Right Technical Safety Measures
Because remote work has certain risks, you must show that you thought about them and chose the right technology to lower those risks. The auditor will look at the tools you use to make sure they are suitable, are the right size for the risk, and are being managed well. They will check for reports, monitoring data, and ways you measure how well these tools are working.
People Know Their Duties
The audit will make sure people know what they are supposed to do. You will need to show that you have written procedures and specific policies for different topics. You must also show that you have shared these rules and that everyone has been trained on what is required of them.