
Remote working

Annex A control 6.7 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 6.2.2

Control 6.7 instructs organisations on ensuring secure access to information and networks when staff work remotely. The control recommends having a policy in place to set clear guidelines, and implementing an information security management system (ISMS) that establishes the procedures for keeping remote access safe and secure.

Remote working has become more widely adopted in the wake of both the digital revolution and the COVID-19 pandemic, enabling employees to maintain productivity away from the workplace.

However, this change comes with its own data protection concerns, and business owners must ensure data remains safe against hackers, criminals and unauthorised persons even outside of the workplace.

The data protection risks of remote working

Without the proper protection, remote working can make companies more vulnerable to hackers, malware and unauthorised data access. It can also have a negative impact on a business’s physical security, and can pose a risk to confidentiality by giving staff access to confidential data outside of normal working hours and premises.

When personnel work from home, they may be less inclined to pack away their belongings at the end of the day, leaving the organisation’s confidential information exposed. By its very nature, remote working allows staff to access company information from outside the workplace, meaning data is now stored in numerous locations, making it harder to manage and protect.

Why is control 6.7 important?

Control 6.7 has been put in place to ensure that staff can access the resources their role requires remotely, while maintaining the integrity, confidentiality and security of business information.

Organisations must ensure information remains protected even when staff are working remotely, issuing a tailored remote working policy that establishes the conditions and limits. This policy should be made known to all staff, and should address:

  • The conditions under which remote working may be carried out
  • The steps to ensure remote workers can access necessary information
  • The steps to ensure information remains protected when transmitted between different physical locations

There should be a clear system in place for reporting incidents, and the policy should also cover firewalls, antivirus software and encryption so that employees have a firm knowledge base of cybersecurity.

Meeting the requirements of control 6.7

The main step involved in meeting the requirements of control 6.7 is establishing a policy about remote working. This policy should be assessed regularly, or when circumstances change. All personnel, contractors and entities involved in remote working should be made aware of this policy. It should cover all the necessary safeguards to protect data when it is sent between locations.

Control 6.7 states that the following factors should be considered:

  • The physical security of the remote working site, including the legal systems of the regions in which staff are located
  • Physical environment security rules, such as lockable filing cabinets and having instructions for disposing of sensitive materials
  • Secure communication methods
  • Remote access techniques and the storage of information on personal devices
  • The dangers of unauthorised access to data by people outside the business, including family members at home, or people in public spaces
  • Home and public networks, and their rules/security levels
  • Security measures like anti-malware protection and firewalls
  • Ensuring systems can be deployed remotely with secure steps
  • Granting access rights through secure authentication mechanisms

Guidelines to be considered

Control 6.7 suggests that the following measures be taken into account:

  • The organisation should supply equipment and storage for remote working
  • The organisation should define the work clearly, classify data that can be held remotely and grant remote access to the relevant materials
  • The organisation should provide training for remote workers, including how to conduct secure business outside the workplace
  • Communication equipment must be provided, like device screen locks and inactivity timers
  • Device location tracking should be put in place
  • Remote wipe capabilities should be installed
  • The location of the remote worker must be deemed suitably secure
  • Rules for family and visitor access should be established
  • Hardware and software support should be provided
  • Insurance should be provided
  • Data backup and business continuity protocol should be established
  • Audits and security monitoring should be carried out periodically
  • Access rights and equipment must be revoked upon termination of remote working activities

What’s changed since 2013?

Although control 6.7 replaces ISO 27001:2013 Annex A control 6.2.2, there are differences between the two. 6.2.2 is referred to as ‘teleworking’, while 6.7 uses the more widely recognised term ‘remote working’. The 2022 version outlines what constitutes remote working, including teleworking.

Certain aspects were added into the 2022 version that did not appear in the 2013 control, such as ensuring physical security in the remote workplace, highlighting the risk of unauthorised access from people in public areas, and putting secure mechanisms in place to authenticate and allow access privileges.

Similarly, certain aspects of the 2013 version were removed, including the implementation of home networks and the limitations on configuring wireless network services, the prohibition on access to privately owned equipment, and software licensing on workstations privately owned by staff.