Remote Working - ISO 27001 Annex A Control

ISO 27001 Annex A 6.7

The home office is the office for security purposes too.

ISO 27001 Annex A 6.7 - Remote Working

Remote working has gone from exception to baseline for many organisations. The control recognises that information being accessed, processed or stored away from the organisation's premises faces a different risk profile - the network is the home broadband, the physical environment is shared with family or others, and the device may not be under the organisation's full control.

The protection comes from a combination of controls. Technical controls cover the device, the connection and the access - encrypted endpoints, VPN or zero-trust access, multi-factor authentication, mobile device management. Procedural controls cover the working practices - what can be discussed on calls in shared environments, what cannot be printed at home, how paper records are handled, what to do with the device when it is not in use. Awareness training reinforces the practices.

The organisation also needs to think about the boundary cases. Working from public spaces like cafes or hotels carries higher risk than the home office and may need additional controls or restrictions. Travel - particularly international travel - may bring border controls, network restrictions or hostile environments into the picture. The remote working policy should address the spectrum, not just the standard work-from-home case.

Our remote working policy started with a basic work-from-home position and has had to evolve as the patterns changed. People work from cafes, from holiday accommodation, from other countries on extended visits. Each situation has slightly different risks. We have learned to be specific in the policy - what is allowed where, what additional controls apply, what to do if circumstances change.

The audit test is whether the policy reflects how staff actually work and whether the controls land in practice. A pristine policy that says all remote working must be from a dedicated home office with a wired connection is fine on paper, but if half the staff work from coffee shops in reality, the policy is not the operating position. I will look at how the policy translates to actual practice and whether the controls fit.

Practical Compliance Guidance

Remote working arrangements are described in the IMS1 manual at section 8.5 alongside the topic-specific Remote Working Policy and the wider physical and technical controls. The People Security Policy and the device management arrangements support the implementation.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering the manual, policies, procedures, registers and audit checklists.

PP-8-100 Information Security Policy Procedure - Contains the topic-specific Remote Working Policy alongside the wider information security arrangements. Use it as the source document for the remote working rules and the surrounding controls.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

As a baseline for any device used for remote working: full disk encryption on the device, multi-factor authentication for access to organisational systems, a secure connection through VPN or zero-trust access, current patching and anti-malware on the endpoint, and the ability for the organisation to wipe the device remotely if it is lost or compromised. The exact combination depends on the device type and the data being accessed.

Personal devices: some organisations allow them under a Bring Your Own Device arrangement, others do not. Where they are allowed, the device needs to meet the same security requirements as a company device, typically through a containerised work profile or mobile device management. The BYOD position should be set out clearly in the remote working policy along with the security requirements.

Working from cafes, hotels or while travelling carries higher risk than home working and may need additional controls. Privacy screens for on-screen information, no calls discussing sensitive matters in shared spaces, restricted use of public Wi-Fi (or VPN-only access), and consideration of the local environment, including border and network controls, for international travel. The remote working policy should set out the position for these scenarios specifically.
