How to Make Remote Working Secure Without Killing Productivity
ISO 27001 Control 6.7 Remote working recognises that work no longer happens only in offices and data centres. People work from home, cafés, co-working spaces, trains – and they still access your systems and data.
That flexibility is great for productivity and wellbeing, but it also expands your attack surface. Control 6.7 is about making sure remote working is deliberate and controlled, not just “we let people log in from home and hope for the best”.
This guide explains what ISO 27001 Control 6.7 is really asking for, and how to design a practical remote working policy that keeps information secure without making staff’s lives miserable.
What ISO 27001 Control 6.7 Actually Requires
In plain English, ISO 27001 Control 6.7 – Remote working expects you to:
- Define clear rules and conditions for remote working in a topic-specific remote working policy.
- Protect information that is accessed, processed, or stored outside your premises.
- Address physical, technical and procedural risks linked to remote working.
- Make sure remote workers and support teams understand what’s expected of them.
This isn’t just about giving people a VPN. ISO 27001 Control 6.7 wants you to think through:
- Where people work
- What they access
- On which devices and networks
- How you monitor and support them
…and then put sensible controls around all of that.
Step 1 – Define When Remote Working Is Allowed (and When It Isn’t)
Start by being clear on where remote working is permitted and under what conditions. Your remote working policy should answer:
- Who is allowed to work remotely (all staff, certain roles, by manager approval)?
- From which locations (home only, co-working spaces, customer sites, public areas)?
- What types of information can be accessed remotely (internal only, confidential, personal data, production systems)?
- Under what network and device conditions (corporate devices only, approved home networks, no public Wi-Fi without a VPN)?
This helps you avoid the default of “remote working is allowed everywhere, for everything, on anything”.
For ISO 27001 Control 6.7, it’s important you can show:
- A documented remote working policy.
- Clear conditions and restrictions, not just generic statements.
Step 2 – Address Physical Security for Remote Working
Remote working moves your risk out of controlled office spaces and into homes and public places.
Your remote working policy for ISO 27001 Control 6.7 should cover physical security such as:
- Work area setup
– Screens positioned so they can’t be easily overlooked
– Use of privacy filters where appropriate
– Avoiding work with sensitive data in very public settings
- Secure storage
– Lockable drawers or filing cabinets for documents and removable media
– Rules for never leaving laptops or paper unattended in cars or shared areas
- Clear screen and clear desk
– Lock devices whenever they’re left unattended
– Avoid printing unless necessary, and define how printouts are stored and disposed of
- Transport of assets
– How devices and documents should be carried between locations
– What to do if something is lost or stolen (reporting and escalation)
You don’t need to turn everyone’s spare bedroom into a secure bunker, but ISO 27001 Control 6.7 expects you to show that physical risks have been considered and managed.
Step 3 – Secure Communications and Remote Access
Remote working often means accessing internal systems over the public internet. Control 6.7 expects you to secure those connections properly.
Your remote working arrangements should cover:
- Secure remote access methods
– VPN, virtual desktop infrastructure (VDI), or secure remote access gateways
– Strong encryption for data in transit
- Authentication
– Multi-factor authentication (MFA) as standard for remote access
– Avoid single-factor authentication (password only) wherever possible
- Restrictions on device types
– Prefer (or require) corporate-managed devices for remote working
– If you allow BYOD, have clear conditions and additional controls (MDM, containerisation, etc.)
- Email and collaboration tools
– Rules on using corporate accounts vs personal accounts
– Guidance on sharing files and information (e.g. approved collaboration platforms only)
ISO 27001 Control 6.7 doesn’t force you into a specific technical solution, but auditors will expect to see remote access designed with security in mind, not just opened up “temporarily” and never reviewed.
Step 4 – Lock Down Networks and Devices Used for Remote Working
When people connect from home or on the move, you lose direct control over the network. Control 6.7 expects you to push security out to the endpoint and the connection.
Your remote working policy and technical standards should require:
- Endpoint protection
– Up-to-date anti-malware
– Host firewall enabled
– Regular OS and software patching
- Device configuration
– Enforced screen lock and inactivity timeout
– Full-disk encryption on laptops and mobile devices
– Blocking or controlling USB storage, where appropriate
- Home network expectations
– Change default router passwords
– Use WPA2/WPA3 encryption on Wi-Fi
– Avoid open or unknown networks for sensitive work
- Remote wipe and tracking (for corporate devices)
– Ability to remotely wipe or disable lost or stolen devices
– Ability to locate devices (within legal and privacy constraints)
For ISO 27001 Control 6.7, it’s particularly useful if you can point to:
- A device standard or build document
- Remote working config profiles in MDM / endpoint management tools
Step 5 – Define What Is (and Isn’t) Allowed When Working Remotely
Remote working needs clear acceptable use rules. Control 6.7 expects you to be explicit about:
- What activities are permitted remotely
– General business work
– Access to production systems or admin consoles
– Handling of personal data or confidential information
- Which systems/services can be used
– Approved corporate tools vs personal or consumer apps
– Rules on using local storage, USB media, or personal cloud services
- Who can touch the equipment
– Clear statement that family members, visitors, friends, etc. must not use corporate devices
– Prohibition on sharing corporate accounts or passwords
- Printing and disposal
– When printing is allowed from home
– How to store and securely dispose of printed material (e.g. shredding, returning to office for disposal)
These expectations can sit in a dedicated remote working policy that links back to your:
- Information security policy
- Acceptable use policy
- Access control and classification policies
The more concrete the rules, the easier it is to show you’ve implemented ISO 27001 Control 6.7.
Step 6 – Train and Support Remote Workers Properly
Remote working changes the risks people face day-to-day. ISO 27001 Control 6.7 wants you to make sure staff and support teams:
- Know how to work securely from home or other locations
- Understand what to do if something goes wrong
You should:
- Include remote working scenarios in security awareness training:
- Phishing and social engineering when working from home
- Handling shoulder surfing or overheard conversations
- Using VPNs, MFA, and approved tools correctly
- Train IT and support teams on:
- Securely onboarding remote workers
- Supporting devices they can’t physically touch
- Managing remote wipe, lost devices, and suspected compromise
- Provide clear guidance documents:
- “How to work securely from home” quick guide
- FAQs on remote access, printing, and using personal devices
If auditors ask remote staff, “What does your remote working policy say and where can you find it?”, you want them to have a confident answer.
Step 7 – Control the Full Remote Working Lifecycle
ISO 27001 Control 6.7 also expects you to manage remote working over time, not just at setup.
That means:
- Provisioning
– Issuing appropriately configured devices
– Applying the right access rights and software
- Ongoing monitoring and review
– Logging and monitoring remote access
– Reviewing access rights regularly (especially admin access)
– Checking that remote devices remain compliant with your standards
- Backup and continuity
– Making sure remote workers’ data is backed up appropriately (e.g. cloud storage, centralised systems)
– Including remote working in your business continuity planning (e.g. office outage, network issues)
- Termination or change of remote working
– Revoking remote access when someone leaves or no longer works remotely
– Retrieving devices and other assets
– Ensuring local copies of data are removed or encrypted
This ties in closely with other controls (access control, asset management, incident management), but from the auditor’s perspective it will all sit partly under ISO 27001 Control 6.7 – Remote working.
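As an added example (not part of the original article), this is the kind of review a small script can run over remote access gateway logs to evidence the Step 3 conditions (MFA on every login, corporate-managed devices) and the Step 7 lifecycle checks (access revoked when remote working ends, unused access picked up at review). The key=value log format, field names, HR feed and sample records are all constructed for illustration, not taken from any real product.

```python
# Added example: reviews constructed remote-access gateway logs against the
# conditions above (MFA on every login, managed devices only, access revoked
# when remote working ends, periodic review of unused access).
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value gateway format.
SAMPLE_LOG = """\
ts=2024-03-01T08:02:11Z user=alice device=LT-0412 managed=yes mfa=yes result=success
ts=2024-03-01T08:15:40Z user=bob device=LT-0377 managed=yes mfa=no result=success
ts=2024-03-01T09:01:03Z user=carol device=personal-ipad managed=no mfa=yes result=success
ts=2024-03-02T07:55:19Z user=dave device=LT-0290 managed=yes mfa=yes result=success
ts=2024-01-05T10:12:00Z user=erin device=LT-0101 managed=yes mfa=yes result=success
"""
# Constructed HR feed: accounts whose remote working arrangement has ended.
REMOTE_ACCESS_ENDED = {"dave"}
REVIEW_DATE = datetime(2024, 3, 3)  # date the access review is run


def parse_line(line):
    """Turn one key=value log line into a dict; ts becomes a datetime."""
    record = dict(field.split("=", 1) for field in line.split())
    record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return record


def review_remote_access(log_text, ended_accounts, review_date, stale_days=30):
    """Return (user, finding) pairs for policy breaches and unused access."""
    findings, last_seen = [], {}
    for line in log_text.splitlines():
        r = parse_line(line)
        if r["result"] != "success":
            continue  # failed attempts belong in a separate alerting rule
        last_seen[r["user"]] = max(last_seen.get(r["user"], r["ts"]), r["ts"])
        if r["mfa"] != "yes":
            findings.append((r["user"], "remote login without MFA"))
        if r["managed"] != "yes":
            findings.append((r["user"], f"unmanaged device {r['device']}"))
        if r["user"] in ended_accounts:
            findings.append((r["user"], "remote access not revoked"))
    # Access review: flag accounts that have not used remote access recently.
    for user, seen in last_seen.items():
        idle = (review_date - seen).days
        if idle > stale_days:
            findings.append((user, f"no remote login for {idle} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_remote_access(SAMPLE_LOG, REMOTE_ACCESS_ENDED, REVIEW_DATE):
        print(f"{user}: {finding}")
```

Each finding maps back to a policy line you can show an auditor, which is what turns a log into evidence of the control operating.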
Quick Implementation Checklist for ISO 27001 Control 6.7
Use this checklist to review your current remote working arrangements:
- A remote working policy exists and explicitly references ISO 27001 Control 6.7.
- The policy defines:
- Who can work remotely
- From where
- Which information they can access
- Which devices and networks are acceptable
- Physical security for remote working is addressed (workspace setup, storage, clear screen/desk, transport).
- Remote access is secured with VPN/VDI and multi-factor authentication.
- Corporate devices are:
- Encrypted
- Patched regularly
- Protected by anti-malware and firewalls
- Locked down with screen locks and inactivity timers
- Rules on using personal devices and public Wi-Fi are clearly stated.
- Acceptable use rules for remote working (printing, file sharing, use of personal tools) are documented.
- Remote workers receive training specific to remote working risks and expectations.
- Remote access and remote devices are logged, monitored, and reviewed.
- There are defined processes for:
- Onboarding remote workers and issuing equipment
- Handling lost/stolen devices
- Revoking access and retrieving assets when remote working ends
Bringing It All Together
ISO 27001 Control 6.7 – Remote working – is really about making remote work intentional and controlled.
If you:
- Write a clear remote working policy,
- Apply practical physical, technical, and procedural controls, and
- Train people to understand how remote working should be done,
you can enjoy the flexibility of remote working without leaving your information exposed.
When an auditor asks, “How do you control security for remote working?”, you’ll be able to walk them through a coherent set of policies, technical measures, and day-to-day practices that show ISO 27001 Control 6.7 is properly implemented.