ISO 27001 Control 6.7: Remote Working

Strengthening Security for Remote Working Environments

The modern workplace increasingly embraces remote working, offering flexibility to employees while posing unique challenges to information security. ISO 27001's Control 6.7 provides a framework for implementing robust security measures to protect information accessed, processed, or stored outside the organisation’s premises. This article explores the essential components of a secure remote working environment.


Purpose of Remote Working Security Measures

The primary objectives of implementing remote working security measures are to:

  • Safeguard organisational information against unauthorised access, misuse, or loss.

  • Ensure the confidentiality, integrity, and availability of information in remote work settings.

  • Protect the organisation’s systems, networks, and assets while facilitating seamless remote operations.


Key Considerations for Remote Working Policies

Organisations allowing remote work should develop a comprehensive, topic-specific policy defining the conditions and restrictions for remote working. The policy should address the following:


1. Physical Security

  • Assess the physical security of remote working locations, considering the local environment and jurisdictions.

  • Implement security mechanisms, such as lockable filing cabinets and secure transportation of assets.

  • Define rules for remote access, clear desk practices, printing, and information disposal.


2. Communications Security

  • Establish secure communication channels for remote access to organisational systems.

  • Assess the sensitivity of information and systems accessed remotely, implementing encryption and other safeguards as needed.

  • Define secure remote access methods, such as virtual desktops, and restrict processing on privately owned devices where applicable.


3. Network and Device Security

  • Set requirements for configuring home and public networks, including restrictions on wireless network settings.

  • Mandate the use of firewalls, antivirus software, and other protective measures.

  • Deploy secure authentication mechanisms, avoiding single-factor authentication wherever possible.

  • Enable device screen locks, inactivity timers, location tracking, and remote wipe capabilities.


4. Authorised Use

  • Clearly define the permitted remote work activities, the classification of accessible information, and authorised internal systems and services.

  • Restrict family or visitor access to organisational equipment and information.


5. Training and Awareness

  • Provide training to remote workers and support teams on secure business practices.

  • Educate personnel on identifying and mitigating risks associated with remote working.


Supporting Measures for Secure Remote Work


To enhance the security of remote working environments, organisations should:

  1. Provision Suitable Equipment: Supply approved hardware, software, and storage solutions. Discourage or prohibit the use of privately owned devices.

  2. Ensure Physical Security: Provide secure furniture and define rules for physical access to equipment and information.

  3. Establish Support Mechanisms: Offer hardware and software support, including insurance for remote working equipment.

  4. Implement Backup and Continuity Procedures: Ensure regular data backups and continuity planning.

  5. Monitor and Audit Security: Conduct regular audits and implement continuous security monitoring.

  6. Terminate Access When Necessary: Revoke access rights and retrieve equipment upon the end of remote working activities.


Additional Recommendations

Secure Deployment and Maintenance

Organisations should implement secure mechanisms for remotely deploying and maintaining systems, ensuring minimal exposure to vulnerabilities.


Incident Reporting

Establish clear guidelines for reporting security incidents, ensuring prompt action to mitigate risks and prevent recurrence.


Final Thoughts

Remote working introduces significant security challenges, but a well-structured policy and comprehensive security measures can effectively mitigate these risks. By addressing physical, communications, network, and device security, organisations can protect their information and maintain operational resilience in a flexible work environment. With proper training, support, and ongoing monitoring, remote working can be both secure and productive for all stakeholders.

About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.
