ISO 27001:2022 Annex A Control 6.7

Explaining Annex A Control 6.7 Remote working

Remote working introduces various cybersecurity risks as employees access sensitive information outside the organization’s premises. ISO 27001 Control 6.7 ensures that appropriate security measures are in place to protect data, systems, and networks in remote environments.

Annex A Control 6.7 Remote Working

Control Type

  • Preventive

Information Security Properties

  • Confidentiality
  • Integrity
  • Availability

Cybersecurity Concepts

  • Protect

Operational Capabilities

  • Asset Management
  • Information Protection
  • Physical Security
  • System and Network Security

Security Domains

  • Protection

Objective of Control 6.7

The primary objective of ISO 27001 Control 6.7 is to establish security requirements for employees and contractors working remotely, ensuring that information accessed, processed, or stored outside the organization’s premises remains secure.

This control aims to:

  • Prevent unauthorized access to sensitive data.
  • Ensure data integrity by protecting information from unauthorized modifications.
  • Maintain data availability by ensuring remote workers can securely access resources without disruptions.
  • Reduce security risks associated with home networks, public Wi-Fi, and personal devices.

Purpose of Control 6.7

The purpose of this control is to define security measures for remote working environments to reduce risks related to:

  • Data breaches caused by insecure networks or unauthorized access.
  • Device theft or loss, leading to data exposure.
  • Malware infections from unprotected personal devices.
  • Social engineering attacks, such as phishing and credential theft.
  • Lack of control over physical security, leading to unauthorized access.

This control applies to all forms of remote work, including:

  • Telecommuting – employees working from home.
  • Teleworking – employees accessing corporate resources remotely.
  • Virtual offices – fully remote work environments.
  • Remote maintenance – external vendors or IT support accessing systems from offsite locations.

Security Measures for Remote Working

1. Physical Security of Remote Work Locations

Even in remote environments, physical security remains essential. Employees working from home or other remote locations must secure their workspaces to prevent unauthorized access.

Your organization should enforce the following measures:

  • Secure workspaces using lockable cabinets for confidential documents.
  • Establish a clear desk and clear screen policy to prevent unauthorized viewing of sensitive information.
  • Restrict access to workspaces, ensuring that family members or visitors cannot access work devices or sensitive data.
  • Securely transport and dispose of physical documents used during remote work.

2. Access Control Measures

To prevent unauthorized access to your organization’s systems and data, strict access control mechanisms must be in place:

  • Role-based access control (RBAC) – restrict access to only authorized personnel.
  • Multi-factor authentication (MFA) – require users to verify their identity using multiple authentication factors.
  • Zero-trust access model – continuously verify trust levels before granting access.
  • Logging and monitoring of access activities – detect unauthorized login attempts or anomalies.

3. Network Security and Secure Communication

Remote workers often rely on home networks and public Wi-Fi, which pose security risks. To ensure secure communication:

  • Use VPNs (Virtual Private Networks) to encrypt connections between remote devices and corporate networks.
  • Enforce strong encryption protocols, such as TLS 1.3 and AES-256, for all remote communications.
  • Block access from untrusted networks and prohibit employees from using public Wi-Fi without VPN protection.
  • Require firewall and intrusion detection systems (IDS) to monitor remote connections.

4. Endpoint Security and Device Protection

Remote workers use various devices to access corporate resources, making endpoint security a critical concern.

  • Allow only organization-approved devices with pre-installed security configurations.
  • Use mobile device management (MDM) solutions to enforce security policies on remote devices.
  • Enable automatic security updates for operating systems and applications.
  • Install endpoint detection and response (EDR) solutions to monitor for malicious activities.
  • Implement remote wipe capabilities to erase sensitive data if a device is lost or stolen.

5. Data Security and Encryption

To maintain data confidentiality and integrity, robust encryption and data protection mechanisms must be applied:

  • Use full-disk encryption (FDE) for all remote work devices.
  • Encrypt sensitive data stored on USBs or external drives.
  • Secure cloud storage and collaboration tools with access control policies.
  • Prevent data leakage by implementing Data Loss Prevention (DLP) solutions.

6. Remote Work Training and Awareness

Many cybersecurity risks arise due to a lack of awareness among employees. Organizations should conduct regular security training covering:

  • Phishing and social engineering risks.
  • How to recognize and report security incidents.
  • Secure password management best practices.
  • Using multi-factor authentication (MFA) properly.
  • Handling sensitive data in remote environments.

7. Incident Response and Continuous Monitoring

Even with robust security measures, incidents can still occur. Your organization must be prepared to:

  • Implement a remote work incident response plan.
  • Monitor remote access logs for suspicious activities.
  • Enable real-time security alerts for unauthorized access attempts.
  • Conduct regular security audits to assess compliance with remote work policies.

ISO 27001 Controls Related to Remote Work

ISO 27001 Control 6.7 is closely related to several other controls that strengthen remote work security:

  • Control 5.18 – Access Rights: Manages authentication and authorization for remote employees.
  • Control 5.23 – Information Security for Cloud Services: Ensures secure use of cloud platforms in remote work environments.
  • Control 6.8 – Information security event reporting: Prevents unauthorized exposure of sensitive data.
  • Control 8.7 – Protection Against Malware: Establishes defenses against malware and cyber threats in remote environments.
  • Control 8.28 – Secure Coding: Ensures that remote employees use secure applications and systems.

Supporting Templates for Remote Work Security

Templates can facilitate compliance with Control 6.7 and strengthen your organization’s cybersecurity posture.

  • Remote Work Security Policy Template – Defines the rules and guidelines for remote work security.
  • Access Control Policy Template – Helps manage user authentication and authorization.
  • Incident Management Policy Template – Outlines steps to handle security incidents in remote environments.
  • Cybersecurity Awareness Training Guide – Educates employees on security best practices.

Conclusion

 ISO 27001 Control 6.7 provides a structured framework to secure remote work environments, ensuring that information remains protected regardless of where it is accessed. Implementing strong security policies, deploying advanced technical controls, and conducting regular employee training, your organization can minimize risks and comply with ISO 27001.

Control 6.6
ISO 27001 overview
Control 6.8