What does "ISO 27001 A.6.7: remote working" require of your organization?
A.6.7 requires organizations to take measures for secure access to information outside the office. That includes working from home, flexible working, telecommuting, or working from a coffee shop or any other remote location. Consider:
🛡️ Technology that helps
- Use a VPN or virtual desktop environment
- Mandatory 2FA (two-factor authentication)
- Do not store files locally on private devices
- Secure devices with firewall, anti-malware and endpoint protection (EDR)
📱 Device management
- Deploy Mobile Device Management (MDM) for centralized control
- Enable automatic screen lock and inactivity timers
- Encrypt laptops with BitLocker or FileVault
- Make sure you can remotely wipe or block devices in case of theft
🏠 Physical home workplace
- Don't leave documents lying around
- Use lockable cabinets
- Limit access for roommates or visitors
📘 Organizational policies
- Establish a clear 'remote work policy'
- Regulate who has access to what
- Provide an incident procedure
- Train employees in safe remote working
🧠 Awareness
Even with the best tools, things go wrong when employees don't know what they should avoid. For example:
- Sharing a file through a personal Google Drive account
- Working on the family laptop "because the business one is slow"
- Forgetting to lock the screen with roommates nearby
Awareness is not a one-time training, but something you must keep alive:
- Short microlearnings (Guardey) or e-learning modules
- Campaigns around current threats (such as phishing)
- Concrete rules of conduct: "No work over public Wi-Fi without a VPN"
Make it safe and workable
Nobody wants unnecessary rules or cumbersome procedures. Fortunately, secure remote working doesn't have to be complicated. A well-designed system makes it easy and safe for employees to do their jobs. Consider:
✔️ Automatic screen lock
For example, if an employee goes to get a coffee, the screen is automatically locked after 5 minutes. This prevents someone else from viewing or using the unattended device.
✔️ Central logging and monitoring
For example, if someone logs in from abroad at 03:00 a.m., IT automatically receives a notification. This way, suspicious actions can be investigated quickly.
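To make the monitoring rule above concrete, here is an added example (not code from the original article or from Guardey) that scans authentication log lines and raises an alert for successful logins from outside the organization's home country, escalating when the login also falls outside business hours in the organization's local time. The log line format, the IP-to-country lookup table and the sample log entries are all constructed for the example; a real deployment would use a GeoIP database and the IdP's actual log schema. It goes slightly beyond the text in that a foreign login during business hours is still flagged, at a lower "review" severity.

```python
"""Flag remote logins that warrant IT attention: sign-ins from outside the
organisation's home country, escalated when they also fall outside business
hours. The log format, IP ranges and country table below are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Constructed stand-in for a GeoIP database: prefix -> ISO country code.
# Real systems would query MaxMind or a similar database instead.
GEO_TABLE = {
    ipaddress.ip_network("10.0.0.0/8"): "NL",       # office / VPN pool
    ipaddress.ip_network("203.0.113.0/24"): "NL",   # home broadband (TEST-NET-3)
    ipaddress.ip_network("198.51.100.0/24"): "BR",  # "abroad" (TEST-NET-2)
    ipaddress.ip_network("192.0.2.0/24"): "US",     # "abroad" (TEST-NET-1)
}

# Organisation's local time zone. A fixed offset keeps the example dependency-free;
# production code should use zoneinfo.ZoneInfo so that DST is handled correctly.
LOCAL_TZ = timezone(timedelta(hours=1), "CET")

# Constructed syslog-style format, timestamps in UTC:
#   2024-03-10T02:02:17+00:00 sso: user=bob ip=198.51.100.7 result=success
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sso: user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Alert:
    user: str
    ip: str
    country: str
    local_time: str
    severity: str  # "review" (foreign, office hours) or "alert" (foreign + off-hours)


def country_for(ip: str) -> str:
    """Look up the country of an address in the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"  # unknown origin: treated as foreign so it is never silently ignored


def flag_logins(lines, home_country="NL", tz=LOCAL_TZ,
                start=time(7, 0), end=time(19, 0)):
    """Return one Alert per successful login from outside home_country.
    Off-hours is judged in the organisation's local time, not in UTC."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue  # malformed lines and failed attempts are out of scope here
        cc = country_for(m["ip"])
        if cc == home_country:
            continue
        local = datetime.fromisoformat(m["ts"]).astimezone(tz)
        off_hours = not (start <= local.time() < end)
        alerts.append(Alert(m["user"], m["ip"], cc, local.isoformat(),
                            "alert" if off_hours else "review"))
    return alerts


# Constructed sample log: one normal login, one 03:02 local-time login from
# abroad, one daytime login from abroad, one failed attempt, one unknown origin.
SAMPLE_LOG = [
    "2024-03-10T09:15:02+00:00 sso: user=alice ip=203.0.113.5 result=success",
    "2024-03-10T02:02:17+00:00 sso: user=bob ip=198.51.100.7 result=success",
    "2024-03-10T13:30:00+00:00 sso: user=carol ip=192.0.2.44 result=success",
    "2024-03-10T02:05:00+00:00 sso: user=bob ip=198.51.100.7 result=failure",
    "2024-03-10T18:30:00+00:00 sso: user=dave ip=172.16.5.9 result=success",
]

if __name__ == "__main__":
    for a in flag_logins(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.user} from {a.ip} ({a.country}) at {a.local_time}")
```

Running the block prints an ALERT for bob (Brazil, 03:02 local), a REVIEW for carol (US, 14:30 local) and an ALERT for dave (unknown origin, 19:30 local); alice's login from a home-country address produces nothing. Treating an unknown country as foreign is deliberate: a lookup failure should surface for review rather than suppress the notification.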
✔️ Be able to remotely wipe devices if lost
For example, if an employee loses their laptop on the train, IT can remotely wipe the device. This keeps company data protected.
✔️ Regular awareness training
For example, employees receive a short training session and a phishing test every quarter. This keeps them alert to digital threats.
✔️ Working with pre-approved tools and storage locations
For example, files may only be stored in OneDrive or SharePoint. Tools such as Dropbox or USB sticks are blocked.
What can you do now?
✅ Create a 'Remote Work Security Policy'
✅ Let your colleagues know what they can and cannot do
✅ Use technical tools to restrict and monitor access
Want advice on this, or a review of your policies? Schedule a no-obligation consultation; we'd be happy to think it through with you!