ISO 27001:2022 Annex A Control 6.7

Remote Working

Book a demo

woman,working,at,home,office.close,up,hand,on,laptop,keyboard.

What is ISO 27001:2022 Annex A 6.7?

ISO 27001:2022 Annex A 6.7, Remote Working provides guidance on how organisations should have a policy in place to ensure secure access to information systems and networks when working remotely. It further recommends the implementation of an information security management system that includes procedures for protecting remote access.

Information Security Implications of Remote Working

Remote working has become a more widespread trend, as technology has advanced to enable employees to work remotely without affecting productivity and efficiency. Nonetheless, this comes with the potential for data security concerns.

Being a business owner, it is necessary to protect intellectual property from cyber criminals and ensure the safety of data against hackers. Taking action, one can guard against cyber-crime and guarantee the security of information.

Remote working can present a range of security risks that need to be addressed, such as:

Access Control

Remote working can be beneficial, providing greater access to confidential data and systems. Nevertheless, it does come with several security considerations.

Remote working, if not overseen correctly, can be vulnerable to security issues such as hacking, malware, unauthorised access and more. This is particularly the case if employees are not present in a secure setting.

Loss of Physical Security

Remote working can also have an effect on a business’s physical security. As staff are no longer present in the office or a building, they may not be able to detect any suspicious activities.

Confidentiality

Remote working can pose a risk to confidentiality. For instance, employees may access confidential information without permission from the company.

Employees can readily gain access to confidential corporate data from the public web. Moreover, there are even sites where staff can upload confidential data for public viewing.

Privacy

Remote working can have an effect on the privacy of an organisation. For instance, if personnel are working from home, they could be more prone to not putting away their personal belongings.

This property might hold confidential data that could jeopardise a firm’s privacy.

Data Protection

Remote working can present a danger to a business’s data. Employees can, for instance, gain access to company information remotely, and this data can be stored in multiple locations.

In the case of employees leaving the workplace and taking their device with them, retrieval of data stored on computers, servers and mobile devices may prove more challenging.

The worker may err or act in bad faith with the device, risking the security of the data.

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

What Is the Purpose of ISO 27001:2022 Annex A 6.7?

The aim of ISO 27001:2022 Annex A 6.7 is to guarantee remote personnel have the necessary access controls in place to safeguard the confidentiality, integrity and availability of confidential or proprietary information, procedures and systems from unauthorised access or disclosure by unauthorised persons.

Organisations must ensure the security of information when personnel are operating remotely. Thus, they should issue a tailored policy regarding remote working that lays out the applicable conditions and limits for data security. This policy should be disseminated to all personnel, including instruction on how to utilise remote access technologies securely and safely.

This policy is likely to address:

  • The conditions under which remote working is allowed.
  • Processes for ensuring remote workers have access to confidential information.
  • Ensuring information is safeguarded when transmitted between different physical locations entails adhering to certain procedures.

It is essential to establish a clear system for reporting incidents, including the right contact info. This can help to prevent security breaches or other incidents.

The policy should also cover encryption, firewalls, antivirus software updates and employee instruction on how to securely utilise remote connections.

What Is Involved and How to Meet the Requirements

In order to comply with Annex A 6.7, organisations offering remote work should issue a policy regarding remote working which specifies the related regulations and limits.

The policy should be assessed periodically, especially when technology or legislation alters.

All personnel, contractors and entities involved in remote working activities should be apprised of the policy.

The policy should be documented, made accessible to stakeholders, such as regulators and auditors, and kept up to date.

Organisations must make sure they have the necessary safeguards to secure sensitive or confidential info transmitted or stored electronically during remote operations.

In accordance with Annex A 6.7, the following should be taken into account:

  • Consider the physical security of the remote working site, both existing and proposed, encompassing the safety of the locale, the surrounding area, and the legal systems of the regions in which staff are based.
  • Secure physical environment rules, such as lockable filing cabinets, secure transport between sites, remote access regulations, clear desk, printing and disposing of data and related assets, as well as reporting on security events, must be implemented.
  • The anticipated physical environments for remote working.
  • Secure communications must be ensured, taking into account remote access needs of the organisation, the sensitivity of the data transferred, and the vulnerability of the systems and applications.
  • Remote access, such as virtual desktop access, enables processing and storage of information on personal devices.
  • The danger of unauthorised access to data or assets from individuals outside the remote workspace – such as relatives and friends – is real.
  • The risk of unauthorised access to data or assets by people in public areas is a concern.
  • The employment of both home and public networks, as well as rules or prohibitions related to the setup of wireless network services, is necessary.
  • Employing security measures, like firewalls and anti-malware protection, is essential.
  • Ensure systems can be deployed and initiated remotely with secure protocols.
  • Secure authentication mechanisms must be enabled to grant access privileges, taking into account the susceptibility of single-factor authentication mechanisms when remote access to the organisation’s network is authorised.

Guidelines and measures to be taken into account should include:

  • The organisation must supply suitable equipment and storage furniture for remote working activities, forbidding the use of privately-owned equipment not under its control.
  • This job involves the following: defining the work permitted, classifying the info that can be held, and authorising remote workers to access internal systems and services.
  • Training should be provided for those working remotely and those offering support. This should cover how to securely conduct business outside the office.
  • Ensuring that suitable communication equipment is provided, such as requiring device screen locks and inactivity timers for remote access, is essential.
  • Enabling device location tracking is possible.
  • The installation of remote wipe capabilities is a must.
  • Physical security.
  • Guidelines and rules regarding family and visitor access to equipment and data must be followed.
  • The business provides hardware and software support and maintenance.
  • The provision of insurance.
  • The protocol for data backup and continuity of operations.
  • Audit and security monitoring.
  • Upon termination of remote working activities, authority and access rights must be revoked and all equipment be returned.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 6.7 is an adaptation of Annex A 6.2.2 from ISO 27001:2013 and not a new element.

ISO 27001:2022 Annex A 6.7 and 6.2.2 share many similarities, though the nomenclature and wording differ. In ISO 27001:2013, 6.2.2 is referred to as teleworking, while 6.7 is known as remote working. This change is reflected in the new version of the standard, which replaces teleworking with remote working.

In Annex A 6.7 of ISO 27001:2022, the standard outlines what qualifies as remote working, including teleworking – the initial control name in the ISO 27001:2013 version.

Version 2022 of the implementation guidelines are largely similar, although the language and terms differ. To guarantee users of the standard comprehend, user-friendly language is employed.

Some additions were made in Annex A 6.7, and some deletions occurred in 6.2.2.

Added to ISO 27001:2022 Annex A 6.7 Remote Working

  • Ensure physical security with lockable filing cabinets, provide secure transportation and access instructions, mandate clear desk policies, outline print/disposal protocols for info/assets, and implement an incident response system.
  • It is anticipated that people will be working remotely. Physical circumstances are expected.
  • The risk of unauthorised access to information or resources from strangers in public areas.
  • Secure methods for remote deployment and setup of systems.
  • Secure mechanisms are in place to authenticate and allow access privileges, taking into account the susceptibility of single-factor authentication mechanisms when remote access to the organisation’s network is enabled.

Removed From ISO 27001:2013 Annex A 6.2.2 Teleworking

  • The implementation of home networks and the regulations or limitations on configuring wireless network services are necessary.
  • Policies and procedures to mitigate disputes regarding rights to intellectual property developed on privately owned equipment should be instituted.
  • Gaining access to privately owned machinery (to ensure its safety or for investigative purposes) may be prohibited by law.
  • Organisations may be responsible for software licensing on workstations that are privately owned by either their staff or external users.

ISO 27001:2022 gives statements of purpose and attribute tables for each control, aiding users to comprehend and put into practice the controls more effectively.

The ISO 27001:2013 version lacks these two components.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

Who Is in Charge of This Process?

The primary duty of devising an information security policy for remote employees lies with the organisation’s information security officer. Nevertheless, other stakeholders should also be involved in the process.

IT and HR managers are jointly responsible for ensuring that the policy is implemented and maintained, and that employees comprehend and abide by it.

If you have a vendor management program, then it is likely the individual responsible for managing contractors and vendors will be responsible for forming a security policy for external workers in that department.

What Do These Changes Mean for You?

ISO 27001:2022 remains largely unchanged; thus, you simply need to ensure that your information security processes comply with the new release.

Altering some controls and clarifying certain requirements was the main change. Annex A 6.7 had the most significant effect – if you outsource operations or employ people remotely, you must make sure that they have suitable security measures.

If your organisation already holds an ISO 27001 certification, the process you employ to manage information security will satisfy the new regulations.

If you’re seeking to renew your ISO 27001 certification, you don’t need to take any action. Only ensure that your procedures still accord with the new standard.

If you are starting from the beginning, it is necessary to consider how to safeguard your company’s data and information against cyber attacks and other risks.

It is essential to take cyber risks seriously and manage them as part of the overall business plan, rather than only regarding them as a problem for IT or security departments.

How ISMS.online Help

The ISMS.online platform assists with every facet of ISO 27001:2022 implementation, from carrying out risk assessment activities to designing policies, procedures, and directives to satisfy the standard’s specifications.

ISMS.online provides a platform for documenting and sharing findings with colleagues. Furthermore, it enables you to generate and store checklists of all needed tasks for ISO 27001 implementation, allowing you to monitor your organisation’s security measures conveniently.

We provides organisations with a set of automated tools to make demonstrating compliance with ISO 27001 straightforward.

Contact us now to book a demonstration.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

100% ISO 27001 success

Your simple, practical, time-saving path to first-time ISO 27001 compliance or certification

Book your demo
Assured Results Method

Streamline your workflow with our new Jira integration! Learn more here.