ISO 27001:2022 Annex A Control 6.7

What Is the Purpose of ISO 27001:2022 Annex A 6.7?

The aim of ISO 27001:2022 Annex A 6.7 is to guarantee remote personnel have the necessary access controls in place to safeguard the confidentiality, integrity and availability of confidential or proprietary information, procedures and systems from unauthorised access or disclosure by unauthorised persons.

Organisations must ensure the security of information when personnel are operating remotely. Thus, they should issue a tailored policy regarding remote working that lays out the applicable conditions and limits for data security. This policy should be disseminated to all personnel, including instruction on how to utilise remote access technologies securely and safely.

This policy is likely to address:

• The conditions under which remote working is allowed.
• Processes for ensuring remote workers have access to confidential information.
• Ensuring information is safeguarded when transmitted between different physical locations entails adhering to certain procedures.

It is essential to establish a clear system for reporting incidents, including the right contact info. This can help to prevent security breaches or other incidents.

The policy should also cover encryption, firewalls, antivirus software updates and employee instruction on how to securely utilise remote connections.

What Is Involved and How to Meet the Requirements

In order to comply with Annex A 6.7, organisations offering remote work should issue a policy regarding remote working which specifies the related regulations and limits.

The policy should be assessed periodically, especially when technology or legislation alters.

All personnel, contractors and entities involved in remote working activities should be apprised of the policy.

The policy should be documented, made accessible to stakeholders, such as regulators and auditors, and kept up to date.

Organisations must make sure they have the necessary safeguards to secure sensitive or confidential info transmitted or stored electronically during remote operations.

In accordance with Annex A 6.7, the following should be taken into account:

• Consider the physical security of the remote working site, both existing and proposed, encompassing the safety of the locale, the surrounding area, and the legal systems of the regions in which staff are based.
• Secure physical environment rules, such as lockable filing cabinets, secure transport between sites, remote access regulations, clear desk, printing and disposing of data and related assets, as well as reporting on security events, must be implemented.
• The anticipated physical environments for remote working.
• Secure communications must be ensured, taking into account remote access needs of the organisation, the sensitivity of the data transferred, and the vulnerability of the systems and applications.
• Remote access, such as virtual desktop access, enables processing and storage of information on personal devices.
• The danger of unauthorised access to data or assets from individuals outside the remote workspace – such as relatives and friends – is real.
• The risk of unauthorised access to data or assets by people in public areas is a concern.
• The employment of both home and public networks, as well as rules or prohibitions related to the setup of wireless network services, is necessary.
• Employing security measures, like firewalls and anti-malware protection, is essential.
• Ensure systems can be deployed and initiated remotely with secure protocols.
• Secure authentication mechanisms must be enabled to grant access privileges, taking into account the susceptibility of single-factor authentication mechanisms when remote access to the organisation’s network is authorised.

Guidelines and measures to be taken into account should include:

• The organisation must supply suitable equipment and storage furniture for remote working activities, forbidding the use of privately-owned equipment not under its control.
• This job involves the following: defining the work permitted, classifying the info that can be held, and authorising remote workers to access internal systems and services.
• Training should be provided for those working remotely and those offering support. This should cover how to securely conduct business outside the office.
• Ensuring that suitable communication equipment is provided, such as requiring device screen locks and inactivity timers for remote access, is essential.
• Enabling device location tracking is possible.
• The installation of remote wipe capabilities is a must.
• Physical security.
• Guidelines and rules regarding family and visitor access to equipment and data must be followed.
• The business provides hardware and software support and maintenance.
• The provision of insurance.
• The protocol for data backup and continuity of operations.
• Audit and security monitoring.
• Upon termination of remote working activities, authority and access rights must be revoked and all equipment be returned.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 6.7 is an adaptation of Annex A 6.2.2 from ISO 27001:2013 and not a new element.

ISO 27001:2022 Annex A 6.7 and 6.2.2 share many similarities, though the nomenclature and wording differ. In ISO 27001:2013, 6.2.2 is referred to as teleworking, while 6.7 is known as remote working. This change is reflected in the new version of the standard, which replaces teleworking with remote working.

In Annex A 6.7 of ISO 27001:2022, the standard outlines what qualifies as remote working, including teleworking – the initial control name in the ISO 27001:2013 version.

Version 2022 of the implementation guidelines are largely similar, although the language and terms differ. To guarantee users of the standard comprehend, user-friendly language is employed.

Some additions were made in Annex A 6.7, and some deletions occurred in 6.2.2.

Added to ISO 27001:2022 Annex A 6.7 Remote Working

• Ensure physical security with lockable filing cabinets, provide secure transportation and access instructions, mandate clear desk policies, outline print/disposal protocols for info/assets, and implement an incident response system.
• It is anticipated that people will be working remotely. Physical circumstances are expected.
• The risk of unauthorised access to information or resources from strangers in public areas.
• Secure methods for remote deployment and setup of systems.
• Secure mechanisms are in place to authenticate and allow access privileges, taking into account the susceptibility of single-factor authentication mechanisms when remote access to the organisation’s network is enabled.

Removed From ISO 27001:2013 Annex A 6.2.2 Teleworking

• The implementation of home networks and the regulations or limitations on configuring wireless network services are necessary.
• Policies and procedures to mitigate disputes regarding rights to intellectual property developed on privately owned equipment should be instituted.
• Gaining access to privately owned machinery (to ensure its safety or for investigative purposes) may be prohibited by law.
• Organisations may be responsible for software licensing on workstations that are privately owned by either their staff or external users.

ISO 27001:2022 gives statements of purpose and attribute tables for each control, aiding users to comprehend and put into practice the controls more effectively.

The ISO 27001:2013 version lacks these two components.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

Who Is in Charge of This Process?

The primary duty of devising an information security policy for remote employees lies with the organisation’s information security officer. Nevertheless, other stakeholders should also be involved in the process.

IT and HR managers are jointly responsible for ensuring that the policy is implemented and maintained, and that employees comprehend and abide by it.

If you have a vendor management program, then it is likely the individual responsible for managing contractors and vendors will be responsible for forming a security policy for external workers in that department.

What Do These Changes Mean for You?

ISO 27001:2022 remains largely unchanged; thus, you simply need to ensure that your information security processes comply with the new release.

Altering some controls and clarifying certain requirements was the main change. Annex A 6.7 had the most significant effect – if you outsource operations or employ people remotely, you must make sure that they have suitable security measures.

If your organisation already holds an ISO 27001 certification, the process you employ to manage information security will satisfy the new regulations.

If you’re seeking to renew your ISO 27001 certification, you don’t need to take any action. Only ensure that your procedures still accord with the new standard.

If you are starting from the beginning, it is necessary to consider how to safeguard your company’s data and information against cyber attacks and other risks.

It is essential to take cyber risks seriously and manage them as part of the overall business plan, rather than only regarding them as a problem for IT or security departments.

How ISMS.online Help

The ISMS.online platform assists with every facet of ISO 27001:2022 implementation, from carrying out risk assessment activities to designing policies, procedures, and directives to satisfy the standard’s specifications.

ISMS.online provides a platform for documenting and sharing findings with colleagues. Furthermore, it enables you to generate and store checklists of all needed tasks for ISO 27001 implementation, allowing you to monitor your organisation’s security measures conveniently.

We provides organisations with a set of automated tools to make demonstrating compliance with ISO 27001 straightforward.

Contact us now to book a demonstration.