ISO 27001:2022 Annex A 6.7 Checklist Guide

ISO 27001 A.6.7 Remote Working Checklist

A.6.7 Remote Working is a control within the People Controls section of ISO 27001:2022, designed to address the security measures and policies necessary for employees working remotely. This control ensures that remote work is conducted securely, protecting organisational information and systems from potential threats and vulnerabilities associated with remote work environments.

Implementing this control involves establishing robust security measures, managing devices, ensuring secure communication, enforcing access control, raising policy awareness, and maintaining effective monitoring and reporting mechanisms.

Given the increasing prevalence of remote work, these measures are crucial for maintaining the integrity and security of organisational information systems.

---

---

Why Should You Comply With Annex A.6.7? Key Aspects and Common Challenges

1. Security Measures

Implementing technical and procedural safeguards to secure remote working environments.

• Solutions:
• Regular Updates and Patch Management: Establish automated processes to ensure devices are regularly updated and patched.
• Home Network Security Guidelines: Provide clear guidelines for securing home networks, including the use of strong passwords and firewalls.
• VPN and Encryption Policies: Implement mandatory VPN usage policies and end-to-end encryption for all data transmissions.
• Associated ISO 27001 Clauses: 6.1.2, 8.1

2. Device Management

Establishing policies and procedures for the use of company-owned and personal devices.

• Solutions:
• BYOD Policy Development: Develop comprehensive BYOD policies that include security requirements and acceptable use.
• MDM Implementation: Utilise mobile device management solutions to enforce security configurations and monitor compliance.
• Device Tracking and Response: Implement tools for tracking devices and procedures for handling lost or stolen devices.
• Associated ISO 27001 Clauses: 7.5.1, 8.1, 8.2, 8.3

3. Communication Tools

Ensuring secure communication channels are used for remote work.

• Solutions:
• Standardised Communication Platforms: Select and mandate the use of secure, standardised communication tools.
• Employee Training Programmes: Regularly train employees on the use of secure communication tools and the risks of unapproved platforms.
• Security Monitoring: Implement monitoring tools to track and secure communications.
• Associated ISO 27001 Clauses: 7.3, 8.2, 8.3, 9.1

4. Access Control

Implementing strict access control measures to ensure that only authorised personnel can access sensitive information and systems remotely.

• Solutions:
• MFA Implementation: Enforce multi-factor authentication for all remote access to sensitive systems.
• Regular Access Reviews: Schedule regular reviews of access permissions to ensure they are up-to-date and appropriate.
• Access Control Policies: Develop and implement robust access control policies that balance security and usability.
• Associated ISO 27001 Clauses: 7.2, 8.3, 9.2

5. Policy Awareness

Educating employees about remote working policies and procedures.

• Solutions:
• Comprehensive Training Programmes: Develop training programmes that cover all aspects of remote working security.
• Interactive Training Sessions: Use interactive and engaging methods to ensure employee understanding and adherence.
• Regular Updates and Communication: Continuously update training materials and policies, and communicate changes effectively.
• Associated ISO 27001 Clauses: 7.2, 7.3

6. Monitoring and Reporting

Establishing mechanisms to monitor remote work activities and detect potential security incidents.

• Solutions:
• Privacy-Respecting Monitoring Tools: Implement monitoring tools that balance privacy with security needs.
• Incident Response Plans: Develop and test incident response plans tailored to remote work scenarios.
• Data Analysis Tools: Utilise advanced data analysis tools to sift through monitoring data and identify potential threats.
• Associated ISO 27001 Clauses: 9.1, 9.2, 10.1

---

---

ISMS.online Features for Demonstrating Compliance with A.6.7

1. Policy Management

• Policy Templates: Provides pre-built templates for creating and communicating remote working policies.
• Challenge Addressed: Standardises policy creation, ensuring comprehensive coverage and ease of communication.
• Policy Pack: Enables the bundling of related policies, ensuring comprehensive coverage of remote working requirements.
• Challenge Addressed: Ensures that all relevant policies are grouped and communicated effectively.
• Version Control: Tracks changes and updates to policies, ensuring employees have access to the most current guidelines.
• Challenge Addressed: Maintains up-to-date policies, addressing the dynamic nature of remote working requirements.

2. Incident Management

• Incident Tracker: Logs and manages remote work-related security incidents, ensuring proper documentation and response.
• Challenge Addressed: Provides a structured way to manage and respond to incidents, ensuring no incident goes untracked.
• Workflow: Facilitates the handling of incidents through predefined processes, ensuring consistent and effective responses.
• Challenge Addressed: Ensures that incident response processes are followed systematically.
• Notifications: Alerts relevant personnel of incidents, ensuring timely awareness and action.
• Challenge Addressed: Enhances timely communication and response to security incidents.

3. Risk Management

• Risk Bank: Identifies and catalogues risks associated with remote working, providing a repository for risk assessments.
• Challenge Addressed: Centralises risk information, making it easier to manage and mitigate risks.
• Dynamic Risk Map: Visualises risks in real-time, helping to prioritise and address remote working threats.
• Challenge Addressed: Provides a clear visual representation of risks, aiding in risk prioritisation and management.
• Risk Monitoring: Continuously monitors identified risks, ensuring proactive management and mitigation.
• Challenge Addressed: Enables ongoing risk assessment and timely interventions.

4. Training

• Training Modules: Provides specific training on remote working security practices, ensuring employees understand and follow policies.
• Challenge Addressed: Ensures consistent and comprehensive training across the organisation.
• Training Tracking: Monitors employee participation and completion of training modules, ensuring compliance with training requirements.
• Challenge Addressed: Tracks training engagement and completion, ensuring compliance.
• Assessment: Tests employee knowledge on remote working security, ensuring comprehension and adherence to policies.
• Challenge Addressed: Validates understanding and adherence to security practices.

5. Communication

• Alert System: Sends out important notifications related to remote working policies and security updates.
• Challenge Addressed: Ensures timely and effective communication of critical information.
• Notification System: Ensures timely dissemination of critical information and policy changes to all employees.
• Challenge Addressed: Enhances communication effectiveness and policy adherence.
• Collaboration Tools: Facilitates secure communication and collaboration among remote workers.
• Challenge Addressed: Provides secure and standardised tools for remote collaboration.

6. Documentation

• Doc Templates: Provides templates for documenting remote working policies, procedures, and incident reports.
• Challenge Addressed: Standardises documentation, ensuring completeness and consistency.
• Version Control: Ensures that all documentation is current and reflects the latest policies and procedures.
• Challenge Addressed: Maintains up-to-date documentation, addressing changes and updates promptly.
• Collaboration: Allows for collaborative creation and review of remote working documents, ensuring thoroughness and accuracy.
• Challenge Addressed: Enhances document quality and completeness through collaboration.

Detailed Annex A.6.7 Compliance Checklist

1. Security Measures

• Ensure all remote devices are configured with the latest security patches.
• Implement and enforce the use of VPNs and encryption.
• Establish procedures for securing home network environments.
• Conduct regular security assessments of remote working environments.

2. Device Management

• Create and enforce BYOD policies that balance security with convenience.
• Ensure compliance with device security configurations and software requirements.
• Implement mobile device management (MDM) solutions.
• Manage the lifecycle and security of remote devices.
• Establish protocols for reporting lost or stolen devices.

3. Communication Tools

• Standardise and secure communication tools across teams.
• Provide training on secure communication methods.
• Monitor and manage the security of communication tools.
• Regularly update and patch communication software.

4. Access Control

• Implement multi-factor authentication (MFA) for remote access.
• Regularly review and update access permissions.
• Ensure access controls balance security with user convenience.
• Conduct periodic access control audits.

5. Policy Awareness

• Provide consistent and comprehensive training on remote working policies.
• Engage employees to understand and adhere to policies.
• Continuously update and communicate training materials.
• Implement acknowledgment tracking to ensure policy understanding.

6. Monitoring and Reporting

• Implement effective monitoring tools that respect privacy.
• Detect and respond to security incidents promptly.
• Analyse monitoring data to identify and mitigate threats.
• Establish clear reporting lines and protocols for remote work incidents.

Additional Considerations

• Conduct regular training sessions on best practices for remote working security.
• Provide resources and support for troubleshooting remote work issues.
• Create a knowledge base with FAQs and guides on remote working policies and security.

• Ensure all remote working technology is regularly updated.
• Evaluate and adopt new technologies that enhance remote working security.
• Maintain an inventory of all remote working devices and their compliance status.

• Regularly review and improve remote working policies and procedures.
• Gather feedback from remote workers to identify areas for improvement.
• Benchmark against industry best practices and standards.

By addressing these aspects, using relevant ISMS.online features, and following the compliance checklist, the A.6.7 Remote Working control ensures that remote work is conducted securely, protecting organisational assets and maintaining compliance with ISO 27001:2022 requirements.

---

---

Every Annex A Control Checklist Table

How ISMS.online Help With A.6.7

Ensure your organisation’s remote working practices are secure, compliant, and efficient.

Take the next step towards robust information security management by leveraging the powerful features of ISMS.online. Our platform provides the tools and support you need to implement and maintain ISO 27001:2022 compliance, particularly for remote working environments.

Don’t wait—secure your organisation’s future today. Contact ISMS.online to learn more about how our comprehensive solutions can benefit your business.

Find out more by booking a demo.