ISO 27002:2022, Control 6.7 – Remote Working

ISO 27002:2022 Revised Controls

What is Control 6.7?

Control 6.7, Remote Working is a control in the revised ISO 27002:2022. It recommends that organisations should have a policy on remote working as well as an information security management system that includes procedures for securing remote access to information systems and networks.

Information Security Implications of Remote Working

Remote working has become more common as technology has developed and it is now possible for employees to work from home without damaging productivity or efficiency. However, it can also raise some concerns about data security.

If you’re a business owner, you’ll want to know how to protect your intellectual property against cyber criminals and ensure that your data is safe from hackers.

Here are some information security implications of remote working:

Access Control

Remote working can be advantageous because it gives staff easier access to sensitive information and systems from wherever they are. However, that same ease of access has several security implications.

Remote working, if not properly managed, can be susceptible to security risks such as hacking, malware attacks, unauthorised access, and others. This is especially true when employees are not physically in a secure environment.

Loss of Physical Security

Remote working can also impact the physical security of a business. This is because it can mean that employees are no longer physically located in an office or building and, thus, may not be as likely to see or hear suspicious activity.

Confidentiality

Remote working can also pose some risks with regard to confidentiality. For example, employees can access confidential information remotely, and may do so without the consent of the company.

Employees can also easily access sensitive company information over the public internet, and there are even websites to which sensitive information can be uploaded for anyone to see.

Privacy

Remote working can also impact the privacy of an organisation. For example, if employees are working from home, they may be more likely to leave their personal belongings lying around.

These belongings may contain sensitive information that could compromise the privacy of a company.

Data Protection

Remote working can also pose a risk to the data of a business. For example, employees can remotely access company data, which may be stored in a variety of locations.

This can include data on computers, servers, and mobile devices. If the employee leaves the office and takes the device, it can be more difficult to recover the data.

Also, the employee can make a mistake or do something malicious with the device, which can compromise the data.

Attributes Table

Attributes are used to categorise controls. Using attributes, you can quickly map a control to widely used industry terminology and specifications.

Attributes for control 6.7 are as seen below.

Control Type: #Preventive
Information Security Properties: #Confidentiality, #Integrity, #Availability
Cybersecurity Concepts: #Protect
Operational Capabilities: #Asset Management, #Information Protection, #Physical Security, #System and Network Security
Security Domains: #Protection

What Is the Purpose of Control 6.7?

The purpose of Control 6.7 is to ensure that personnel working remotely have adequate access controls in place to protect the confidentiality, integrity and availability of sensitive or proprietary information, processes and systems from unauthorised access or disclosure by unauthorised individuals.

To ensure the security of information when personnel are working remotely, organisations should issue a topic-specific policy on remote working that defines the relevant conditions and restrictions for information security. The policy should be distributed to all staff and include guidance on how they can use remote access technologies safely and securely.

A topic-specific policy like this will likely cover:

  • The circumstances in which remote working is permitted.
  • The processes used to ensure that remote workers are authorised to access confidential information.
  • The procedures for ensuring that information is protected when it is transmitted between different physical locations.

In addition to these basic requirements, it is also important to have a clearly defined procedure for reporting incidents, including the appropriate contact details. This can help reduce the risk of breaches or other security incidents occurring in the first place.

The policy may also need to address issues such as encryption, firewalls and antivirus software updates as well as employee training about how to use remote connectivity safely.

What Is Involved and How to Meet the Requirements

In order to meet the requirements for control 6.7, organisations allowing remote working activities should issue a topic-specific policy on remote working that defines the relevant conditions and restrictions.

The policy should be reviewed regularly, particularly when there is any change in technology or legislation.

The policy should be communicated to all employees, contractors and other parties involved in remote working activities.

The policy should be documented and made available to any relevant third party, including regulators and auditors.

Organisations must also ensure that they have adequate measures in place to protect sensitive or confidential information transmitted or stored electronically during remote working activities.

In line with the provisions of control 6.7, the following matters should be considered:

  • The existing or proposed physical security of the remote working site, taking into account the physical security of the location and the local environment, including the different jurisdictions where personnel are located.
  • Rules and security mechanisms for the remote physical environment such as lockable filing cabinets, secure transportation between locations and rules for remote access, clear desk, printing and disposal of information and other associated assets, and information security event reporting.
  • The expected physical remote working environments.
  • The communications security requirements, taking into account the need for remote access to the organisation’s systems, the sensitivity of the information to be accessed and passed over the communication link and the sensitivity of the systems and applications.
  • The use of remote access such as virtual desktop access that supports processing and storage of information on privately owned equipment.
  • The threat of unauthorised access to information or resources from other persons at the remote working site (e.g. family and friends).
  • The threat of unauthorised access to information or resources from other persons in public places.
  • The use of home networks and public networks, and requirements or restrictions on the configuration of wireless network services.
  • Use of security measures, such as firewalls and protection against malware.
  • Secure mechanisms for deploying and initialising systems remotely.
  • Secure mechanisms for authentication and enablement of access privileges taking into consideration the vulnerability of single-factor authentication mechanisms where remote access to the organisation’s network is allowed.

The guidelines and measures to be considered should include:

  1. The provision of suitable equipment and storage furniture for the remote working activities, where the use of privately-owned equipment that is not under the control of the organisation is not allowed.
  2. A definition of the work permitted, the classification of information that can be held and the internal systems and services that the remote worker is authorised to access.
  3. The provision of training for those working remotely and those providing support. This should include how to conduct business in a secure manner while working remotely.
  4. The provision of suitable communication equipment, including methods for securing remote access, such as requirements on device screen locks and inactivity timers.
  5. The enabling of device location tracking.
  6. Installation of remote wipe capabilities.
  7. Physical security.
  8. Rules and guidance on family and visitor access to equipment and information.
  9. The provision of hardware and software support and maintenance.
  10. The provision of insurance.
  11. The procedures for backup and business continuity.
  12. Audit and security monitoring.
  13. Revocation of authority and access rights and the return of equipment when the remote working activities are terminated.

Changes and Differences from ISO 27002:2013

Control 6.7 in ISO 27002:2022 is a modified version of control 6.2.2 in ISO 27002:2013 and is not a new control.

While these two controls share many characteristics, they differ somewhat in nomenclature and wording. The control name, for example, is not the same: control 6.2.2 in ISO 27002:2013 is called teleworking, whereas control 6.7 calls it remote working, the term that replaced teleworking in the new version of the standard.

In control 6.7, ISO 27002:2022, the standard defines what remote working is, and the types of work that can qualify as remote working. This includes teleworking, which is the original control name in the 2013 version of the standard.

The implementation guidelines are somewhat similar even though the language and terms are different. The 2022 version uses more user-friendly language to make sure that readers of the standard understand what is expected of them.

That said, some points were added in control 6.7 and some removed from control 6.2.2.

Added to Control 6.7 Remote Working

  • rules and security mechanisms for the remote physical environment such as lockable filing cabinets, secure transportation between locations and rules for remote access, clear desk, printing and disposal of information and other associated assets, and information security event reporting.
  • the expected physical remote working environments.
  • the threat of unauthorised access to information or resources from other persons in public places.
  • secure mechanisms for deploying and initialising systems remotely.
  • secure mechanisms for authentication and enablement of access privileges taking into consideration the vulnerability of single-factor authentication mechanisms where remote access to the organisation’s network is allowed.

Removed From Control 6.2.2 Teleworking

  • The use of home networks and requirements or restrictions on the configuration of wireless network services.
  • Policies and procedures to prevent disputes concerning rights to intellectual property developed on privately owned equipment.
  • Access to privately owned equipment (to verify the security of the machine or during an investigation), which may be prevented by legislation.
  • Software licensing agreements that are such that organisations may become liable for licensing for client software on workstations owned privately by employees or external party users.

Furthermore, the ISO 27002 version 2022 provides statements of purpose and attribute tables for each control, which assist users in better understanding and implementing the controls.

The 2013 version does not have these two parts.

Who Is in Charge of This Process?

The primary responsibility for creating an information security policy for remote workers lies with the organisation’s information security officer. However, other stakeholders should also be involved in the process.

This includes IT managers, who are responsible for implementing and maintaining the policy, as well as HR managers, who are responsible for making sure that employees understand it and adhere to it.

If you have a vendor management program, then the answer will depend on who is responsible for managing contractors and vendors in general. In most cases, this person would also be responsible for creating an information security policy for remote workers in that department.

What Do These Changes Mean for You?

The ISO 27002 was not significantly changed so you don’t need to do much except check that your information security processes are in line with the upgrade.

The main change was to modify some of the controls and to clarify some of the requirements. The main effect with regard to control 6.7 is that if you outsource any of your operations to a third party or have people working remotely, you will need to ensure that they have an appropriate level of security controls in place.

If you have an existing ISO 27001 certification, then your current process for managing information security will meet the new requirements.

This means that if you are looking to renew your current ISO 27001 certification, you don't need to do anything beyond making sure that your processes still align with the new standard.

If however, you’re starting from scratch, then you’ll need to put some thought into how your company can be prepared for cyber attacks and other threats to its information assets.

The main thing is that it’s important to treat cyber risks seriously enough so that they’re managed as part of your overall business strategy rather than being treated as a separate issue by IT or security departments alone.

How ISMS.Online Helps

The ISMS.Online platform helps with all aspects of implementing ISO 27002, from managing risk assessment activities through to developing policies, procedures and guidelines for complying with the standard’s requirements.

It provides a way to document your findings and communicate them with your team members online. ISMS.Online also allows you to create and save checklists for all of the tasks involved in implementing ISO 27002, so that you can easily track the progress of your organisation’s security program.

With its automated tool set, ISMS.Online makes it easy for organisations to demonstrate compliance with the ISO 27002 standard.

Contact us today to schedule a demo.

New Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.7 | New | Threat intelligence
5.23 | New | Information security for use of cloud services
5.30 | New | ICT readiness for business continuity
7.4 | New | Physical security monitoring
8.9 | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.16 | New | Monitoring activities
8.23 | New | Web filtering
8.28 | New | Secure coding

Organisational Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.1 | 05.1.1, 05.1.2 | Policies for information security
5.2 | 06.1.1 | Information security roles and responsibilities
5.3 | 06.1.2 | Segregation of duties
5.4 | 07.2.1 | Management responsibilities
5.5 | 06.1.3 | Contact with authorities
5.6 | 06.1.4 | Contact with special interest groups
5.7 | New | Threat intelligence
5.8 | 06.1.5, 14.1.1 | Information security in project management
5.9 | 08.1.1, 08.1.2 | Inventory of information and other associated assets
5.10 | 08.1.3, 08.2.3 | Acceptable use of information and other associated assets
5.11 | 08.1.4 | Return of assets
5.12 | 08.2.1 | Classification of information
5.13 | 08.2.2 | Labelling of information
5.14 | 13.2.1, 13.2.2, 13.2.3 | Information transfer
5.15 | 09.1.1, 09.1.2 | Access control
5.16 | 09.2.1 | Identity management
5.17 | 09.2.4, 09.3.1, 09.4.3 | Authentication information
5.18 | 09.2.2, 09.2.5, 09.2.6 | Access rights
5.19 | 15.1.1 | Information security in supplier relationships
5.20 | 15.1.2 | Addressing information security within supplier agreements
5.21 | 15.1.3 | Managing information security in the ICT supply chain
5.22 | 15.2.1, 15.2.2 | Monitoring, review and change management of supplier services
5.23 | New | Information security for use of cloud services
5.24 | 16.1.1 | Information security incident management planning and preparation
5.25 | 16.1.4 | Assessment and decision on information security events
5.26 | 16.1.5 | Response to information security incidents
5.27 | 16.1.6 | Learning from information security incidents
5.28 | 16.1.7 | Collection of evidence
5.29 | 17.1.1, 17.1.2, 17.1.3 | Information security during disruption
5.30 | New | ICT readiness for business continuity
5.31 | 18.1.1, 18.1.5 | Legal, statutory, regulatory and contractual requirements
5.32 | 18.1.2 | Intellectual property rights
5.33 | 18.1.3 | Protection of records
5.34 | 18.1.4 | Privacy and protection of PII
5.35 | 18.2.1 | Independent review of information security
5.36 | 18.2.2, 18.2.3 | Compliance with policies, rules and standards for information security
5.37 | 12.1.1 | Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
6.1 | 07.1.1 | Screening
6.2 | 07.1.2 | Terms and conditions of employment
6.3 | 07.2.2 | Information security awareness, education and training
6.4 | 07.2.3 | Disciplinary process
6.5 | 07.3.1 | Responsibilities after termination or change of employment
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements
6.7 | 06.2.2 | Remote working
6.8 | 16.1.2, 16.1.3 | Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
7.1 | 11.1.1 | Physical security perimeters
7.2 | 11.1.2, 11.1.6 | Physical entry
7.3 | 11.1.3 | Securing offices, rooms and facilities
7.4 | New | Physical security monitoring
7.5 | 11.1.4 | Protecting against physical and environmental threats
7.6 | 11.1.5 | Working in secure areas
7.7 | 11.2.9 | Clear desk and clear screen
7.8 | 11.2.1 | Equipment siting and protection
7.9 | 11.2.6 | Security of assets off-premises
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media
7.11 | 11.2.2 | Supporting utilities
7.12 | 11.2.3 | Cabling security
7.13 | 11.2.4 | Equipment maintenance
7.14 | 11.2.7 | Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
8.1 | 06.2.1, 11.2.8 | User endpoint devices
8.2 | 09.2.3 | Privileged access rights
8.3 | 09.4.1 | Information access restriction
8.4 | 09.4.5 | Access to source code
8.5 | 09.4.2 | Secure authentication
8.6 | 12.1.3 | Capacity management
8.7 | 12.2.1 | Protection against malware
8.8 | 12.6.1, 18.2.3 | Management of technical vulnerabilities
8.9 | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.13 | 12.3.1 | Information backup
8.14 | 17.2.1 | Redundancy of information processing facilities
8.15 | 12.4.1, 12.4.2, 12.4.3 | Logging
8.16 | New | Monitoring activities
8.17 | 12.4.4 | Clock synchronization
8.18 | 09.4.4 | Use of privileged utility programs
8.19 | 12.5.1, 12.6.2 | Installation of software on operational systems
8.20 | 13.1.1 | Networks security
8.21 | 13.1.2 | Security of network services
8.22 | 13.1.3 | Segregation of networks
8.23 | New | Web filtering
8.24 | 10.1.1, 10.1.2 | Use of cryptography
8.25 | 14.2.1 | Secure development life cycle
8.26 | 14.1.2, 14.1.3 | Application security requirements
8.27 | 14.2.5 | Secure system architecture and engineering principles
8.28 | New | Secure coding
8.29 | 14.2.8, 14.2.9 | Security testing in development and acceptance
8.30 | 14.2.7 | Outsourced development
8.31 | 12.1.4, 14.2.6 | Separation of development, test and production environments
8.32 | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change management
8.33 | 14.3.1 | Test information
8.34 | 12.7.1 | Protection of information systems during audit testing