Control 6.7, Remote Working, is a control in the revised ISO 27002:2022. It recommends that organisations have a policy on remote working, as well as an information security management system that includes procedures for securing remote access to information systems and networks.
Remote working has become more common as technology has developed and it is now possible for employees to work from home without damaging productivity or efficiency. However, it can also raise some concerns about data security.
If you’re a business owner, you’ll want to know how to protect your intellectual property against cyber criminals and ensure that your data is safe from hackers.
Here are some information security implications of remote working:
Remote working can be advantageous because it gives personnel easier access to the information and systems they need. However, it also carries several security implications.
Remote working, if not properly managed, can be susceptible to security risks such as hacking, malware attacks, unauthorised access, and others. This is especially true when employees are not physically in a secure environment.
Remote working can also impact the physical security of a business. This is because it can mean that employees are no longer physically located in an office or building and, thus, may not be as likely to see or hear suspicious activity.
Remote working can also pose risks to confidentiality. For example, employees can access confidential information remotely, and may do so without the company's consent.
Also, employees can easily access sensitive company information on the public internet. In fact, there are even websites where employees can upload sensitive information for everyone to see.
Remote working can also impact the privacy of an organisation. For example, if employees are working from home, they may be more likely to leave their personal belongings lying around.
These belongings may contain sensitive information that could compromise the privacy of a company.
Remote working can also pose a risk to a business's data. For example, employees can remotely access company data that may be stored in a variety of locations.
This can include data on computers, servers, and mobile devices. If the employee leaves the office and takes the device, it can be more difficult to recover the data.
Also, the employee can make a mistake or do something malicious with the device, which can compromise the data.
Attributes are used to categorise controls. By using attributes, you can quickly match a control with widely used industry terms and specifications.
Attributes for control 6.7 are as seen below.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset Management #Information Protection #Physical Security #System and Network Security | #Protection |
The purpose of Control 6.7 is to ensure that personnel working remotely have adequate access controls in place to protect the confidentiality, integrity and availability of sensitive or proprietary information, processes and systems from unauthorised access or disclosure by unauthorised individuals.
To ensure the security of information when personnel are working remotely, organisations should issue a topic-specific policy on remote working that defines the relevant conditions and restrictions for information security. The policy should be distributed to all staff and include guidance on how they can use remote access technologies safely and securely.
A topic-specific policy like this will likely cover:
In addition to these basic requirements, it is also important to have a clearly defined procedure for reporting incidents, including the appropriate contact details. This can help reduce the risk of breaches and other security incidents occurring in the first place.
The policy may also need to address issues such as encryption, firewalls and antivirus software updates as well as employee training about how to use remote connectivity safely.
In order to meet the requirements for control 6.7, organisations allowing remote working activities should issue a topic-specific policy on remote working that defines the relevant conditions and restrictions.
The policy should be reviewed regularly, particularly when there is any change in technology or legislation.
The policy should be communicated to all employees, contractors and other parties involved in remote working activities.
The policy should be documented and made available to any relevant third party, including regulators and auditors.
Organisations must also ensure that they have adequate measures in place to protect sensitive or confidential information transmitted or stored electronically during remote working activities.
In line with the provisions of control 6.7, the following matters should be considered:
The guidelines and measures to be considered should include:
Control 6.7 in ISO 27002:2022 is a modified version of control 6.2.2 in ISO 27002:2013 and is not a new control.
While these two controls share many characteristics, they differ somewhat in nomenclature and wording. The control name, for example, is not the same: control 6.2.2 in ISO 27002:2013 is referred to as teleworking, whereas control 6.7 refers to it as remote working, the term that replaced teleworking in the new version of the standard.
In control 6.7, ISO 27002:2022, the standard defines what remote working is, and the types of work that can qualify as remote working. This includes teleworking, which is the original control name in the 2013 version of the standard.
The implementation guidelines are broadly similar even though the language and terms are different. The 2022 version uses more user-friendly language so that users of the standard can understand what they are being asked to do.
That said, some points were added in control 6.7 and some removed from control 6.2.2.
Furthermore, the ISO 27002 version 2022 provides statements of purpose and attribute tables for each control, which assist users in better understanding and implementing the controls.
The 2013 version does not have these two parts.
The primary responsibility for creating an information security policy for remote workers lies with the organisation’s information security officer. However, other stakeholders should also be involved in the process.
This includes IT managers, who are responsible for implementing and maintaining the policy, as well as HR managers, who are responsible for making sure that employees understand it and adhere to it.
If you have a vendor management program, then responsibility will depend on who is responsible for managing contractors and vendors in general. In most cases, this person would also be responsible for creating an information security policy for remote workers in that department.
ISO 27002 was not significantly changed, so you don't need to do much except check that your information security processes are in line with the upgrade.
The main change was to modify some of the controls and to clarify some of the requirements. The main effect with regard to control 6.7 is that if you outsource any of your operations to a third party or have people working remotely, you will need to ensure that they have an appropriate level of security controls in place.
If you have an existing ISO 27001 certification, then your current process for managing information security will meet the new requirements.
This means that if you are looking to renew your current ISO 27001 certification, you don't need to do anything beyond making sure that your processes still align with the new standard.
If however, you’re starting from scratch, then you’ll need to put some thought into how your company can be prepared for cyber attacks and other threats to its information assets.
The main thing is that it’s important to treat cyber risks seriously enough so that they’re managed as part of your overall business strategy rather than being treated as a separate issue by IT or security departments alone.
The ISMS.Online platform helps with all aspects of implementing ISO 27002, from managing risk assessment activities through to developing policies, procedures and guidelines for complying with the standard’s requirements.
It provides a way to document your findings and communicate them with your team members online. ISMS.Online also allows you to create and save checklists for all of the tasks involved in implementing ISO 27002, so that you can easily track the progress of your organisation’s security program.
With its automated tool set, ISMS.Online makes it easy for organisations to demonstrate compliance with the ISO 27002 standard.
Contact us today to schedule a demo.
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |