ISO 27701, Clause 6.3.2 – Mobile Devices and Teleworking

ISO 27701 Controls and Clauses Explained


Mobile devices and remote working are fast becoming part and parcel of the modern workplace.

Organisations need to ensure that all manner of devices are covered by a blanket end user device policy that takes into account the nature of the device, how it will be used in conjunction with PII, how it is managed by the organisation and what the end user’s obligations are whilst using the device.

ISO asks organisations to split endpoint devices into two categories:

  1. Devices that are to be used within the confines of the organisation’s network and physical premises.
  2. Devices that are used both inside and outside of the organisation’s LAN and physical premises.

What’s Covered in ISO 27701 Clause 6.3.2

Clause 6.3.2 covers two key aspects of what was previously known as ‘teleworking’, but is now more commonly known as ‘remote working’: device management and general remote working principles.

Clause 6.3.2 is split into two sub-clauses, each of which draws its guidance from a linked control in ISO 27002:

  1. ISO 27701 6.3.2.1 – Mobile device policy (references ISO 27002 Control 8.1)
  2. ISO 27701 6.3.2.2 – Teleworking (references ISO 27002 Control 6.7)

Sub-clause 6.3.2.1 contains further guidance on the applicable areas of GDPR legislation.

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.

Neither sub-clause contains any additional guidance on establishing or maintaining a PIMS within the context of remote working or user device management.


ISO 27701 Clause 6.3.2.1 – Mobile Device Policies

References ISO 27002 Control 8.1

Organisations should implement topic-specific policies that deal with the different categories of endpoint device and mobile device software versions, and that set out how security controls should be tailored to each category in order to improve data security.

An organisation’s mobile device policy, procedures and supporting security measures should take into account:

  1. The different categories of data that the device can both process and store.
  2. How devices are registered and identified on the network.
  3. How devices are going to be physically protected.
  4. Any limitations on applications and software installations.
  5. Remote management, including updates and patches.
  6. User access controls, including RBAC if required.
  7. Encryption.
  8. Antimalware countermeasures (managed or unmanaged).
  9. Backup and disaster recovery (BUDR).
  10. Browsing restrictions.
  11. User analytics (see ISO 27002 Control 8.16).
  12. The installation, use and remote management of removable storage devices or removable peripheral devices.
  13. How to segregate data on the device, so that PII is partitioned off from standard device data (including the user’s personal data). This includes considering whether or not it is appropriate to store any kind of organisational data on the physical device, rather than using the device to provide online access to it.
  14. What happens when a device is lost or stolen – i.e. addressing any legal, regulatory or contractual requirements, and dealing with the organisation’s insurers.

Individual User Responsibility

Everyone in the organisation who uses a mobile device to access organisational systems or PII needs to be made explicitly aware of the mobile device policy and procedures that apply to them within the context of secure endpoint device management.

Users should be instructed to:

  1. Log off from, or close, any active working sessions when they are no longer in use.
  2. Implement physical and digital protection controls, as is required by the policy.
  3. Be mindful of their physical surroundings – and the inherent security risks they contain – when accessing secure data using the device.

Bring Your Own Device (BYOD)

Organisations who allow personnel to use personally owned devices should also consider the following security controls:

  • Installing software on the device (including mobile phones) that assists in the separation of business and personal data.
  • Enforcing a BYOD policy that includes:
    • Acknowledgement of organisational ownership of PII.
    • Physical and digital protection measures (see above).
    • Remote deletion of data.
    • Any measures that ensure alignment with PII legislation and regulatory guidance.
  • IP rights, concerning company ownership of anything that has been produced on a personal device.
  • Organisational access to the device, either for privacy protection purposes or to comply with an internal or external investigation.
  • EULAs and software licensing terms that may be affected by the use of commercial software on a privately owned device.

Wireless Configurations

When drafting procedures that deal with wireless connectivity on endpoint devices, organisations should:

  • Carefully consider how such devices should be allowed to connect to wireless networks for Internet access, with the safeguarding of PII in mind.
  • Ensure that wireless connections have sufficient capacity to facilitate backups or any other topic-specific functions.

Relevant ISO 27002 Controls

  • ISO 27002 control 8.9 – Configuration Management
  • ISO 27002 control 8.16 – Monitoring activities

Applicable GDPR Articles

  • Article 5 – (1)(f)


ISO 27701 Clause 6.3.2.2 – Teleworking

References ISO 27002 Control 6.7

As with user device management, remote working policies should be topic-specific, and related to the different roles carried out within the organisation.

When formulating remote working policies, organisations should consider:

  • Any potential risks affecting the physical security and information security of devices at specific remote working locations, including access by unauthorised personnel.
  • Controls that protect business data, including transportation security, clear desk policies, secure printing, antimalware platforms, firewalls etc.
  • A categorical list of accepted remote working locations, including public areas such as hotels, public meeting rooms and teleworking sites.
  • How the device is going to communicate with the organisation’s network (VPN parameters etc.), as related to the category of data being transferred and the nature of the organisation’s PII operations.
  • Virtual desktop environments.
  • Wireless security protocols and the underlying security risks prevalent in home or public networks.
  • Remote management of devices (remote disabling, installations, data deletion etc).
  • Authentication methods, more specifically, the use of MFA.

To improve privacy protection and safeguard PII, general and topic-specific remote working policies should include:

  1. The supply of adequate equipment (ICT equipment and physical storage measures), where such equipment doesn’t exist in the remote working environment.
  2. Clear guidelines on the kind of work that is allowed to be carried out, and what systems, data and applications that are able to be accessed remotely.
  3. Training programs that govern remote working, both in terms of the devices used and what’s expected of remote workers from a practical and contractual perspective.
  4. Measures that offer granular remote management of endpoint devices, including screen lock functionality, GPS tracking and remote auditing.
  5. Physical security measures that govern the use of organisation-owned and user-owned kit offsite, including third party access.
  6. Insurance cover.
  7. A remote working-specific BUDR plan, including business continuity controls.
  8. Procedures that outline how remote user access is restricted or revoked as is necessary.

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause Identifier   ISO 27701 Clause Name   ISO 27002 Control                  Associated GDPR Articles
6.3.2.1                       Mobile Device Policy    8.1 – User Endpoint Devices        Article 5(1)(f)
6.3.2.2                       Teleworking             6.7 – Remote Working               None

How ISMS.online Helps

At ISMS.online we can incorporate supply chain information security management into your ISMS.

Quick and practical performance metrics can also be used to monitor the progress of your suppliers and other third-party partnerships.

Use ISMS.online Clusters to get the whole supply chain together in one location for clarity, insight, and control.

Find out more and get a hands-on demonstration by booking a demo.
