Mobile devices and remote working are fast becoming part and parcel of the modern workplace.
Organisations need to ensure that all manner of devices are covered under a blanket end user device policy that takes into consideration the nature of the device, how it will be used in conjunction with PII, how it is managed by the organisation and what the end user’s obligations are whilst using the device.
ISO asks organisations to categorise endpoint devices in two ways:
Clause 6.3.2 covers two key aspects of what was previously known as ‘teleworking’, but is now more commonly known as ‘remote working’ – device management and generalised remote working principles.
Clause 6.3.2 breaks these down into two subclauses, containing guidance from two linked subclauses that deal with organisational data security in ISO 27002:
Sub-clause 6.3.2.1 contains further guidance on the applicable areas of GDPR legislation.
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.
Neither sub-clause contains any additional guidance towards establishing or maintaining a PIMS within the context of remote working or user device management.
Organisations should implement topic-specific policies that deal with different categories of endpoint devices and mobile device software versions, and with how security controls should be tailored to improve data security.
An organisation’s mobile device policy, procedures and supporting security measures should take into account:
Everyone in the organisation who uses remote access needs to be made explicitly aware of any mobile device policy and procedures that apply to them within the context of secure endpoint device management.
Users should be instructed to:
Organisations that allow personnel to use personally owned devices should also consider the following security controls:
When drafting procedures that deal with wireless connectivity on endpoint devices, organisations should:
As with user device management, remote working policies should be topic-specific, and related to the different roles carried out within the organisation.
When formulating remote working policies, organisations should consider:
To improve privacy protection and safeguard PII, general and topic-specific remote working policies should include:
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
|---|---|---|---|
| 6.3.2.1 | Mobile Device Policy | 8.1 – User Endpoint Devices for ISO 27002 | Article (5) |
| 6.3.2.2 | Teleworking | 6.7 – Remote Working for ISO 27002 | None |