ISO 27701 Compliance: Managing Mobile Devices & Remote Work Risks

Mobile devices and remote working are fast becoming part and parcel of the modern workplace.

Organisations need to ensure that all manner of devices are covered under a blanket end user device policy that takes into consideration the nature of the device, how it will be used in conjunction with PII, how it is managed by the organisation and what the end user’s obligations are whilst using the device.

ISO asks organisations to categorise endpoint devices in two ways:

  1. Devices that are to be used within the confines of the organisation’s network and physical premises.
  2. Devices that are used both inside and outside of the organisation’s LAN and physical premises.

What’s Covered in ISO 27701 Clause 6.3.2

Clause 6.3.2 covers two key aspects of what was previously known as ‘teleworking’, but is now more commonly known as ‘remote working’ – device management and generalised remote working principles.

Clause 6.3.2 breaks these down into two sub-clauses, each drawing its guidance from a linked control in ISO 27002 that deals with organisational data security:

  1. ISO 27701 6.3.2.1 – Mobile devices and teleworking (References ISO 27002 Control 8.1)
  2. ISO 27701 6.3.2.2 – Teleworking (References ISO 27002 Control 6.7)

Sub-clause 6.3.2.1 contains further guidance on the applicable areas of GDPR legislation.

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.

Neither sub-clause contains any additional guidance towards establishing or maintaining a PIMS within the context of remote working or user device management.



ISO 27701 Clause 6.3.2.1 – Mobile Device Policies

References ISO 27002 Control 8.1

Organisations should implement topic-specific policies that deal with the different categories of endpoint devices and mobile device software versions, and set out how security controls should be tailored towards improving data security.

An organisation’s mobile device policy, procedures and supporting security measures should take into account:

  1. The different categories of data that the device can both process and store.
  2. How devices are registered and identified on the network.
  3. How devices are going to be physically protected.
  4. Any limitations on applications and software installations.
  5. Remote management, including updates and patches.
  6. User access controls, including RBAC if required.
  7. Encryption.
  8. Antimalware countermeasures (managed or unmanaged).
  9. Backup and disaster recovery (BUDR).
  10. Browsing restrictions.
  11. User analytics (see ISO 27002 Control 8.16).
  12. The installation, use and remote management of removable storage devices or removable peripheral devices.
  13. How to segregate data on the device, so that PII is partitioned off from standard device data (including the user’s personal data). This includes considering whether or not it is appropriate to store any kind of organisational data on the physical device, rather than using the device to provide online access to it.
  14. What happens when a device is lost or stolen – i.e. addressing any legal, regulatory or contractual requirements, and dealing with the organisation’s insurers.

Individual User Responsibility

Everyone in the organisation who uses remote access needs to be made explicitly aware of any mobile device policy and procedures that apply to them within the context of secure endpoint device management.

Users should be instructed to:

  1. Close any active working sessions when they’re no longer in use.
  2. Implement physical and digital protection controls, as is required by the policy.
  3. Be mindful of their physical surroundings – and the inherent security risks they contain – when accessing secure data using the device.

Bring Your Own Device (BYOD)

Organisations who allow personnel to use personally owned devices should also consider the following security controls:

  • Installing software on the device (including mobile phones) that assists in the separation of business and personal data.
  • Enforcing a BYOD policy that includes:
    • Acknowledgement of organisational ownership of PII.
    • Physical and digital protection measures (see above).
    • Remote deletion of data.
    • Any measures that ensure alignment with PII legislation and regulatory guidance.
  • IP rights, concerning company ownership of anything that has been produced on a personal device.
  • Organisational access to the device – either for privacy protection purposes, or to comply with an internal or external investigation.
  • EULAs and software licensing that may be affected by the use of commercial software on a privately owned device.

Wireless Configurations

When drafting procedures that deal with wireless connectivity on endpoint devices, organisations should:

  • Carefully consider how such devices should be allowed to connect to wireless networks for Internet access, for the purposes of safeguarding PII.
  • Ensure that wireless connections have sufficient capacity to facilitate backups or any other topic-specific functions.

Relevant ISO 27002 Controls

  • ISO 27002 control 8.9 – Configuration Management
  • ISO 27002 control 8.16 – Monitoring activities

Applicable GDPR Articles

  • Article 5 – (1)(f)




ISO 27701 Clause 6.3.2.2 – Teleworking

References ISO 27002 Control 6.7

As with user device management, remote working policies should be topic-specific, and related to the different roles carried out within the organisation.

When formulating remote working policies, organisations should consider:

  • Any potential risks affecting the physical security and information security of devices at specific remote working locations, including access by unauthorised personnel.
  • Controls that protect business data, including transportation security, clear desk policies, secure printing, antimalware platforms, firewalls etc.
  • A categorical list of accepted remote working locations, including public areas such as hotels, public meeting rooms and teleworking sites.
  • How the device is going to communicate with the organisation’s network (VPN parameters etc.), as related to the category of data being transferred and the nature of the organisation’s PII operations.
  • Virtual desktop environments.
  • Wireless security protocols and the underlying security risks prevalent in home or public networks.
  • Remote management of devices (remote disabling, installations, data deletion etc).
  • Authentication methods, more specifically, the use of MFA.

To improve privacy protection and safeguard PII, general and topic-specific remote working policies should include:

  1. The supply of adequate equipment (ICT equipment and physical storage measures), where such equipment doesn’t exist in the remote working environment.
  2. Clear guidelines on the kind of work that is allowed to be carried out, and what systems, data and applications that are able to be accessed remotely.
  3. Training programs that govern remote working, both in terms of the devices used and what’s expected of remote workers from a practical and contractual perspective.
  4. Measures that offer granular remote management of endpoint devices, including screen lock functionality, GPS tracking and remote auditing.
  5. Physical security measures that govern the use of organisation-owned and user-owned kit offsite, including third party access.
  6. Insurance cover.
  7. A remote working-specific BUDR plan, including business continuity controls.
  8. Procedures that outline how remote user access is restricted or revoked as is necessary.

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Requirement | Associated GDPR Articles
6.3.2.1 | Mobile Device Policy | 8.1 – User Endpoint Devices for ISO 27002 | Article (5)
6.3.2.2 | Teleworking | 6.7 – Remote Working for ISO 27002 | None

How ISMS.online Helps

At ISMS.online we can incorporate supply chain information security management into your ISMS.

Quick and practical performance metrics can also be used to monitor the progress of your suppliers and other third-party partnerships.

Use ISMS.online Clusters to get the whole supply chain together in one location for clarity, insight, and control.

Find out more and get a hands on demonstration by booking a demo.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.