AuditFront

ISO 27001 A.6.7: Remote working

What This Control Requires

Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises.

In Plain Language

Remote work is the norm now, but it means your data is being accessed from kitchen tables, coffee shops, airport lounges, and co-working spaces - all outside the controlled environment of your office. The security risks are real and varied: unsecured home networks, shared living spaces where screens can be seen, personal devices, stolen laptops, and reduced visibility of what users are doing.

This control covers all forms of working outside the office - regular home-based work, occasional WFH, working while travelling, client sites, co-working spaces, and using mobile devices to access organisational information from anywhere.

The goal is not to make remote work difficult, but to make it safe. You need security measures that address the specific risks of each scenario while still letting people be productive.

How to Implement

Write a remote working security policy covering who is authorised to work remotely, what information can be accessed, the security requirements for remote environments, and which tools and technologies are approved for remote access.

Get the technical controls right. Require VPN connections for accessing internal networks. Enforce multi-factor authentication on all remote access without exception. Deploy EDR tools on every remote device. Mandate full-disk encryption on laptops and mobile devices. Use MDM for both company-owned and BYOD devices. Put cloud access security controls in place for cloud-based applications.

Set physical security expectations for remote environments. You cannot control someone's home the way you control an office, but you can instruct people to use a private workspace where screens are not visible to others, lock devices when stepping away, keep physical documents secure, use privacy screens in public spaces, avoid sensitive calls in public, and store equipment securely when not in use.

Address network security. Advise staff on securing home Wi-Fi (WPA3, strong passwords, updated firmware). Consider providing mobile hotspots as an alternative to untrusted networks. Be careful with split-tunneling policies and understand the security versus performance trade-offs. Block or restrict access from known-risky network locations.

Put data protection measures in place. Define what can be stored locally versus accessed only through remote sessions. Deploy DLP on remote endpoints. Restrict removable media use. Ensure you can remotely wipe organisational data from personal devices if needed. Provide clear guidance on printing sensitive documents at home, or restrict it entirely.

Sort out equipment and support. Decide whether you provide equipment or allow BYOD, and set minimum security standards for either. Make sure remote workers have clear channels to report security incidents and that IT support is accessible for security issues.

Evidence Your Auditor Will Request

  • Remote working security policy with defined rules and requirements
  • VPN and remote access configuration showing MFA enforcement
  • Endpoint security configuration for remote devices including encryption and EDR
  • MDM or endpoint management records showing compliance of remote devices
  • Training records showing personnel have been trained on remote working security

Common Mistakes

  • No formal remote working security policy despite widespread remote working
  • Remote access does not require multi-factor authentication
  • Endpoint encryption is not enforced on all remote devices
  • No guidance provided to personnel on securing their home working environment
  • BYOD devices are used without any management or security controls

Related Controls Across Frameworks

Framework   Control ID      Relationship
SOC 2       CC6.1           Partial overlap
SOC 2       CC6.6           Related
GDPR        Art.32          Related
NIS2        Art.21(2)(a)    Partial overlap

Frequently Asked Questions

Should we provide separate equipment for remote working?
Company-provided equipment gives you far better control over security configurations and reduces risk significantly. If you allow BYOD, invest in strong MDM controls, require security baselines (encryption, endpoint protection, patching), and use containerisation or VDI to keep organisational and personal data separate. The right answer depends on your risk tolerance, budget, and the sensitivity of the data being accessed - but company-owned devices are almost always the safer choice.

How do we monitor security compliance for remote workers?
Use endpoint management tools to verify device compliance - encryption, patching, endpoint protection. Set up conditional access policies that check device health before granting access. Monitor VPN and remote access logs for anomalies. Run periodic self-assessment surveys for remote workers and include remote working security in your compliance audits. Just be mindful of the balance between monitoring and employee privacy - make sure you comply with employee monitoring laws in your jurisdiction.
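The device-health check that conditional access relies on, and the VPN log review the answer above describes, can be expressed together as a small posture check against the baseline listed under "How to Implement" (MDM enrolment, full-disk encryption, EDR, patching, MFA on every remote session). This is an added example, not AuditFront's code; the device inventory schema, the VPN log format and all device IDs, users and dates are constructed assumptions.

```python
# Added example, not AuditFront's code. Schema, log format and values are assumed.
from datetime import date

# Constructed device inventory, as an MDM export might provide it (assumed schema).
DEVICES = {
    "LT-0417": {"managed": True, "disk_encrypted": True, "edr_running": True,
                "last_patch": date(2024, 5, 20)},
    "LT-0522": {"managed": True, "disk_encrypted": False, "edr_running": True,
                "last_patch": date(2024, 5, 28)},
    "BYOD-07": {"managed": False, "disk_encrypted": True, "edr_running": False,
                "last_patch": date(2024, 2, 1)},
}
MAX_PATCH_AGE_DAYS = 30          # baseline: patched within the last 30 days
AS_OF = date(2024, 6, 1)         # constructed "today" for the patch-age check

def posture_failures(device, today):
    """Return the baseline checks a device fails (empty list = compliant)."""
    checks = [
        (device["managed"], "not enrolled in MDM"),
        (device["disk_encrypted"], "full-disk encryption off"),
        (device["edr_running"], "EDR not running"),
        ((today - device["last_patch"]).days <= MAX_PATCH_AGE_DAYS,
         f"patches older than {MAX_PATCH_AGE_DAYS} days"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed VPN log lines (assumed format): timestamp user device mfa=yes|no src=ip
VPN_LOG = """\
2024-06-01T08:02:11Z alice LT-0417 mfa=yes src=203.0.113.10
2024-06-01T08:05:43Z bob LT-0522 mfa=yes src=198.51.100.7
2024-06-01T08:09:02Z carol BYOD-07 mfa=no src=192.0.2.55
2024-06-01T08:11:30Z alice LT-0417 mfa=no src=203.0.113.10
"""

def review_sessions(log_text, devices, today):
    """Return (user, device, reasons) for every session that should be denied."""
    findings = []
    for line in log_text.splitlines():
        _ts, user, dev_id, mfa, _src = line.split()
        reasons = [] if mfa == "mfa=yes" else ["no MFA"]
        device = devices.get(dev_id)
        # An unknown device is treated as non-compliant, not silently allowed.
        reasons += posture_failures(device, today) if device else ["unknown device"]
        if reasons:
            findings.append((user, dev_id, reasons))
    return findings

if __name__ == "__main__":
    for user, dev, why in review_sessions(VPN_LOG, DEVICES, AS_OF):
        print(f"DENY {user}@{dev}: {', '.join(why)}")
```

The same check run against a real MDM export and VPN log gives the auditor evidence that MFA enforcement and the endpoint baseline are actually verified, not just written into policy.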
