What does “ISO 27001 A.6.7: remote work” require from your organization?

A.6.7 requires organizations to take measures to securely access information outside the office. This also applies to working from home, flexible working, teleworking or working from a coffee shop (remote). Think about:

‍

🛡️ Technique that helps

• Use a VPN or virtual desktop environment
• Mandatory 2FA (Two-Factor Authentication)
• Don't store files locally on private devices
• Protect devices with firewall, anti-malware, and endpoint protection (EDR)

‍

📱 Device Management

• Use Mobile Device Management (MDM) for central control
• Enable automatic screen lock and inactivity timers
• Encrypt laptops with BitLocker or FileVault
• Make sure you can remotely wipe or block devices in case of theft

‍

🏠 Physical home office

• Don't leave documents lying around
• Use lockable cabinets
• Restrict access for roommates or visitors

‍

📘 Organizational policy

• Set up a clear “remote work policy”
• Control who has access to what
• Provide an incident procedure
• Train employees to work safely remotely

‍

🧠 Awareness

Even with the best tools, things go wrong when employees don't know what they shouldn't do. For example:

• Share a file with a personal Google Drive account
• Working on the family laptop “because business is slow”
• Forget to lock the screen with roommates in the neighborhood

‍

Awareness is not a one-off training, but something you should keep alive:

• Short microlearnings (Guardey) or e-learning modules
• Campaigns around current threats (such as phishing)
• Concrete rules of conduct: “No work via public Wi-Fi without a VPN”

‍

Make it safe and workable

No one is waiting for redundant rules or difficult hassles. Fortunately, working safely remotely doesn't have to be complicated. A well-designed system makes it easy and safe for employees to do their work. Think about:

‍

✔️ Automatic screen lock

‍

For example, if an employee gets a coffee, the screen locks automatically after 5 minutes. This prevents someone else from secretly watching.

‍

✔️ Central logging and monitoring

‍

For example, if someone logs in from abroad at 3:00 a.m., IT automatically gets a notification. In this way, suspicious actions can be investigated quickly.

‍

✔️ Can remotely wipe devices in case of loss

‍

For example, if an employee loses their laptop on the train, IT can remotely wipe the device. This way, company data remains protected.

‍

✔️ Regular awareness training courses

‍

For example, employees receive short training and a phishing test every quarter. This way, they stay alert to digital threats.

‍

✔️ Working with pre-approved tools and storage locations

‍

For example, files may only be stored in OneDrive or SharePoint. Tools like Dropbox or USB sticks are blocked.

‍

What can you do now?

✅ Establish a Remote Work Security Policy

✅ Let your employees know what they can and cannot do

✅ Use technical tools to restrict and monitor access

‍

Do you want advice about this or take a look at your policy? Schedule an informal consultation, we are happy to think along with you!

‍