- See ISO 27002:2022 Control 6.7 for more information.
- See ISO 27001:2013 Annex A 6.2.2 for more information.
What is ISO 27001:2022 Annex A 6.7?
ISO 27001:2022 Annex A 6.7, Remote Working provides guidance on how organisations should have a policy in place to ensure secure access to information systems and networks when working remotely. It further recommends the implementation of an information security management system that includes procedures for protecting remote access.
Information Security Implications of Remote Working
Remote working has become a more widespread trend, as technology has advanced to enable employees to work remotely without affecting productivity and efficiency. Nonetheless, this comes with the potential for data security concerns.
Being a business owner, it is necessary to protect intellectual property from cyber criminals and ensure the safety of data against hackers. Taking action, one can guard against cyber-crime and guarantee the security of information.
Remote working can present a range of security risks that need to be addressed, such as:
Access Control
Remote working can be beneficial, providing greater access to confidential data and systems. Nevertheless, it does come with several security considerations.
Remote working, if not overseen correctly, can be vulnerable to security issues such as hacking, malware, unauthorised access and more. This is particularly the case if employees are not present in a secure setting.
Loss of Physical Security
Remote working can also have an effect on a business’s physical security. As staff are no longer present in the office or a building, they may not be able to detect any suspicious activities.
Confidentiality
Remote working can pose a risk to confidentiality. For instance, employees may access confidential information without permission from the company.
Employees can readily gain access to confidential corporate data from the public web. Moreover, there are even sites where staff can upload confidential data for public viewing.
Privacy
Remote working can have an effect on the privacy of an organisation. For instance, if personnel are working from home, they could be more prone to not putting away their personal belongings.
This property might hold confidential data that could jeopardise a firm’s privacy.
Data Protection
Remote working can present a danger to a business’s data. Employees can, for instance, gain access to company information remotely, and this data can be stored in multiple locations.
In the case of employees leaving the workplace and taking their device with them, retrieval of data stored on computers, servers and mobile devices may prove more challenging.
The worker may err or act in bad faith with the device, risking the security of the data.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
What Is the Purpose of ISO 27001:2022 Annex A 6.7?
The aim of ISO 27001:2022 Annex A 6.7 is to guarantee remote personnel have the necessary access controls in place to safeguard the confidentiality, integrity and availability of confidential or proprietary information, procedures and systems from unauthorised access or disclosure by unauthorised persons.
Organisations must ensure the security of information when personnel are operating remotely. Thus, they should issue a tailored policy regarding remote working that lays out the applicable conditions and limits for data security. This policy should be disseminated to all personnel, including instruction on how to utilise remote access technologies securely and safely.
This policy is likely to address:
- The conditions under which remote working is allowed.
- Processes for ensuring remote workers have access to confidential information.
- Ensuring information is safeguarded when transmitted between different physical locations entails adhering to certain procedures.
It is essential to establish a clear system for reporting incidents, including the right contact info. This can help to prevent security breaches or other incidents.
The policy should also cover encryption, firewalls, antivirus software updates and employee instruction on how to securely utilise remote connections.
What Is Involved and How to Meet the Requirements
In order to comply with Annex A 6.7, organisations offering remote work should issue a policy regarding remote working which specifies the related regulations and limits.
The policy should be assessed periodically, especially when technology or legislation alters.
All personnel, contractors and entities involved in remote working activities should be apprised of the policy.
The policy should be documented, made accessible to stakeholders, such as regulators and auditors, and kept up to date.
Organisations must make sure they have the necessary safeguards to secure sensitive or confidential info transmitted or stored electronically during remote operations.
In accordance with Annex A 6.7, the following should be taken into account:
- Consider the physical security of the remote working site, both existing and proposed, encompassing the safety of the locale, the surrounding area, and the legal systems of the regions in which staff are based.
- Secure physical environment rules, such as lockable filing cabinets, secure transport between sites, remote access regulations, clear desk, printing and disposing of data and related assets, as well as reporting on security events, must be implemented.
- The anticipated physical environments for remote working.
- Secure communications must be ensured, taking into account remote access needs of the organisation, the sensitivity of the data transferred, and the vulnerability of the systems and applications.
- Remote access, such as virtual desktop access, enables processing and storage of information on personal devices.
- The danger of unauthorised access to data or assets from individuals outside the remote workspace – such as relatives and friends – is real.
- The risk of unauthorised access to data or assets by people in public areas is a concern.
- The employment of both home and public networks, as well as rules or prohibitions related to the setup of wireless network services, is necessary.
- Employing security measures, like firewalls and anti-malware protection, is essential.
- Ensure systems can be deployed and initiated remotely with secure protocols.
- Secure authentication mechanisms must be enabled to grant access privileges, taking into account the susceptibility of single-factor authentication mechanisms when remote access to the organisation’s network is authorised.
Guidelines and measures to be taken into account should include:
- The organisation must supply suitable equipment and storage furniture for remote working activities, forbidding the use of privately-owned equipment not under its control.
- This job involves the following: defining the work permitted, classifying the info that can be held, and authorising remote workers to access internal systems and services.
- Training should be provided for those working remotely and those offering support. This should cover how to securely conduct business outside the office.
- Ensuring that suitable communication equipment is provided, such as requiring device screen locks and inactivity timers for remote access, is essential.
- Enabling device location tracking is possible.
- The installation of remote wipe capabilities is a must.
- Physical security.
- Guidelines and rules regarding family and visitor access to equipment and data must be followed.
- The business provides hardware and software support and maintenance.
- The provision of insurance.
- The protocol for data backup and continuity of operations.
- Audit and security monitoring.
- Upon termination of remote working activities, authority and access rights must be revoked and all equipment be returned.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Changes and Differences from ISO 27001:2013
ISO 27001:2022 Annex A 6.7 is an adaptation of Annex A 6.2.2 from ISO 27001:2013 and not a new element.
ISO 27001:2022 Annex A 6.7 and 6.2.2 share many similarities, though the nomenclature and wording differ. In ISO 27001:2013, 6.2.2 is referred to as teleworking, while 6.7 is known as remote working. This change is reflected in the new version of the standard, which replaces teleworking with remote working.
In Annex A 6.7 of ISO 27001:2022, the standard outlines what qualifies as remote working, including teleworking – the initial control name in the ISO 27001:2013 version.
Version 2022 of the implementation guidelines are largely similar, although the language and terms differ. To guarantee users of the standard comprehend, user-friendly language is employed.
Some additions were made in Annex A 6.7, and some deletions occurred in 6.2.2.
Added to ISO 27001:2022 Annex A 6.7 Remote Working
- Ensure physical security with lockable filing cabinets, provide secure transportation and access instructions, mandate clear desk policies, outline print/disposal protocols for info/assets, and implement an incident response system.
- It is anticipated that people will be working remotely. Physical circumstances are expected.
- The risk of unauthorised access to information or resources from strangers in public areas.
- Secure methods for remote deployment and setup of systems.
- Secure mechanisms are in place to authenticate and allow access privileges, taking into account the susceptibility of single-factor authentication mechanisms when remote access to the organisation’s network is enabled.
Removed From ISO 27001:2013 Annex A 6.2.2 Teleworking
- The implementation of home networks and the regulations or limitations on configuring wireless network services are necessary.
- Policies and procedures to mitigate disputes regarding rights to intellectual property developed on privately owned equipment should be instituted.
- Gaining access to privately owned machinery (to ensure its safety or for investigative purposes) may be prohibited by law.
- Organisations may be responsible for software licensing on workstations that are privately owned by either their staff or external users.
ISO 27001:2022 gives statements of purpose and attribute tables for each control, aiding users to comprehend and put into practice the controls more effectively.
The ISO 27001:2013 version lacks these two components.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
Who Is in Charge of This Process?
The primary duty of devising an information security policy for remote employees lies with the organisation’s information security officer. Nevertheless, other stakeholders should also be involved in the process.
IT and HR managers are jointly responsible for ensuring that the policy is implemented and maintained, and that employees comprehend and abide by it.
If you have a vendor management program, then it is likely the individual responsible for managing contractors and vendors will be responsible for forming a security policy for external workers in that department.
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
What Do These Changes Mean for You?
ISO 27001:2022 remains largely unchanged; thus, you simply need to ensure that your information security processes comply with the new release.
Altering some controls and clarifying certain requirements was the main change. Annex A 6.7 had the most significant effect – if you outsource operations or employ people remotely, you must make sure that they have suitable security measures.
If your organisation already holds an ISO 27001 certification, the process you employ to manage information security will satisfy the new regulations.
If you’re seeking to renew your ISO 27001 certification, you don’t need to take any action. Only ensure that your procedures still accord with the new standard.
If you are starting from the beginning, it is necessary to consider how to safeguard your company’s data and information against cyber attacks and other risks.
It is essential to take cyber risks seriously and manage them as part of the overall business plan, rather than only regarding them as a problem for IT or security departments.
How ISMS.online Help
The ISMS.online platform assists with every facet of ISO 27001:2022 implementation, from carrying out risk assessment activities to designing policies, procedures, and directives to satisfy the standard’s specifications.
ISMS.online provides a platform for documenting and sharing findings with colleagues. Furthermore, it enables you to generate and store checklists of all needed tasks for ISO 27001 implementation, allowing you to monitor your organisation’s security measures conveniently.
We provides organisations with a set of automated tools to make demonstrating compliance with ISO 27001 straightforward.
Contact us now to book a demonstration.
