A.6.7 — Is remote working covered by a documented policy, technical controls and training? (2022; renumbered from A.6.2.2 Teleworking in the 2013 edition)
Demonstrate that the organization has implemented and maintains a complete remote working security program comprising documented policies, enforced technical safeguards, and delivered training that collectively protect organizational assets accessed from remote locations.
Description
What this control does
This control requires organizations to establish and maintain a comprehensive remote working security framework consisting of three pillars: a documented policy defining requirements and responsibilities, technical controls (VPN, endpoint security, MFA, encryption) enforcing those requirements, and training programs ensuring remote workers understand secure practices. The policy must address acceptable use, device management, data handling, physical security of remote workspaces, and incident reporting procedures. This control recognizes the expanded attack surface and reduced physical security oversight inherent in remote work arrangements, requiring a coordinated approach across governance, technology, and human factors.
Control objective
What auditing this proves
Demonstrate that the organization has implemented and maintains a complete remote working security program comprising documented policies, enforced technical safeguards, and delivered training that collectively protect organizational assets accessed from remote locations.
Associated risks
Risks this control addresses
- Unauthorized access to corporate resources via unsecured home networks or public Wi-Fi without adequate encryption or VPN protection
- Data exfiltration or loss through unmanaged personal devices lacking endpoint protection, disk encryption, or mobile device management controls
- Credential theft via phishing or man-in-the-middle attacks targeting remote workers who lack awareness of threats specific to remote environments
- Shoulder-surfing or visual eavesdropping in public spaces or shared home environments where remote workers handle sensitive information
- Compromise of unpatched or misconfigured remote endpoints that lack centralized security monitoring and vulnerability management
- Policy violations due to remote workers' lack of awareness regarding acceptable use, data classification handling, or incident reporting procedures
- Insider threat exploitation where remote workers bypass security controls due to inadequate technical enforcement or audit logging of remote activities
Testing procedure
How an auditor verifies this control
- Obtain and review the current remote working policy document, verifying it includes sections addressing acceptable use, device requirements, network security, data handling, physical security, and incident response procedures specific to remote work scenarios.
- Interview HR and security teams to confirm the policy approval date, distribution methods, and acknowledgment tracking mechanisms for remote workers.
- Select a sample of 15-20 active remote workers across departments and review their policy acknowledgment records and training completion status.
- Inventory technical controls deployed for remote access including VPN configurations, endpoint security solutions, MFA implementations, and data loss prevention tools, documenting version numbers and coverage scope.
- Test remote access authentication by simulating connection attempts, verifying MFA enforcement, session timeout configurations, and network segmentation for remote users.
- Review endpoint compliance reports for the sampled remote workers, checking for encryption status, patch levels, antivirus definitions, and mobile device management enrollment where applicable.
- Examine training materials and delivery records specific to remote working security, verifying content covers phishing awareness, secure home network setup, physical security practices, and policy requirements.
- Review security monitoring logs for remote access sessions over a 30-day period, verifying logging completeness, anomaly detection capabilities, and incident response procedures for remote worker security events.
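The three evidence-based steps above (authentication and session testing, endpoint compliance review, and log review) can be checked mechanically once the VPN or identity-provider logs and the MDM compliance export are in hand. The following is an added example, not part of the original page and not any vendor's tooling: it runs a set of auditor checks over a constructed JSON-lines session log and a constructed endpoint report. The field names (`mfa`, `src_country`, `session_id`, `disk_encrypted`, `last_patch`, `mdm_enrolled`), the thresholds, and the user names are all assumptions chosen for illustration; a real engagement would map them to the organization's own export formats and policy values.

```python
"""Auditor checks for remote-access evidence (added example; hypothetical log schema)."""
import json
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone

# Constructed sample: VPN / IdP session events as JSON lines. Field names are assumed.
VPN_LOG = """
{"ts":"2024-03-01T08:02:11Z","user":"alice","event":"login","mfa":"push","src_country":"GB","session_id":"s1"}
{"ts":"2024-03-01T16:40:00Z","user":"alice","event":"logout","session_id":"s1"}
{"ts":"2024-03-01T09:15:30Z","user":"bob","event":"login","mfa":"none","src_country":"GB","session_id":"s2"}
{"ts":"2024-03-02T23:59:00Z","user":"bob","event":"logout","session_id":"s2"}
{"ts":"2024-03-01T10:00:00Z","user":"carol","event":"login","mfa":"totp","src_country":"GB","session_id":"s3"}
{"ts":"2024-03-01T10:20:00Z","user":"carol","event":"logout","session_id":"s3"}
{"ts":"2024-03-01T10:25:00Z","user":"carol","event":"login","mfa":"totp","src_country":"BR","session_id":"s4"}
{"ts":"2024-03-01T12:00:00Z","user":"carol","event":"logout","session_id":"s4"}
"""

# Constructed sample: MDM / endpoint compliance export for the sampled workers (assumed schema).
ENDPOINTS = [
    {"user": "alice", "disk_encrypted": True,  "last_patch": "2024-02-20", "mdm_enrolled": True},
    {"user": "bob",   "disk_encrypted": False, "last_patch": "2023-11-02", "mdm_enrolled": True},
    {"user": "carol", "disk_encrypted": True,  "last_patch": "2024-02-28", "mdm_enrolled": False},
]

# Policy thresholds: assumptions for this example, not values from the standard.
MAX_SESSION = timedelta(hours=12)      # idle/absolute timeout the policy is expected to enforce
MAX_PATCH_AGE = timedelta(days=30)     # acceptable age of the last applied patch
TRAVEL_WINDOW = timedelta(hours=2)     # two countries inside this window is "impossible travel"
AS_OF = date(2024, 3, 3)               # date the audit evidence was pulled


def parse_ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_log(text):
    """Load JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def session_findings(events):
    """Check MFA enforcement, session timeout, logging completeness and impossible travel."""
    findings = []
    logins = {e["session_id"]: e for e in events if e["event"] == "login"}
    logouts = {e["session_id"]: e for e in events if e["event"] == "logout"}
    for sid, login in logins.items():
        if login.get("mfa", "none") == "none":
            findings.append(("NO_MFA", login["user"], sid))
        end = logouts.get(sid)
        if end is None:                       # a login with no matching logout: log is incomplete
            findings.append(("NO_LOGOUT_RECORD", login["user"], sid))
        elif parse_ts(end["ts"]) - parse_ts(login["ts"]) > MAX_SESSION:
            findings.append(("SESSION_TIMEOUT_NOT_ENFORCED", login["user"], sid))
    # Impossible travel: consecutive logins by one user from different countries within the window.
    by_user = defaultdict(list)
    for login in logins.values():
        by_user[login["user"]].append(login)
    for user, user_logins in by_user.items():
        user_logins.sort(key=lambda e: parse_ts(e["ts"]))
        for a, b in zip(user_logins, user_logins[1:]):
            if a["src_country"] != b["src_country"] and parse_ts(b["ts"]) - parse_ts(a["ts"]) <= TRAVEL_WINDOW:
                findings.append(("IMPOSSIBLE_TRAVEL", user, b["session_id"]))
    return findings


def endpoint_findings(endpoints, sampled_users, as_of=AS_OF):
    """Check encryption, patch age and MDM enrolment for each sampled worker; flag missing coverage."""
    by_user = {rec["user"]: rec for rec in endpoints}
    findings = []
    for user in sampled_users:
        rec = by_user.get(user)
        if rec is None:                       # sampled worker absent from the report: coverage gap
            findings.append(("NOT_IN_ENDPOINT_REPORT", user))
            continue
        if not rec["disk_encrypted"]:
            findings.append(("DISK_NOT_ENCRYPTED", user))
        if as_of - date.fromisoformat(rec["last_patch"]) > MAX_PATCH_AGE:
            findings.append(("PATCH_OVERDUE", user))
        if not rec["mdm_enrolled"]:
            findings.append(("NOT_MDM_ENROLLED", user))
    return findings


if __name__ == "__main__":
    sample = ["alice", "bob", "carol", "dave"]   # "dave" is sampled but has no endpoint record
    for f in session_findings(parse_log(VPN_LOG)) + endpoint_findings(ENDPOINTS, sample):
        print(*f)
```

Each finding maps back to a testing step: `NO_MFA` and `SESSION_TIMEOUT_NOT_ENFORCED` to the authentication test, `NO_LOGOUT_RECORD` and `IMPOSSIBLE_TRAVEL` to the 30-day log review, and the endpoint codes to the compliance-report check. The `NOT_IN_ENDPOINT_REPORT` case is the one auditors most often miss: a clean compliance report proves nothing about workers it does not cover, so always reconcile the sample list against the report before reading its contents.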