How to Use ISO 27001 To Secure Data When Working Remotely

In the past, working from home was an option for freelancers and companies who were willing to cut operational costs and improve employee work-life balance. But COVID-19 has changed the way we work and forced many companies to adapt quickly and support remote working. They had to create a virtual work environment that allowed teleworking to be productive and keep their jobs safe, while also addressing the information security challenges of remote work.
With the help of the requirements of ISO 27001 for information security risk management, and the security controls of its Annex A, this task can become less complex and allow you to take full advantage of teleworking with the least risk.

ISO 27001 controls for remote working:
  • A 6.2.1 – Mobile device policy
  • A 6.2.2 – Teleworking
  • A 7.2.2 – Information security awareness, education and training

Remote working security challenges

Besides its many benefits, remote working has some challenges and information security risks. These include unauthorized access, breach of sensitive information, and modification or even destruction of data. Considering that employees are outside the organization’s environment, they will be using mobile devices for remote access from home or public networks, which may not have the best security controls. Insufficient information and communication policies, along with a lack of clearly defined procedures, can cause nightmares for companies, including financial loss and non-compliance with regulations such as the EU GDPR.

Which control of the ISO 27001 standard speaks about remote working?

An Information Security Management System based on ISO 27001 requirements and controls helps us to take precautions against these information security risks. ISO 27001 consists of 10 sections and reference control objectives and controls stated in Annex A of the standard. There is also another standard, ISO 27002, which is a code of practice for those controls.
ISO 27001 & remote work: How to ensure compliance?

Two of the controls from ISO 27001/ISO 27002 are dedicated to teleworking: A.6.2.1 Mobile device policy, and A.6.2.2 Teleworking.



Mobile device policy. Control A 6.2.1 states that a policy and supporting security measures must be adopted to manage security risks due to use of mobile devices:

  • The Mobile device policy should include physical protection of registered devices, malware protection, restriction of installation, update and patch management, access controls, and backups.
  • Organizations should consider cryptography and the use of secret authentication, such as passwords and PINs, to avoid unauthorized access.
  • In case a mobile device – especially one carrying sensitive information – is stolen or lost, it is best to apply remote lock or erasure procedures.

Teleworking. Control A 6.2.2 states that a policy that defines conditions and restrictions for teleworking should be issued by the organization:

  • This policy should focus on the protection of information accessed, processed, or stored at teleworking sites, considering regulations.
  • Organizations should provide suitable communication equipment, physical security, hardware, and software support to remote workers.
  • Rules set for the use of home and wireless networks, classification of information held, and authorization policies to access systems and services should also be considered.

Also, control A.7.2.2 states that all employees of the organization must have appropriate awareness and regularly updated training in order to ensure that policies and procedures are implemented correctly.

Applying ISO 27001 controls to teleworking

No matter what industry you work in, at some point your organization, or at least part of it, will start relying on telework. But, by exposing your infrastructure, systems, and information in this way, your organization needs to take precautions for the high risks involved.

First, devices or users that do not comply with mobile device and teleworking policies should not be allowed to connect. Therefore, organizations must define who may telework and have remote access to which systems and data.

Using a virtual private network (VPN) and 2-factor authentication will improve endpoint security. Scanning network traffic for unusual activities by using a network layer firewall and encrypting sensitive data and communication will enhance security. Continuous monitoring, penetration tests, and audits will help you detect your vulnerabilities and shift your information security strategy.

Data clearance based on the need-to-know principle will prevent intended or unintended compromise of data. This is best provided by restricting the access rights of remote workers only to those systems and information they require for their organizational roles.

To learn more about remote access in teleworking, please read this article: ISO 27001 remote access policy: How to develop it.

How to stay ISO 27001 compliant with remote workers

It is essential to create sustainable awareness and to stay ISO 27001-compliant with remote workers. ISO 27001 clause 7.2 and control A 7.2.2 put further emphasis on this aspect. A regular and updated training program on policies and procedures regarding teleworking is necessary. Awareness activities can be in any form, including meetings, web-based trainings, use of company intranet, and others. However, it is important to state management’s commitment to information security, the need to comply with information security controls, and remote workers’ accountability for their own actions. It is also essential to assess the understanding of participants after awareness-raising activities. To improve the security awareness of your remote workers, enroll in this free security awareness training – a series of easy-to-understand videos for any employee.

The following methods will also increase awareness and create a safer teleworking environment:

  • Composing awareness programs focusing on not only “what” and “how,” but also “why.”
  • Making sure passwords are difficult to crack and changed regularly.
  • Choosing tools with built-in security and providing virtual desktop access.
  • Implementing regular monitoring of networks and systems.
  • Reviewing authorization and access rights periodically – especially when a remote worker quits.
  • Setting rules for video conferencing – such as screen capturing and recording.
  • Keeping your systems updated and informing remote workers on these, or forcing automatic updates.
  • Developing a breach response or business continuity plan.
  • Don’t forget to check changes in regulations!

Secure remote work with ISO 27001

As we have seen, remote work increasingly becoming a part of work life has its advantages. On the other hand, it may cause many problems both for individuals and companies. For all, preference of applying ISO 27001 and its controls will help to switch to remote work easily. Work from home, but safely!

To learn more about remote work security challenges and how to address them with ISO 27001, download this free Checklist of cyber threats & safeguards when working from home.

Advisera Tolga Aktaş
Author
Tolga Aktaş

Tolga Aktaş has been working in various disciplines of management systems for more than 15 years. Tolga is an accredited lead auditor for the ISO 9001, 14001, 18295, 22301, 27001, 27701, 37001, and 55001 standards and has conducted audits as a freelancer for internationally accredited conformity assessment companies. He is also an accredited lead auditor trainer for ISO 22301, 27001, and 27701. He conducts workshops and webinars, and provides consultancy services on management systems to organizations mainly in Turkey, the UK, the EU, Qatar, UAE, Germany, and Japan. Tolga holds a Master of Business Administration degree.