Setting Up an ISO 27001-Compliant Remote Work Process

With the spread of more robust information and communication technologies, remote work has become viable for a larger number of companies. However, allowing access to a company’s information systems from locations and communication channels that it does not control brings risks that can cancel out the benefits of the practice.

Companies should consider the use of good security practices from the beginning. In this article, we will present how ISO 27001, the leading ISO standard in information security, can be used by companies as a systemic basis for defining, implementing and maintaining a robust remote work structure.

Remote Work’s Main Security Challenges

From a company’s perspective, some of the most common information security challenges are:

  • Reduced security on devices used remotely: At the office, the company controls the devices and the physical and network layers around them. In remote work, employees often use personal devices and public networks that the company has no control over.
  • Loss of data on remote devices: Lack of proper options for data backup and recovery on remote devices can increase the damage from a data loss incident.
  • Breach of legal requirements: Outside of the company’s environment, it is more difficult to ensure employees’ compliance with laws (e.g., GDPR) and contract clauses related to data protection.
  • Low engagement of remote employees with security practices: Less contact with remote employees can make them less likely to follow security practices.

And, while a quick search on the internet turns up several good point solutions for each of these challenges, the lack of a systemic approach can cause a company to overspend in some areas while leaving critical areas without adequate protection over time.

ISO 27001 Approach

ISO 27001 is an international, certifiable standard that defines the requirements for the establishment, implementation, maintenance and continual improvement of an information security management system (ISMS), applicable to organizations of any size and industry.

https://advisera.com/wp-content/uploads//sites/5/2020/04/iso-27001-certification-how-to-get-it.png

In short, its approach can be described as follows:

  • Definition of basic ISMS structure (e.g., organizational context, requirements, scope, etc.).
  • Risk management (risk assessment and risk treatment).
  • Implementation of controls.
  • ISMS performance evaluation and improvement.

Even if a company is not interested in ISO 27001 certification, following the standard’s structure provides a sound basis for setting up a remote work process, as follows:

  • Definition of basic ISMS structure: Helps you clearly identify why remote work is important and which requirements it must fulfill beyond business needs (e.g., compliance with GDPR), as well as the objectives to be achieved.
  • Risk management: Helps you identify and prioritize the most relevant risks for your company related to remote work.
  • Implementation of controls: ISO 27001 Annex A provides a set of information security controls that can help companies build a robust remote work process.
  • ISMS performance evaluation and improvement: Over time, companies should verify if implemented practices are effective and, if not, make the proper adjustments.

ISO 27001 Risk Assessment and Treatment

The core of ISO 27001, the risk assessment and risk treatment process, basically covers:

  • Definition of methodology, so you can reach consistent, valid and comparable results through defined steps and criteria.
  • Risk assessment implementation, to identify relevant risks.
  • Risk treatment implementation, to define how to handle relevant risks (e.g., risk mitigation, risk transfer, risk avoidance and risk acceptance).
  • Creation of a Risk Report and Statement of Applicability, to document process results and summarize applicable controls and justifications (required by the standard).
  • Definition of the Risk Treatment Plan, to define exactly who is going to implement each control in which timeframe, with what budget, etc.
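To make the steps above concrete, here is a minimal risk register that applies one fixed methodology to the remote work challenges listed earlier and derives the treatment decision, the Statement of Applicability and the Risk Treatment Plan from it. This is an added example, not Advisera’s tooling or a methodology prescribed by the standard: the 1–5 scales, the acceptance threshold, the control effectiveness estimates, the control subset and the sample risks are all assumptions.

```python
"""Added example: a minimal ISO 27001-style risk register for the remote-work
risks named in this article. Not Advisera's tooling or a prescribed method;
the scales, threshold, control effectiveness values and sample risks are
assumptions made for illustration."""
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6  # assumed criterion: a (residual) score <= 6 is acceptable

# Assumed catalog: ISO 27001:2013 Annex A id -> (title, likelihood steps removed,
# impact steps removed). The reductions are illustrative estimates, not from the standard.
CATALOG = {
    "A.6.2.1": ("Mobile device policy", 1, 0),
    "A.6.2.2": ("Teleworking", 1, 0),
    "A.7.2.2": ("Information security awareness, education and training", 1, 0),
    "A.7.2.3": ("Disciplinary process", 1, 0),
    "A.9.4.2": ("Secure log-on procedures", 2, 0),
    "A.10.1.1": ("Policy on the use of cryptographic controls", 0, 2),
    "A.12.3.1": ("Information backup", 0, 2),
    "A.13.1.3": ("Segregation in networks", 1, 1),
    "A.18.1.1": ("Identification of applicable legislation and contractual requirements", 1, 0),
}

@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: str
    impact: str
    controls: tuple = ()        # Annex A ids proposed as mitigation
    transferable: bool = False  # insurance or contractual transfer is available

def inherent_score(risk: Risk) -> int:
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]

def residual_score(risk: Risk) -> int:
    """Score after the proposed controls; neither axis drops below 1."""
    lik, imp = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    for cid in risk.controls:
        _, d_lik, d_imp = CATALOG[cid]
        lik, imp = max(1, lik - d_lik), max(1, imp - d_imp)
    return lik * imp

def treatment(risk: Risk) -> str:
    """Assumed decision rule: accept if already under the threshold, else mitigate
    if the controls bring it under, else transfer if possible, else avoid."""
    if inherent_score(risk) <= ACCEPTANCE_THRESHOLD:
        return "accept"
    if risk.controls and residual_score(risk) <= ACCEPTANCE_THRESHOLD:
        return "mitigate"
    if risk.transferable:
        return "transfer"
    return "avoid"

def statement_of_applicability(risks):
    """Every catalog control with its applicability and the risks that justify it."""
    soa = {}
    for cid, (title, _, _) in CATALOG.items():
        justified_by = [r.rid for r in risks if treatment(r) == "mitigate" and cid in r.controls]
        soa[cid] = {"control": title, "applicable": bool(justified_by), "justification": justified_by}
    return soa

def risk_treatment_plan(risks, owners, deadline):
    """One action per (risk, control) pair that a 'mitigate' decision requires."""
    return [
        {"risk": r.rid, "control": cid, "owner": owners.get(cid, "CISO"), "deadline": deadline}
        for r in risks if treatment(r) == "mitigate" for cid in r.controls
    ]

# Constructed sample register derived from the challenges listed in the article.
SAMPLE_RISKS = [
    Risk("R1", "Employee laptop", "Personal device on public Wi-Fi compromised",
         "likely", "major", ("A.6.2.1", "A.6.2.2", "A.9.4.2")),
    Risk("R2", "Working files on remote device", "Data lost with no backup",
         "possible", "major", ("A.12.3.1",)),
    Risk("R3", "Customer personal data", "Processing at home breaches GDPR",
         "possible", "severe", ("A.18.1.1", "A.7.2.2")),
    Risk("R4", "Remote staff", "Security practices ignored",
         "likely", "moderate", ("A.7.2.2", "A.7.2.3")),
    Risk("R5", "Shipped equipment", "Lost or damaged in transit",
         "possible", "moderate", (), transferable=True),
    Risk("R6", "Production admin access", "Privileged login from unmanaged personal device",
         "likely", "severe", ("A.9.4.2",)),
    Risk("R7", "Printed drafts at home", "Paper left visible to household members",
         "unlikely", "minor"),
]

def assess(risks=SAMPLE_RISKS):
    """Risk report rows: id -> (inherent score, residual score, treatment option)."""
    return {r.rid: (inherent_score(r), residual_score(r), treatment(r)) for r in risks}

if __name__ == "__main__":
    for rid, row in assess().items():
        print(rid, *row)
    for cid, entry in statement_of_applicability(SAMPLE_RISKS).items():
        print(cid, "applicable" if entry["applicable"] else "not applicable", entry["justification"])
```

Two points worth noticing when you run it: R6 ends up as "avoid" because the single proposed control still leaves a residual score above the threshold and no transfer option exists, which is the signal that the activity itself (privileged access from personal devices) has to be forbidden rather than patched; and controls such as A.10.1.1 show as not applicable only because no sample risk selected them, which in a real Statement of Applicability needs an explicit written justification rather than silence.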

ISO 27001 Controls for Remote Work

Considering the previously mentioned challenges, the implementation of a robust remote work process using controls from ISO 27001 Annex A would include the following (control numbers follow the ISO/IEC 27001:2013 edition of Annex A):

Organizational aspects:
These basically refer to the rules and responsibilities related to remote work, such as who is eligible for remote work, under which conditions, what is allowed or not, etc. These are basically covered by the following controls: Mobile device policy (A.6.2.1), Teleworking (A.6.2.2), Classification of information (A.8.2.1), Identification of applicable legislation and contractual requirements (A.18.1.1), and Intellectual property rights (A.18.1.2).

Technical aspects:
These refer to technological implementations that protect not only the user’s devices but also the company’s data and infrastructure, such as its servers and applications. Here, there is a wide range of applicable controls, including Inventory of assets (A.8.1.1), Secure log-on procedures (A.9.4.2), Policy on the use of cryptographic controls (A.10.1.1), Information backup (A.12.3.1), and Segregation in networks (A.13.1.3).

Physical aspects:
These refer to the physical implementations that protect the company’s assets related to remote work (e.g., a remote access server) against physical risks. These are basically covered by the controls from section A.11 (Physical and environmental security).

Human resources aspects:
These refer to the actions the company has to take to ensure its employees understand the importance of information security while working remotely and the consequences in case of information compromise. This is covered by controls including Terms and conditions of employment (A.7.1.2), Information security awareness, education and training (A.7.2.2), and Disciplinary process (A.7.2.3).

As you can see, ISO 27001 can help cover risks in a wide range of aspects related to remote work, and the selection of proper controls is based on the risk assessment and identification of legal requirements.

Remote Work With Acceptable Risks Is Possible

Remote work is a reality that is unlikely to be reversed. The availability of reliable technologies and the need to retain talent, as well as the occurrence of situations that prevent access to the main workplace (as we see today with the situation of COVID-19), will at least leave remote work as an alternative for companies to develop or continue their activities.

But remote work also has its risks: it widens the attack surface and exposes vulnerabilities that malicious actors can exploit. It is therefore necessary to approach remote work with security in mind, and for that the ISO 27001 standard can prove to be a good basis for the protection of information.

This article was co-authored by Rhand Leal, an ISO 27001 expert working with Advisera and an author of many articles and white papers at Advisera. He holds a number of certifications, including ISO 27001, ISO 9001 Lead Auditor, CISSP, CISM and PMP. You can learn more about Rhand on his author page.

Security Boulevard

Dejan Kosutic

Dejan Kosutic is the Lead ISO 27001/ISO 22301 Expert at Advisera. He is an Approved Tutor for ISMS Lead Auditor courses at SGS, and holds a number of certifications, including Certified Management Consultant, ISO/IEC 27001 Lead Auditor, Associate Business Continuity Professional, and ISO 9001 Lead Auditor.
