Remote Working Policy
ISO/IEC 27001 Toolkit: Version 13
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
This document sets out the organization’s policy with respect to remote working.
Areas of the standard addressed
The following areas of the ISO/IEC 27001 standard are addressed by this document:
• A.5 Organizational controls
o A.5.1 Policies for information security
• A.6 People controls
o A.6.7 Remote working
• A.7 Physical controls
o A.7.9 Security of assets off-premises
General guidance
This policy should tie in with your human resources policies regarding remote or home working. There may also be implications with current employment contracts that need to be reviewed. Remote working (or home working) can be a controversial subject and one which requires careful management with some organizations choosing not to allow it.
You may need to add additional detail to this document depending on your technical environment. You will also need to update it as technology changes.
Review frequency
We would recommend that this document is reviewed annually and upon significant change to the organization.
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.
To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.
If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.
Further detail on the above procedure can be found in the toolkit Completion Instructions This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.
If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.
Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.
You should take all reasonable and proper legal and other professional advice before using this document.
CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Remote Working Policy [Insert classification]
Remote Working Policy
DOCUMENT CLASSIFICATION [Insert classification]
DOCUMENT REF ISMS-DOC-A06-7-1
VERSION 1
DATED [Insert date]
DOCUMENT AUTHOR [Insert name]
DOCUMENT OWNER [Insert name/role]
Revision history
Distribution
Approval
1 Introduction
A remote working arrangement is a voluntary agreement between the organization and the employee. It usually involves the employee working from home in a separate area of their living accommodation, whether this is a house, apartment, or other type of domestic residence.
The introduction of a remote working arrangement, when managed effectively, has the potential to benefit both the individual and the organization. The individual will gain greater flexibility in working arrangements and possibly avoid a lengthy commute to and from an office. The organization can retain skilled and experienced staff whose circumstances suit remote working and possibly save money on the rental, lease or purchase of office space.
This policy sets out the key information security-related elements that must be considered in agreeing a remote working arrangement. It ensures that all the necessary issues are addressed and that the organization’s information assets are protected.
This policy does not address the human resources aspects of remote working such as health and safety, absence monitoring, job performance and contractual issues. These will be handled by the HR department and must also be in place before the remote working arrangement begins.
This policy applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.
The intended audience for this policy is management and employees involved in setting up and maintaining a remote working site [Organization Name].
Failure to comply with the contents of this policy may result in disciplinary action being taken by [Organization Name] against the individual(s) concerned.
Terms used in this policy are defined as follows:
• Information security means the processes and methodologies designed to protect data whether in transit, processing, or storage from unauthorized access, use, disclosure, disruption, modification, or destruction, ensuring confidentiality, integrity, and availability of information.
• Risk assessment is a process used to identify, analyse, and evaluate risks associated with a specific activity, process, or situation.
• Information classification is the process of categorizing data within an organization based on its level of sensitivity and the impact to the organization should that data be disclosed, altered, or destroyed.
• Virtual Private Network (VPN) is a technology that creates a safe and encrypted connection over a less secure network, such as the internet.
The following ISMS documents and external references are relevant to this document:
• Access Control Policy
• Mobile Device Policy
• User Access Management Process
• Cryptographic Policy
2 Putting a remote working arrangement in place
From an information security point of view there are various aspects that need to be considered in each remote working arrangement and the policy of the organization in these areas is set out in the following sections.
2.1 Initial risk assessment
Before a remote working arrangement can commence there will be an initial risk assessment of the proposed environment and nature of the work to be carried out.
2.1.1 Nature of the work
A major part of the risk assessment concerns the type of activities that are to be carried out as part of the arrangement. A full understanding needs to be gained of:
• The classification of the information that will be stored and processed as part of the role
• The method of access of the information
• Whether the role requires that classified information is printed locally
• The business criticality of the role and the consequences if it were unavailable
2.1.2 Physical security
The risk assessment will also consider the physical security of the proposed work location:
• Is there enough room to house the required equipment safely?
• Is it in a separate area of the living accommodation?
• Can the work area be secured e.g. via a locked door when not in use?
• Who else has access to the work area?
• Will the equipment be visible from outside the accommodation e.g. through a window?
• What is the likelihood of theft in the surrounding area?
• Can paper documents be locked away securely?
• Is there adequate and reliable power supply to the work area?
2.1.3 Insurance
The impact of remote working on the individual’s home insurance must be investigated to ensure that any policies currently in place remain valid. Additional insurance may be required and if so, it should be agreed in advance how this will be funded.
2.2 Facilities provided
The organization’s policy regarding the provision of facilities to enable remote working is detailed below.
Note that all of the provisions in the [Organization Name] Mobile Device Policy also apply to the remote working environment and this document must be read and understood by all parties involved.
2.2.1 Equipment
Only client equipment provided by [Organization Name] for the purpose of remote working must be used to access company networks. The individual’s own devices such as laptops or PCs must not be used for this purpose.
According to requirements, the remote worker may be provided with:
• A laptop, tablet or desktop PC with keyboard and mouse
• A printer
• Desk and chair
• Secure storage e.g. drawers or a cupboard
• Other items as required for the role
This equipment always remains the property of the organization.
2.2.2
Communications
In addition to client equipment the remote worker will, wherever possible, be provided with a physically separate communications link which is not connected in any way to existing domestic broadband or similar. This is to ensure that:
• Network performance is not affected by other activities in the household
• The configuration of the router can be security-hardened according to organization policy
• The ability for other devices to connect to this link can be prevented through the protection of network keys etc.
A Virtual Private Network (VPN) will be used to ensure that all network traffic from the remote worker client to organization servers is encrypted to organization standards.
Where public cloud services are accessed directly by the remote worker, appropriate endto-end encryption must be in place, in accordance with the Cryptographic Policy.
2.2.3 Backup and virus protection
Where possible, no data will be stored on the client machine. If this is unavoidable it is the responsibility of the remote worker to ensure it is backed up to the corporate network as soon as possible.
Virus protection will be provided on all relevant equipment and configured to update automatically on connection to the corporate network.
2.2.4
Technical support
Technical support of all supplied equipment will be provided by the [IT Support Desk]
2.3 Agreement termination
If the remote working agreement is terminated for any reason, all equipment that was supplied as part of the arrangement must be returned to the [IT Support Desk] as soon as possible.