ISMS-DOC-A06-7-1 Remote Working Policy

Working Policy

Remote Working Policy

classification]

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document sets out the organization’s policy with respect to remote working.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

• A.5 Organizational controls

o A.5.1 Policies for information security

• A.6 People controls

o A.6.7 Remote working

• A.7 Physical controls

o A.7.9 Security of assets off premises

General guidance

This policy should tie in with your human resources policies regarding remote or home working. There may also be implications with current employment contracts that need to be reviewed. Remote working (or home working) can be a controversial subject and one which requires careful management with some organizations choosing not to allow it.

You may need to add additional detail to this document depending on your technical environment. You will also need to update it as technology changes.

Review frequency

We would recommend that this document is reviewed annually and upon significant change to the organization.

Remote Working Policy

classification]

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.

Remote Working Policy

classification]

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Working Policy

Remote

Policy

Remote Working Policy

classification]

Revision history

VERSION DATE REVISION AUTHOR SUMMARY OF CHANGES

Distribution

TITLE Approval

Remote Working Policy

classification]

1 Introduction

A remote working arrangement is a voluntary agreement between the organization and the employee. It usually involves the employee working from home in a separate area of their living accommodation, whether this is a house, apartment, or other type of domestic residence.

The introduction of a remote working arrangement, when managed effectively, has the potential to benefit both the individual and the organization. The individual will gain greater flexibility in working arrangements and possibly avoid a lengthy commute to and from an office. The organization can retain skilled and experienced staff whose circumstances suit teleworking and possibly save money on the rental, lease or purchase of office space.

This policy sets out the key information security related elements that must be considered in agreeing a remote working arrangement. It ensures that all the necessary issues are addressed and that the organization’s information assets are protected.

This policy does not address the human resources aspects of teleworking such as health and safety, absence monitoring, job performance and contractual issues. These will be handled by the HR department and must also be in place before the remote working arrangement begins.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies and procedures are relevant to this document:

Access Control Policy

Mobile Device Policy

User Access Management Process

Cryptographic Policy

Remote Working Policy

classification]

2 Putting a remote working arrangement in place

From an information security point of view there are various aspects that need to be considered in each remote working arrangement and the policy of the organization in these areas is set out in the following sections.

2.1 Initial risk assessment

Before a remote working arrangement can commence there will be an initial risk assessment of the proposed environment and nature of the work to be carried out.

2.1.1 Nature of the work

A major part of the risk assessment concerns the type of activities that are to be carried out as part of the arrangement. A full understanding needs to be gained of:

• The classification of the information that will be stored and processed as part of the role

• The method of access of the information

• Whether the role requires that classified information is printed locally

• The business criticality of the role and the consequences if it were unavailable

2.1.2 Physical security

The risk assessment will also consider the physical security of the proposed work location:

• Is there enough room to house the required equipment safely?

• Is it in a separate area of the living accommodation?

• Can the work area be secured e.g. via a locked door when not in use?

• Who else has access to the work area?

• Will the equipment be visible from outside the accommodation e.g. through a window?

• What is the likelihood of theft in the surrounding area?

• Can paper documents be locked away securely?

• Is there adequate and reliable power supply to the work area?

Remote Working Policy

classification]

2.1.3 Insurance

The impact of remote working on the individual’s home insurance must be investigated to ensure that any policies currently in place remain valid. Additional insurance may be required and if so, it should be agreed in advance how this will be funded.

2.2 Facilities provided

The organization’s policy regarding the provision of facilities to enable remote working is detailed below.

Note that all of the provisions in the [Organization Name] Mobile Device Policy also apply to the remote working environment and this document must be read and understood by all parties involved.

2.2.1 Equipment

Only client equipment provided by [Organization Name] for the purpose of remote working must be used to access company networks. The individual’s own devices such as laptops or PCs must not be used for this purpose.

According to requirements, the remote worker may be provided with:

• A laptop, tablet or desktop PC with keyboard and mouse

• A printer

• Desk and chair

• Secure storage e.g. drawers or a cupboard

• Other items as required for the role

This equipment always remains the property of the organization.

2.2.2 Communications

In addition to client equipment the remote worker will, wherever possible, be provided with a physically separate communications link which is not connected in any way to existing domestic broadband or similar. This is to ensure that:

• Network performance is not affected by other activities in the household

• The configuration of the router can be security hardened according to organization policy

• The ability for other devices to connect to this link can be prevented through the protection of network keys etc.

Remote Working Policy

classification]

A Virtual Private Network (VPN) will be used to ensure that all network traffic from the remote worker client to organization servers is encrypted to organization standards.

Where public cloud services are accessed directly by the remote worker, appropriate end to end encryption must be in place, in accordance with the Cryptographic Policy.

2.2.3 Backup and virus protection

Where possible, no data will be stored on the client machine. If this is unavoidable it is the responsibility of the remote worker to ensure it is backed up to the corporate network as soon as possible.

Virus protection will be provided on all relevant equipment and configured to update automatically on connection to the corporate network.

2.2.4 Technical support

Technical support of all supplied equipment will be provided by the [IT Support Desk]

2.3 Agreement termination

If the remote working agreement is terminated for any reason, all equipment that was supplied as part of the arrangement must be returned to the [IT Support Desk] as soon as possible.