There are many challenges when applying ISO 27001 to remote working. But it is something that every company must consider, especially as flexible home working is an increasingly common option. For some companies, workers are rarely in the office: they could be on site for long periods of time in the UK or, as in many cases, abroad too.
Under ISO 27001, all of the remote working situations will need to be considered and catered for. But what does your remote working policy need to consider?
This is by no means an exhaustive list and, of course, not every item will relate to your business, but you may need to consider:
- The physical security of your staff as they work away from the main site – this is not just about location but the surrounding environment, equipment and so on.
- Security of login details – staff need to be made aware as part of their ISO 27001 training of the need for complete confidentiality and security of login details such as passwords for emails and so on.
- Remind staff that company policies and procedures remain in place no matter where or how they work – the company policies that guide actions and responses are just as pertinent when a worker completes their daily tasks remotely as they are on site. For example, they should only access the company’s online systems when it is work-related and not for any other reason.
- Systems must be in place to combat unauthorised remote access – as an organisation, it makes perfect business sense to encourage and accommodate remote working but it isn’t without its security issues. These can be combatted, but it does mean looking at the digital infrastructure and strengthening online security procedures too: for example, multi-factor authentication on every remote entry point (VPN, webmail, remote desktop) and keeping those entry points patched, since they are exposed to the whole internet rather than just the office network.
- Define levels of confidentiality – often used as a blanket term, in the case of remote working and ISO 27001 information security, defining levels of sensitivity of confidential information is useful. For example, the most sensitive pieces could be labelled ‘highly confidential’, meaning a stronger level of login (such as multi-factor authentication) is required to reach them, both on and off site.
- Encryption statement and processes – when remote workers transmit data back to base, how secure is the connection and the process? Data in transit should travel over an encrypted channel (a VPN or TLS), and data at rest on laptops and removable media should be protected by full-disk encryption, so that a lost or stolen device does not become a data breach. Encryption places another layer of protection on data and would be an expected part of ISO 27001.
- Defining levels of access – blanket access to online systems for all employees means that some people can access information that they don’t need. Limiting access by introducing levels that relate directly to the confidentiality of the information (the principle of least privilege) is considered good practice.
- Logging access – logging access to networks is not just about monitoring correct use but traceability in the event of an incident.
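The three policy points above on confidentiality levels, access levels and logging can be expressed as one small access decision. The following is an added illustration written for this article, not code from Synergos or from the ISO 27001 standard; the label names, the ordering of clearances, the rule that the top label needs a multi-factor login, and the sample users and documents are all assumptions chosen for the example.

```python
"""Classification-aware access check with an audit trail (added example).

Assumed policy: a user may read a document only if their clearance is at or
above the document's label, and the most sensitive label additionally requires
a session that has passed multi-factor authentication (MFA). Every decision,
allowed or denied, is written to an audit log so that an incident can be traced
back to who touched what, from where, and whether the login was strong enough.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered sensitivity labels; a higher index means more sensitive (assumed names).
LABELS = ["public", "internal", "confidential", "highly-confidential"]
LEVEL = {name: i for i, name in enumerate(LABELS)}

# Policy assumption: from this label upwards a stronger login (MFA) is required,
# regardless of whether the user is on site or working remotely.
MFA_REQUIRED_FROM = LEVEL["highly-confidential"]


@dataclass
class User:
    name: str
    clearance: str        # highest label this user is permitted to read
    mfa_verified: bool    # whether the current session passed MFA


@dataclass
class Resource:
    path: str
    label: str


@dataclass
class AuditLog:
    """In-memory stand-in for a SIEM or central log store."""
    entries: list = field(default_factory=list)

    def record(self, user, resource, source_ip, allowed, reason):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.name,
            "resource": resource.path,
            "label": resource.label,
            "source_ip": source_ip,
            "mfa": user.mfa_verified,
            "decision": "ALLOW" if allowed else "DENY",
            "reason": reason,
        }
        self.entries.append(entry)
        return entry

    def denials_for(self, username):
        """Traceability helper: every denied attempt by one account."""
        return [e for e in self.entries
                if e["user"] == username and e["decision"] == "DENY"]


def authorize(user, resource, source_ip, log):
    """Return (allowed, reason); always writes exactly one audit entry."""
    if resource.label not in LEVEL or user.clearance not in LEVEL:
        # Unknown labels fail closed: nothing unlabelled is readable by default.
        return _decide(log, user, resource, source_ip, False, "unknown label")
    need = LEVEL[resource.label]
    if LEVEL[user.clearance] < need:
        return _decide(log, user, resource, source_ip, False,
                       "clearance below resource label")
    if need >= MFA_REQUIRED_FROM and not user.mfa_verified:
        return _decide(log, user, resource, source_ip, False,
                       "stronger login (MFA) required for this label")
    return _decide(log, user, resource, source_ip, True, "clearance sufficient")


def _decide(log, user, resource, source_ip, allowed, reason):
    log.record(user, resource, source_ip, allowed, reason)
    return allowed, reason


def run_demo():
    """Constructed sample requests; returns the populated audit log."""
    log = AuditLog()
    payroll = Resource("/hr/payroll-2024.xlsx", "highly-confidential")
    forecast = Resource("/finance/q3-forecast.pdf", "confidential")
    holidays = Resource("/wiki/holiday-calendar.md", "internal")

    alice_pw = User("alice", "highly-confidential", mfa_verified=False)
    alice_mfa = User("alice", "highly-confidential", mfa_verified=True)
    bob = User("bob", "internal", mfa_verified=False)

    # Same account, same document: password-only from home is refused, MFA passes.
    authorize(alice_pw, payroll, "203.0.113.5", log)
    authorize(alice_mfa, payroll, "203.0.113.5", log)
    # Least privilege: bob's clearance stops at "internal".
    authorize(bob, forecast, "198.51.100.7", log)
    authorize(bob, holidays, "198.51.100.7", log)
    return log


if __name__ == "__main__":
    for entry in run_demo().entries:
        print(entry["decision"], entry["user"], entry["resource"], "-", entry["reason"])
```

The point of writing the rule this way is that the login strength is tied to the data label rather than to the location of the worker: a remote password-only session and an on-site one are treated identically, which is what the policy above asks for. The audit entries carry user, resource, source address and the reason for the decision, which is the minimum an incident responder needs to reconstruct who accessed what.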
Accessing information in the field, whether that is during home working sessions or whilst on-site at a project, is an important consideration for your staff to be able to continue being as productive as possible.
ISO 27001 is a standard that supports this, rather than placing obstacles in the way of modern business practices.
How can we help you?
If you’re in need of assistance with any aspect of ISO certification, here at Synergos we’d be delighted to help. Whether you have questions about the path to certification or are looking for advice and support to maintain an existing standard call 01484 666160 or email email@example.com and we’ll be happy to talk it over with you.