Blog
sprinto angle right
ISO 27001
sprinto angle right
How to Create an ISO 27001 Remote Working Policy That Passes Audit

How to Create an ISO 27001 Remote Working Policy That Passes Audit

TL;DR

An ISO 27001 remote work policy outlines how your organization protects sensitive information when employees work outside the office and links remote work controls to the broader Information Security Management System (ISMS).
ISO 27001:2022 Annex A.6.7 requires organizations to manage remote-work risks through appropriate security measures, including secure access, encrypted communication, device security, data handling, backups, and secure information disposal.
A compliant remote work policy should define scope, purpose, roles and responsibilities, access control, acceptable use, endpoint security, incident reporting, backup and recovery, and employee obligations in a way that auditors can review via the Statement of Applicability.
To operationalize the policy, teams should apply least privilege, enable multi-factor authentication (MFA), standardize device controls, monitor remote activity, train employees, and follow structured processes for offboarding, backup, and disposal.

Securing endpoints and enforcing consistent policies across a hybrid or remote workforce remains one of the toughest challenges for security and compliance teams. With employees working across varied locations, devices, and networks, the risk surface expands fast, and without clear guardrails, compliance falls apart.

Annex A.6.7 of ISO 27001:2022 directly addresses this complexity by requiring organizations to define and enforce security controls for remote work.

This blog walks through what Annex A.6.7 requires and how to build an ISO 27001 remote working policy that is practical, enforceable, and audit-ready.

What is the ISO 27001 Remote Working Policy?

The ISO 27001 Remote Working policy is a formal document that outlines how an organization protects sensitive information when employees work outside the office, including from home, co-working spaces, or while on public networks. It sits inside the broader Information Security Management System (ISMS) that ISO 27001 expects organizations to maintain, so the remote-work controls inherit the same risk-assessment, evidence, and review cycles the rest of the ISMS already runs on.

In ISO 27001:2022, this is addressed under Annex A.6.7 (remote working), which requires organizations to implement appropriate security measures to mitigate risks specific to remote work. This includes guidance on device use, secure connections, access control, and employee responsibilities.

ISO 27001 Remote Working Policy Requirements

Under Annex A.6.7 of ISO 27001:2022, organizations are required to assess and control risks tied to remote work. That means defining how employees work remotely, what systems they use, and how data is accessed, stored, transmitted, and protected. The ISO 27001 Statement of Applicability is where each Annex A control like A.6.7 gets formally documented as applicable or excluded, with the justification, control owner, and implementation status that auditors review during certification.

To comply, organizations must implement the following requirements:

1. Remote Access Authorization

Remote access should only be given to employees who need it for their job. It must be approved by the right person, documented properly, reviewed regularly, and removed if the employee changes roles or leaves the company. 

2. Use of Secure Communication Channels

All remote work must occur over encrypted communication channels such as VPNs or TLS-enabled platforms. Employees must be prohibited from accessing company systems through open or public Wi-Fi unless protective controls like VPN tunnels are active. The ISO 27001:2022 strengthened expectations around cryptographic and network-security controls in Annex A.8, so the VPN and TLS-enabled platforms used for remote work now need to be documented at the same level of rigor as office-network controls.

3. Multi-Factor Authentication (MFA)

Access to company systems from remote locations must be protected by MFA ie. combining at least two distinct authentication factors. This reduces the risk of credential theft and is mandatory to access systems containing sensitive or personal data. 

4. Device Security Controls

Only company-approved or MDM-registered devices may be used for remote work. Devices must have full-disk encryption, real-time malware protection, and automated patch management enabled to prevent vulnerabilities from being exploited. 

5. Data Storage Restrictions

Remote users must not store sensitive data locally on devices unless explicitly authorized. If local storage is required for business continuity, strict encryption and access controls must be applied, and the data must be synced with secure cloud backups.

6. Data Backup

Data handled during remote work must be regularly backed up to secure, organization-approved locations. Backups must be encrypted during storage and transit, and periodic restore tests should be conducted to ensure data integrity and recoverability.

7. Secure Information Disposal

When data is no longer needed, it must be securely disposed of. Digital files should be permanently deleted using secure deletion tools, and physical documents must be shredded or destroyed. If a device is offboarded or lost, it should be remotely wiped whenever possible.

Ready to make remote work ISO 27001-compliant?

Objectives of the Iso 27001 Remote Work Policy

The following objectives define what the Remote Working Policy aims to achieve. They provide the foundation for managing remote work securely and in alignment with ISO 27001:

1. Protect the Confidentiality, Integrity, and Availability (CIA) of Data

A remote working policy ensures that sensitive company and customer data is not exposed, tampered with, or lost due to insecure remote work practices. This includes protecting information across devices, networks, cloud systems, and communication tools, regardless of employees’ location.

2. Minimize Information Security Risks

Remote environments introduce risks that don’t exist in controlled office settings, including unsecured networks, personal devices, and distractions. A remote working policy identifies these risks and implements technical, procedural, and physical controls to reduce the attack surface.

3. Establish Clear, Enforceable Remote Work Guidelines

The policy defines what is allowed, what is prohibited, and what is mandatory when working remotely. This includes device usage, software restrictions, secure communication methods, and data handling rules, all documented in a way that’s auditable and easy for employees to follow.

4. Promote Security Awareness and Accountability

The policy makes employees active participants in maintaining security by training them on threats like phishing, data mishandling, and physical device theft. It ensures they understand their responsibilities and the consequences of non-compliance.

Core Components of ISO 27001 Remote Working Policy

An ISO 27001-compliant remote working policy must include clearly defined and enforceable components that reduce risk and support audit-readiness. Listed below are the essential elements every policy should cover:

1. Scope and Purpose

This section defines who the policy applies to, including full-time employees, contractors, and third-party service providers. It also outlines its purpose, which is safeguarding organizational information assets during remote work. 

2. Roles and Responsibilities

This component outlines the responsibilities of various stakeholders, such as IT, HR, management, and individual employees, in implementing, supporting, and complying with the policy. It clarifies who is accountable for which aspects of remote work security. 

3. Access Control Guidelines

This part describes how remote access to organizational systems is granted, authenticated, and monitored. It includes details such as multi-factor authentication, role-based access, and periodic review of access privileges. A separate ISO 27001 logging and monitoring policy defines what those monitoring activities actually capture, including authentication events, privileged-action logs, and the retention periods auditors will expect to see when reviewing remote-access oversight.

4. Device and Endpoint Security

This section covers requirements for securing the devices used in remote work. It includes controls such as disk encryption, antivirus software, automated updates, and the use of Mobile Device Management (MDM) for centralized oversight.

5. Network and Communication Security

This component outlines how communication between remote devices and company systems should be secured. It addresses the use of VPNs, secure protocols (like TLS), and restrictions on using public or unsecured networks. 

6. Data Protection and Handling

This section describes how sensitive data should be accessed, stored, and transferred in a remote work context. It includes encryption standards, approved tools for file sharing, and limits on local data storage. 

7. Disposal of Information

This component defines how to securely dispose of information no longer needed. It includes procedures for permanent deletion of digital files using secure wipe tools and physical destruction of paper-based materials. 

8. Physical Security Measures

This section addresses the physical safeguards employees are expected to maintain in their remote workspaces. It includes secure storage of devices and documents, use of screen locks, and avoidance of working in public spaces when handling sensitive information. 

9. Acceptable Use Policy

This part provides guidance on the appropriate use of organizational systems and data during remote work. It includes restrictions on unauthorized applications, personal cloud storage, and removable media. 

10. Backup and Recovery

This component explains how data generated or modified during remote work should be backed up. It also outlines expectations for recovery processes in the event of data loss or system failure.

11. Incident Reporting

This section describes the procedure remote workers should follow if they detect or suspect a security incident. It includes reporting channels, response timelines, and escalation paths. 

12. Policy Acknowledgment and Training

This component ensures that remote employees are trained on the policy and related security practices. It also includes the process for formally acknowledging receipt and understanding of the policy. 

A Step-by-step Guide to Remote Work Risk Assessment

This step-by-step process aligns with ISO 27001’s risk management approach and ensures remote work environments are systematically secured, monitored, and kept audit-ready.

  1. Define Scope

    Outline which parts of the organization are included in the remote work risk assessment. This includes identifying applicable business units, job roles, locations, and types of remote work arrangements, such as full-time remote employees, hybrid workers, and contractors.

  2. Identify Remote Work Assets

    Develop a complete inventory of all assets involved in remote work — including endpoints (laptops, smartphones), collaboration tools (e.g., Slack, Zoom), cloud services (e.g., M365, Google Workspace), and network infrastructure (e.g., home routers, VPN clients).

    Use device management platforms, access logs, and employee self-declarations to surface managed and unmanaged assets, including shadow IT or personal devices used under BYOD. 

  3. Identify Threats and Vulnerabilities

    For each remote work asset identified, evaluate the relevant threats uch as phishing, device theft, malware, or man-in-the-middle attacks over insecure Wi-Fi. Also account for the specific vulnerabilities that could be exploited, like lack of disk encryption, unpatched software, or weak authentication.

    You may use industry-standard threat modeling frameworks such as STRIDE or OWASP, as well as internal incident history, to contextualize these risks.

  4. Assess Likelihood and Impact

    Score each risk by estimating how likely it is to occur and how damaging it would be if exploited.

    Use a simple risk matrix (e.g., 1–5 for likelihood × 1–5 for impact) and prioritize anything scoring above a defined threshold.

  5. Evaluate Controls and Determine Gaps

    Review the current security controls for each identified risk, such as VPN enforcement, MDM coverage, or access logging. Assess whether existing controls adequately reduce the likelihood or impact.
    Compare these controls against what the risk requires to be mitigated — this is your control gap analysis. Use actual evidence, such as audit logs, control test results, or automated monitoring data, to validate whether controls are working as intended.

  6. Create a Risk Treatment Plan

    After considering existing controls, determine the appropriate treatment strategy for any risks that remain above the acceptable threshold. This may involve mitigating the risk, transferring it (e.g., through insurance), avoiding it by changing business processes, or formally accepting it with documented justification.

    Once the treatment decision is made, define implementing actions and assign clear owners for each action. 

  7. Document in Risk Register

    Create a centralized risk register that includes all identified risks, their associated scores, current control status, and selected treatment actions.

    This register should support version control, be regularly updated, and remain accessible for audit reviews. 

  8. Review Periodically

    Establish a defined schedule for reviewing the remote work risk assessment. This can be done quarterly, annually, or following significant changes in systems, personnel, or the external threat landscape.

    You can also trigger ad hoc reassessments in response to specific events such as a security incident, deployment of a new tool, or a change in regulatory requirements.

Secure Your Remote Workforce

Best Practices for Managing Remote Work Security

The following best practices help operationalize your remote work policy and strengthen day-to-day security. They reduce risk, support compliance, and ensure remote teams work securely at scale.

1. Apply the Principle of Least Privilege

Users should only be granted access to the systems and data required to perform their specific job functions. Access rights should be reviewed regularly and promptly revoked when no longer needed, such as during role changes or employee offboarding. 

2. Standardize Device Security Configurations

All devices used for remote work should meet a defined security baseline. This includes full-disk encryption, up-to-date antivirus or endpoint detection tools, enforced screen lock settings, automatic patching, and remote wipe capabilities. Device compliance should be managed centrally using an MDM or endpoint management solution. Modern ISMS software platforms integrate with the MDM tooling directly, pulling device-compliance status into the same dashboard auditors review alongside policy attestations and control evidence.

3. Enforce Secure Access Channels

Remote access to company systems should be routed through secure channels, such as VPNs, zero trust access solutions, or SSO platforms with enforced multi-factor authentication. Direct internet exposure of internal systems should be avoided wherever possible.

4. Control the Use of Personal Devices

If personal devices are permitted for remote work, they should be enrolled in an MDM platform, isolated through containerization, and restricted from storing sensitive company data locally. Organizations should also log and monitor usage to ensure ongoing compliance.

5. Conduct Targeted Security Awareness Training

Employees should receive regular training tailored to remote work scenarios. This should include education on phishing, device safety, use of secure Wi-Fi, and proper handling of confidential information. Training should be mandatory and tracked for completion. 

6. Implement Continuous Monitoring of Remote Activity

Access to systems and data by remote employees should be monitored in real time. Unusual activity, such as login attempts from unexpected locations, access to unauthorized systems, or device non-compliance, should trigger alerts and predefined escalation workflows.

7. Follow a Structured Offboarding Process

A formal process should be in place for revoking access, recovering company-issued equipment, and securely wiping data from devices when a remote employee leaves the organization. Wherever possible, this process should be automated to ensure consistency and reduce risk.

8. Test Backup and Recovery for Remote Endpoints

Remote workstations and data should be included in the organization’s backup strategy. Backup frequency, encryption, and restoration procedures should be documented and tested regularly to ensure data can be recovered in the event of loss or corruption.

Secure Your Remote Workforce
Automate Iso 27001 Remote Work Controls and Stay Audit-ready With Sprinto.

Sprinto Secures Your Remote Workforce

Managing ISO 27001 compliance for a distributed workforce can quickly become complex, especially when controls, policies, devices, and people operate outside centralized systems. Sprinto simplifies this by automating, monitoring, and enforcing remote work security controls in a unified platform.

The platform helps organizations build, implement, and maintain ISO 27001-compliant remote work policies through the following capabilities:

  • ISO 27001-compliant policy templates: Provides ready-to-use, auditor-approved remote work policies aligned with Annex A.6.7, fully customizable to your organization.
  • Automated control monitoring: Tracks device encryption, MFA, VPN usage, and access controls across cloud applications and remote endpoints in real time.
  • Centralized risk register: Logs, scores, and maps remote work risks to ISO controls with built-in treatment planning and tracking.
  • Employee-level compliance enforcement: Monitors policy acknowledgment and training completion, and triggers alerts for non-compliance or missed deadlines.
  • Automated, audit-ready evidence: Collects and formats evidence mapped to ISO controls, accessible through a real-time auditor dashboard.
  • Scalable framework mapping: Enables application of remote work policies across roles, locations, and compliance frameworks without duplicating effort.

See Sprinto in action. Speak to our experts today.

Frequently asked questions

Annex A.6.7 of ISO 27001:2022 requires organizations to implement controls that manage information security risks associated with remote working. This includes defining security requirements for remote access, protecting devices and data used offsite, ensuring secure communication channels, and setting expectations for employee behavior in remote environments.

Yes, a remote work policy is required if remote working is part of your operational model. ISO 27001:2022 Annex A.6.7 specifically calls for organizations to establish and enforce policies that govern the secure use of information and systems in remote settings.

Auditors look for a formally documented remote work policy, evidence of employee acknowledgment, and proof that required security controls are implemented and monitored. This includes reviewing VPN configurations, MDM deployment, access logs, training records, and incident response procedures related to remote work environments.

Yes, personal devices can be used, but only if they are governed by strict security controls. Organizations must ensure these devices are protected through encryption, access controls, endpoint monitoring, and usage policies. All risks must be assessed, and controls must be documented and enforced through the remote work policy.

To handle ISO 27001 compliance for remote workers, companies should create a clear remote working policy, define who can work remotely, enforce MFA, use VPN or secure communication channels, restrict access based on least privilege, manage devices through MDM, enable encryption and endpoint protection, train employees, and collect evidence for audits. Remote access should be approved, documented, reviewed regularly, and removed when an employee changes roles or leaves.

Good ISO 27001 checklist management tools for remote teams include Sprinto, Vanta, Drata, Secureframe, and Thoropass. These platforms help manage policies, controls, evidence collection, employee tasks, risk registers, access reviews, and audit readiness in one place. Sprinto, for example, supports ISO 27001 policy templates, control monitoring, risk registers, employee compliance tracking, and audit-ready evidence.

The best approach is to use a compliance automation platform plus an accredited certification or audit provider. Platforms like Sprinto, Vanta, Drata, Secureframe, and Thoropass can help prepare evidence and manage controls, while certification bodies or audit providers such as LRQA, TÜV SÜD, TÜV Rheinland, Bureau Veritas, A-LIGN, Schellman, and Prescient Security can support the formal audit process. Remote audits may be fully remote or hybrid depending on the organization’s scope, risks, processes, and accreditation rules. 

Tech-enabled ISO 27001 audit providers include A-LIGN, Schellman, Thoropass, Prescient Security, LRQA, TÜV SÜD, TÜV Rheinland, and Bureau Veritas. These providers support remote or hybrid audits using online meetings, secure document review, screen sharing, cloud-based evidence review, and digital audit workflows. However, companies should confirm whether the provider is accredited for ISO 27001 and whether their specific audit can be completed remotely or needs a hybrid assessment. 

Payal Wadhwa
Author

Payal Wadhwa

Payal is your friendly neighborhood compliance whiz who is also ISC2 certified! She turns perplexing compliance lingo into actionable advice about keeping your digital business safe and savvy. When she isn’t saving virtual worlds, she’s penning down poetic musings or lighting up local open mics. Cyber savvy by day, poet by night!
Tired of fluff GRC and cybersecurity content? Subscribe to our newsletter and get detailed
research & insights curated to help you earn a seat at the table.
single-blog-footer-img