Remote Working Security Measures
Implement security measures to protect company info when working outside the office.
Plain language
When employees work from home or any place outside the office, their laptops and information can be at risk. This control is about ensuring the safety of company data when staff are working remotely. If it's not followed, sensitive information could be accessed by unauthorised people, leading to data breaches or identity theft.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
People controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
12 Apr 2026
Maturity levels
N/A
Official control statement
Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.
Why it matters
Without robust remote-working controls, data accessed off-site may be intercepted on insecure Wi‑Fi or lost from unmanaged devices, leading to breaches and unauthorised disclosure.
Operational notes
Harden remote access: enforce VPN + MFA, keep remote access clients patched, and require managed devices with encryption, screen locks and remote wipe for off-premises work.
Implementation tips
- IT Managers should develop and enforce a remote working policy. This policy should outline security practices, such as using VPNs (Virtual Private Networks) or secure network connections whenever accessing company data, in line with ISO 27002:2022 and Australian laws like the Privacy Act 1988.
- HR should provide training to all staff on secure remote working practices. This includes how to safely use communication tools, the importance of strong passwords, and recognising phishing attempts. Training should comply with the ASD Essential Eight framework.
- The Facilities Manager should assess the physical security of common remote work environments. They should ensure employees have lockable cabinets for storing physical documents, and advise on securing home offices against theft or unauthorised access.
- Procurement should provide the necessary hardware, like laptops and secure USBs, with pre-installed security software. Equipment should have encryption software installed, following standards such as CPS 234, to protect sensitive information.
- The IT Support Team should establish a robust system for managing remote access to company networks. This includes using multifactor authentication to ensure that only authorised personnel can access the networks remotely, enhancing security as recommended by ISO 27002:2022.
Audit / evidence tips
- Ask for the remote working policy document
- Ask for training records or logs for remote working security awareness
- Ask for evidence of equipment issuance and maintenance records
- Ask for examples of remote connection logs
- Ask for records on the configuration of home networks by employees
Cross-framework mappings
How Annex A 6.7 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
Partially meets (1)
| Control | Notes |
|---|---|
| E8-RA-ML3.7 | E8-RA-ML3.7 requires Remote Credential Guard to be enabled to prevent administrator credentials being exposed during remote logons |
ASD ISM
Partially meets (5)
| Control | Notes |
|---|---|
| ISM-0488 | ISM-0488 requires that when SSH is used without passwords, organisations restrict what can be executed via SSH keys by using SSH 'forced ... |
| ISM-0705 | ISM-0705 requires organisations to disable split tunnelling when connecting to the organisation's network over VPN |
| ISM-1554 | ISM-1554 requires specific precautions for personnel travelling overseas with mobile devices to high or extreme risk countries, including... |
| ISM-1887 | ISM-1887 requires mobile devices to be configured with remote locate and remote wipe functionality to reduce risk from loss or theft |
| ISM-2101 | ISM-2101 requires that sensitive or classified phone calls and conversations are not conducted within or near connected vehicles to mitig... |
Partially overlaps (4)
| Control | Notes |
|---|---|
| ISM-1006 | ISM-1006 requires security measures to prevent unauthorised access to network management traffic |
| ISM-1400 | ISM-1400 requires enforced separation of classified data and personal data when personnel use privately-owned devices to access sensitive... |
| ISM-1866 | ISM-1866 requires organisations to prevent personnel using privately-owned devices from storing classified data from OFFICIAL: Sensitive ... |
| ISM-2096 | ISM-2096 requires mobile devices to enforce separation between organisational and personal applications and data (e.g |
Supports (5)
| Control | Notes |
|---|---|
| ISM-0467 | ISM-0467 requires HACE for SECRET and TOP SECRET data communicated outside secure areas |
| ISM-0487 | ISM-0487 mandates disabling high-risk SSH features for passwordless logins, reducing the remote administrative access attack surface |
| ISM-0871 | ISM-0871 requires mobile devices to be kept under continual direct supervision when they are being actively used to reduce loss or theft |
| ISM-1084 | ISM-1084 requires secure physical transport of mobile devices using approved security bags when the devices cannot be otherwise secured |
| ISM-2098 | ISM-2098 requires mobile devices to be configured so data cannot be transferred over USB connections |
Related (4)
| Control | Notes |
|---|---|
| ISM-0694 | Annex A 6.7 addresses protecting information when personnel work remotely, including controlling which devices can access organisational ... |
| ISM-0824 | Annex A 6.7 requires organisations to protect information when personnel work remotely, which often includes controlling what external se... |
| ISM-1146 | Annex A 6.7 requires security measures for personnel working remotely to protect organisational information accessed or processed offsite |
| ISM-1504 | Annex A 6.7 requires organisations to implement security measures to protect information accessed, processed or stored while personnel wo... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.