Before COVID-19, remote work was the domain of companies cutting operational costs, employees seeking a better work-life balance, and freelancers. Today, however, companies have seen the upside of remote work, be it reduced expenditure on rent or better employee mental health thanks to an improved work-life balance.
Happy employees are more productive, but what about the company itself?
Is your data secure?
ISO 27001 Annex A helps with your information security risk management and security controls. Implemented correctly, it brings your risk down from high to medium-low without adding unnecessary complexity.
Which security challenges should you be worried about?
Besides its many benefits, remote working has some challenges and information security risks. These include unauthorized access, breach of sensitive information, and modification or even destruction of data. Considering that employees are outside the organization’s environment, they will be using mobile devices for remote access from home or public networks, which may not have the best security controls. Insufficient information and communication policies, along with a lack of clearly defined procedures, can cause nightmares for companies, including financial loss and non-compliance with regulations such as the EU GDPR. – https://advisera.com
Which controls in ISO 27001 deal with remote working?
- A 6.2.1 – Mobile device policy
- A 6.2.2 – Teleworking
- A 7.2.2 – Information security awareness, education and training
ISO 27001 requires an Information Security Management System (ISMS) to have controls in place to defend against information security risks. ISO 27002 is a code of practice for the controls listed in ISO 27001 Annex A and will support you in implementing, maintaining and managing the information security of your ISO 27001 ISMS. It is important to note, however, that you can't be certified against ISO 27002, as it is only a supporting guide to ISO 27001.
Controls A 6.2.1 and A 6.2.2 are dedicated to remote working.
The following is an excerpt from https://advisera.com:
Mobile device policy. Control A 6.2.1 states that a policy and supporting security measures must be adopted to manage security risks due to use of mobile devices:
- The Mobile device policy should include physical protection of registered devices, malware protection, restriction of installation, update and patch management, access controls, and backups.
- Organizations should consider cryptography and the use of secret authentication, such as passwords and PINs, to avoid unauthorized access.
- In case a mobile device – especially one carrying sensitive information – is stolen or lost, it is best to apply remote lock or erasure procedures.
Teleworking. Control A 6.2.2 states that a policy that defines conditions and restrictions for teleworking should be issued by the organization:
- This policy should focus on the protection of information accessed, processed, or stored at teleworking sites, considering regulations.
- Organizations should provide suitable communication equipment, physical security, hardware, and software support to remote workers.
- Rules set for the use of home and wireless networks, classification of information held, and authorization policies to access systems and services should also be considered.
Also, control A.7.2.2 states that all employees of the organization must have appropriate awareness and regularly updated training in order to ensure that policies and procedures are implemented correctly.
How do I apply ISO 27001 controls to remote work?
With COVID-19 there has been a global shift toward remote working, at least in part, and the reliance on remote work will only increase with the allure of no commute, home-brewed coffee and a relaxed environment. But your company has huge exposure of its systems, information and infrastructure while your employee is working from their couch, and it is up to you to mitigate this risk.
Your first line of defense will be a mobile device and remote work policy, which requires your users not to connect with devices that don't comply with the policy. Your policy must clearly state who may work remotely and who may have remote access to your infrastructure, systems and information.
Endpoint security is key, and two-factor authentication in conjunction with a Virtual Private Network (VPN) will reduce this often-overlooked risk. Additional security enhancements could include encrypting sensitive data and communication, scanning network traffic and a network-layer firewall. Your last and most important defense is to be proactive rather than reactive: monitoring, penetration tests and audits help in detecting gaps in your security and provide an effective stop-gap before the dam breaks.
You will also be required to limit the access that each employee has to the data available. By siloing data so that each employee can only reach what their role requires, your risk of a serious breach also decreases.
How do I stay compliant with ISO 27001 with regards to remote workers?
In short – Security Awareness Training.
Your training should be a series of easy-to-understand content supplied in a sustainable manner. Updating your training is essential, as security threats are ever evolving. ISO 27001 clause 7.2 and control A 7.2.2 put further emphasis on this aspect. Employee buy-in on training is helped along by management's commitment to information security, the need to comply with information security controls, and remote workers' accountability for their own actions.
The following is an excerpt from https://advisera.com:
The following methods will also increase awareness and create a safer teleworking environment:
- Composing awareness programs focusing on not only “what” and “how,” but also “why.”
- Making sure passwords are difficult to crack and changed regularly.
- Choosing tools with built-in security and providing virtual desktop access.
- Implementing regular monitoring of networks and systems.
- Reviewing authorization and access rights periodically – especially when a remote worker quits.
- Setting rules for video conferencing – such as screen capturing and recording.
- Keeping your systems updated and informing remote workers on these, or forcing automatic updates.
- Developing a breach response or business continuity plan.
- Don’t forget to check changes in regulations!
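Two of the points above are routine enough to automate: limiting each employee's access to what their role needs, and reviewing access rights periodically, especially when a remote worker leaves. The following Python script is an added illustration of such an access review; it is not code from this page or from advisera.com. It assumes a role-to-systems baseline (least privilege), an HR roster with end dates, and an export of access records with last-use dates; all of these names, roles, dates and systems are constructed for the example.

```python
"""Periodic access review for remote workers (added example, constructed data).

Flags four conditions an ISO 27001 access review would look for:
  departed        - account still active after the employee's end date
  unknown_user    - access record with no matching HR roster entry
  over_privileged - access to a system outside the role's least-privilege baseline
  stale           - access not used within the review window
"""
from datetime import date, timedelta

# Constructed least-privilege baseline: the systems each role legitimately needs.
ROLE_BASELINE = {
    "sales": {"crm", "email"},
    "finance": {"erp", "email"},
    "engineering": {"git", "ci", "email"},
}

# Constructed HR roster: user -> (role, end_date or None while employed).
HR_ROSTER = {
    "alice": ("sales", None),
    "bob": ("finance", date(2023, 9, 30)),   # left the company
    "carol": ("engineering", None),
    "dave": ("engineering", None),
}

# Constructed identity-system export: (user, system, last_used).
ACCESS_RECORDS = [
    ("alice", "crm", date(2023, 11, 2)),
    ("alice", "email", date(2023, 11, 3)),
    ("alice", "erp", date(2023, 11, 1)),     # outside the sales baseline
    ("bob", "erp", date(2023, 9, 29)),       # departed, access never revoked
    ("bob", "email", date(2023, 9, 30)),
    ("carol", "git", date(2023, 11, 3)),
    ("carol", "email", date(2023, 11, 3)),
    ("dave", "ci", date(2023, 5, 1)),        # legitimate but unused for months
    ("dave", "email", date(2023, 11, 3)),
    ("eve", "git", date(2023, 11, 2)),       # no HR record at all
]

# Constructed date on which the review is run.
REVIEW_DATE = date(2023, 11, 6)


def review_access(records, roster, baseline, today, stale_days=90):
    """Return a list of (finding, user, system) tuples for the given records."""
    findings = []
    for user, system, last_used in records:
        if user not in roster:
            findings.append(("unknown_user", user, system))
            continue
        role, end_date = roster[user]
        if end_date is not None and end_date <= today:
            # Offboarding takes precedence over every other check.
            findings.append(("departed", user, system))
            continue
        if system not in baseline.get(role, set()):
            findings.append(("over_privileged", user, system))
        if today - last_used > timedelta(days=stale_days):
            # Unused rights are a candidate for removal after confirmation.
            findings.append(("stale", user, system))
    return findings


def revocations(findings):
    """Map user -> set of systems to revoke outright.

    Stale access is deliberately excluded: it should be confirmed with the
    line manager first, whereas departed, unknown and over-privileged access
    is revoked immediately.
    """
    actions = {}
    for finding, user, system in findings:
        if finding in {"departed", "unknown_user", "over_privileged"}:
            actions.setdefault(user, set()).add(system)
    return actions


if __name__ == "__main__":
    results = review_access(ACCESS_RECORDS, HR_ROSTER, ROLE_BASELINE, REVIEW_DATE)
    for finding, user, system in results:
        print(f"{finding:16} {user:8} {system}")
    print("revoke now:", revocations(results))
```

In practice the three inputs come from the HR system and the identity provider rather than from in-line dictionaries, and the review date is the date the report is generated; the logic stays the same. Keeping the baseline per role rather than per person is what makes the over-privilege check meaningful, because it forces the organization to write down what each remote role actually needs.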