Control Definition
The organization must implement security measures to protect information that personnel access, process, or store while working outside its premises — from home, while traveling, or at any other remote location.
Control Objective
To keep information secure when people work somewhere other than the organization's premises.
What This Really Means
The moment someone opens a work laptop at a kitchen table, your office perimeter — badge readers, firewalls, CCTV, the colleague who would notice a stranger — stops protecting them. The perimeter shrinks to three things: the device, the network it connects through, and the habits of the person using it. A.6.7 asks you to rebuild protection around those three things instead of around the building.
In practice the control rests on a triad: policy, technical controls, and trained habits. The policy is a topic-specific document stating who may work remotely, with which categories of information, from which locations, and under what conditions — including the household rules people rarely write down: locking the screen when stepping away, keeping family members off corporate devices, not taking sensitive calls within earshot of strangers. The technical layer hardens the endpoint (encryption, EDR, MDM enrollment, automatic lock) and secures the path back to your systems through VPN or zero-trust access with multi-factor authentication. The training layer turns both into behavior. Remove any one leg and the other two fail quietly.
The scope is broader than work-from-home. Co-working spaces, hotels, airports, client sites, and the quiet phenomenon of employees working from another country for a few weeks each raise their own issues — shoulder surfing, untrusted networks, cross-border data access. The same goes for the BYOD question: A.6.7 forces an explicit decision about whether personal devices may touch corporate information at all, and if so which services, enforced technically through containerization or conditional access rather than by a policy sentence alone.
What auditors treat as the heart of the control is consistency: the written policy, the technical evidence (MDM posture reports, access rules), and what remote employees describe in interviews must all match. A beautiful policy contradicted by one interview is a finding; a modest policy that matches practice is a pass.
Why It Matters
For remote-first and hybrid organizations — which now means most knowledge-work companies — the majority of information handling happens outside any controlled premises, permanently. An ISMS whose evidence covers only the office is describing a minority of the actual risk surface, and auditors increasingly read it exactly that way.
The risks themselves are mundane rather than exotic, which is precisely why they persist: lost laptops, visible screens, shared family computers, home routers still running default credentials. Where remote working controls are thin, the consequences cluster:
- Device loss and theft – the dominant off-premises incident; an unencrypted laptop left in a taxi is a reportable breach, while an encrypted and remotely wipeable one is a logistics problem
- Untrusted network exposure – home and public Wi-Fi sit entirely outside your monitoring; unprotected traffic and directly exposed internal services invite interception and credential theft
- Bystander disclosure – household members, flatmates, and cafe neighbors see screens and overhear calls that no technical control will ever log
- Shadow IT born of friction – when sanctioned remote access is slow or clumsy, people forward mail to personal accounts and sync files to personal devices, creating unmanaged copies you cannot wipe or audit
- Scope-credibility findings – claiming office-grade control coverage while half the workforce is remote invites the auditor to test exactly where your controls actually apply
Regional Compliance Context
India. Under the DPDP Act 2023, personal data handled by support, operations, and engineering teams from home remains entirely the data fiduciary's responsibility — remote endpoints and access paths sit inside DPDPA scope, not outside it. CERT-In's 180-day log retention expectation extends to remote access infrastructure, so VPN and zero-trust gateway logs need the same retention discipline as office systems. India's services and GCC sector adds a contractual layer: client agreements often prescribe specific work-from-home controls that go beyond the ISO baseline.
Gulf. Cross-border remote work deserves explicit gating in the region: an employee accessing Saudi or UAE personal data from another country can raise transfer questions under the Saudi PDPL and the UAE federal PDPL. Route international remote-work requests through legal review rather than leaving them to manager discretion.
Implementation Guidance
Write a Topic-Specific Remote Working Policy
Define who may work remotely, from which locations (home, co-working, abroad), which information classes may be handled outside premises, and the physical rules: screen locking, household members, public spaces, video-call surroundings. Have it approved, version-controlled, and acknowledged by every remote-eligible employee — the acknowledgment records become audit evidence.
Provision Hardened, Managed Endpoints
Issue corporate laptops with full-disk encryption, EDR, automatic screen lock, and MDM enrollment so posture is verifiable remotely. Decide the BYOD boundary explicitly: containerized email and documents on enrolled personal phones is a common middle ground, while unmanaged devices stay blocked from sensitive systems. This is where A.8.1 carries the technical weight.
Secure the Access Path
Put VPN or zero-trust network access (ZTNA) in front of internal applications, enforced with multi-factor authentication per A.8.5, and never expose internal services directly to the internet. Add conditional access rules that check device compliance before granting entry, so a compromised or unmanaged machine cannot simply log in with stolen credentials.
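The decision logic described above, as an added example that is not part of this guidance or any vendor's conditional-access product: MFA is checked first, the device must be known and enrolled before any posture claim is trusted, enrolled personal devices reach only the containerized tier, and sensitive systems require a compliant corporate device. The posture fields, thresholds, device inventory and sign-in attempts are all constructed for illustration.

```python
"""Conditional-access decision for remote sign-ins. Added illustration of the
logic described above, not any vendor's policy engine; the posture fields
and thresholds are assumptions chosen to look like an MDM export."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DevicePosture:
    ownership: str                      # "corporate" or "personal" (BYOD)
    enrolled: bool                      # enrolled in MDM, so posture is verifiable
    disk_encrypted: bool
    screen_lock_minutes: Optional[int]  # None = no automatic lock configured
    last_patch: date                    # date of the last successful patch run


@dataclass(frozen=True)
class SignIn:
    user: str
    device_id: Optional[str]            # None when the client presents no device identity
    mfa_passed: bool
    app_tier: str                       # "sensitive" or "byod_container"


MAX_LOCK_MINUTES = 10      # assumed policy threshold
MAX_PATCH_AGE_DAYS = 30    # assumed policy threshold


def posture_violations(p: DevicePosture, today: date) -> List[str]:
    """Rules a device fails against the hardening baseline (empty list = compliant)."""
    v = []
    if not p.disk_encrypted:
        v.append("disk not encrypted")
    if p.screen_lock_minutes is None or p.screen_lock_minutes > MAX_LOCK_MINUTES:
        v.append("screen lock missing or slower than %d min" % MAX_LOCK_MINUTES)
    if (today - p.last_patch).days > MAX_PATCH_AGE_DAYS:
        v.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    return v


def decide(s: SignIn, inventory: Dict[str, DevicePosture], today: date) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). Valid credentials are never enough on
    their own: MFA is checked first, then the device must be known and enrolled,
    and sensitive systems additionally require a compliant corporate device."""
    if not s.mfa_passed:
        return "deny", "MFA not satisfied"
    posture = inventory.get(s.device_id) if s.device_id else None
    if posture is None or not posture.enrolled:
        return "deny", "unmanaged device: no posture evidence"
    if s.app_tier == "byod_container":
        # Enrolled personal devices reach the containerized tier only; encryption is still required
        if not posture.disk_encrypted:
            return "deny", "device not encrypted"
        return "allow", "enrolled device admitted to containerized tier"
    if posture.ownership != "corporate":
        return "deny", "personal device blocked from sensitive systems"
    violations = posture_violations(posture, today)
    if violations:
        return "deny", "non-compliant device: " + "; ".join(violations)
    return "allow", "compliant corporate device"


# Constructed inventory and sign-in attempts (not real devices or users)
TODAY = date(2024, 6, 1)
INVENTORY = {
    "LT-001": DevicePosture("corporate", True, True, 5, date(2024, 5, 20)),
    "LT-002": DevicePosture("corporate", True, False, 5, date(2024, 5, 20)),
    "PH-007": DevicePosture("personal", True, True, None, date(2024, 3, 1)),
}
ATTEMPTS = {
    "alice_laptop":     SignIn("alice", "LT-001", True, "sensitive"),
    "bob_unencrypted":  SignIn("bob", "LT-002", True, "sensitive"),
    "carol_phone_mail": SignIn("carol", "PH-007", True, "byod_container"),
    "carol_phone_crm":  SignIn("carol", "PH-007", True, "sensitive"),
    "dave_cafe_pc":     SignIn("dave", None, True, "sensitive"),
    "stolen_password":  SignIn("alice", "LT-001", False, "sensitive"),
}


def evaluate_all() -> Dict[str, Tuple[str, str]]:
    """Evaluate every constructed attempt; the reasons double as audit evidence."""
    return {name: decide(s, INVENTORY, TODAY) for name, s in ATTEMPTS.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in evaluate_all().items():
        print(f"{name:18} {verdict:5} {reason}")
```

The order of checks is the point: a correct password on an unknown machine, or on a corporate laptop whose disk encryption has been switched off, is denied before any application is reached, which is exactly the behaviour an auditor asks to see demonstrated live.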
Set the Home and Public Environment Baseline
Publish a short home-working checklist: change the router's default password, use WPA2 or WPA3, keep work devices off shared family accounts. For travel and public spaces: privacy screens, no sensitive calls within earshot of strangers, devices never left unattended. Keep it to one page — checklists that fit on a screen get followed.
Manage the Equipment Lifecycle Remotely
Track home-based equipment in the asset register, define shipping workflows for joiners and leavers with prepaid returns, and verify that remote wipe works before you need it. Make equipment recovery a named step in the leaver process with an owner and a deadline — unrecovered devices are a recurring audit finding.
Train for Remote-Specific Scenarios
Go beyond generic awareness and train the situations remote workers actually face: a laptop stolen from a car, a mis-sent client file at midnight, a household member borrowing the work machine, a suspicious pop-up with no IT desk to walk to. Pair every scenario with the reporting channel from A.6.8, and refresh annually.
Verify and Review Continuously
Pull MDM and conditional access compliance reports on a defined cadence (monthly or quarterly), run periodic self-attestation surveys on home setups, and review the policy whenever the working model changes — new countries, new BYOD decisions, new client requirements. Feed the results into management review so remote working risk stays visible.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.6.7:
Documentation
- Approved remote working policy with version history and employee acknowledgment records
- MDM or endpoint compliance reports showing encryption, screen-lock, and patch posture for remote devices
- VPN or zero-trust access configuration standard with MFA enforcement evidence
- BYOD rules plus the register of approved personal devices — or technical evidence that unmanaged devices are blocked
- Remote working risk assessment and training content covering home and travel scenarios
Interviews
- Remote employees on their actual setup — where they work, who can see the screen, what happens when they step away
- IT administrator on device provisioning, posture monitoring, and whether remote wipe has been tested
- HR or line manager on how remote work and cross-border working requests are approved and recorded
Observations
- Live MDM dashboard review showing fleet compliance, with the auditor choosing the sample devices
- Conditional access demonstrated — an unmanaged or non-compliant device actually denied access to sensitive systems
- Incidental observation during remote interviews: screen-lock behavior, VPN or ZTNA client presence, corporate asset tags
Practitioner Insights

The most common evidence gap I see: a well-written remote working policy with nothing behind it — no MDM posture report, no conditional access rule, no training module that mentions working from home. For every commitment in the policy, name the artifact that proves it: if the policy says devices are encrypted, the evidence is an encryption compliance report, not the sentence itself. Remote-first startups should flip the framing entirely — the home setup is not an exception to the office baseline, it is the baseline, and the documentation should read that way.

Auditors test this control by talking to remote employees, not by reading the policy: where do you work, who else can see your screen, what happens when you walk away from the laptop, what would you do if it were stolen. Divergence between those answers and the policy is the finding. The management-level failure I keep encountering is treating remote working as an IT configuration problem, when nobody has actually decided which classes of information may be handled outside controlled premises at all — that decision is the real control; the technology only enforces it.
Common Challenges & Solutions
Challenge
The policy bans personal devices, but half the company reads work email on personal phones anyway.
Solution
Align the rule with reality instead of pretending: define a BYOD tier that permits containerized email and documents on enrolled personal phones, and block unmanaged devices from everything else via conditional access. A rule that is technically enforced and slightly permissive beats a strict rule everyone violates.
Challenge
Home networks are invisible — you cannot audit or manage a hundred household routers.
Solution
Stop trying to manage them and treat every network as hostile: encrypt traffic end to end, authenticate per application with device posture checks, and keep the security on the endpoint. Issue a one-page home Wi-Fi checklist (default password changed, WPA2/WPA3 enabled) as guidance with self-attestation — not as an auditable control you cannot verify.
Challenge
Employees quietly work from other countries, and it surfaces only when something breaks.
Solution
Create a lightweight approval workflow for cross-border remote work and state clearly that unannounced relocation is a policy violation. Back it with geo-aware conditional access so sign-ins from unexpected countries alert rather than silently succeed. Keep a register of approvals with end dates.
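The geo-aware check and the approval register with end dates, worked through as an added example (not part of this guidance, and not a feature of any gateway product): successful sign-ins from outside the home country are matched against the register, and anything unapproved or past its end date becomes an alert rather than a silent success. The log line format, country values, users and register entries are constructed for illustration.

```python
"""Geo-aware sign-in triage against a cross-border approval register.
Added example, not a product feature: the log format and field names are
constructed for illustration; real gateways log differently."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Tuple

HOME_COUNTRIES = {"IN"}   # where routine work is expected (constructed value)


@dataclass(frozen=True)
class Approval:
    user: str
    country: str
    start: date
    end: date              # every approval carries an end date


# Constructed register of approved cross-border work
REGISTER = [
    Approval("priya", "AE", date(2024, 6, 1), date(2024, 6, 30)),
    Approval("rahul", "GB", date(2024, 4, 1), date(2024, 5, 31)),   # already expired
]

# Constructed gateway log lines (format assumed; not taken from any product)
LOG_LINES = [
    "2024-06-03T08:15:22Z user=priya country=AE result=success",
    "2024-06-03T09:02:10Z user=rahul country=GB result=success",
    "2024-06-03T09:30:45Z user=anita country=IN result=success",
    "2024-06-04T22:11:03Z user=anita country=US result=success",
    "2024-06-04T22:12:40Z user=anita country=US result=failure",
]


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split '<timestamp> key=value ...' into a datetime and a field dict."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields


def is_approved(user: str, country: str, day: date, register: List[Approval]) -> bool:
    """True only while an approval for this user and country is in its date window."""
    return any(a.user == user and a.country == country and a.start <= day <= a.end
               for a in register)


def classify(user: str, country: str, day: date, register: List[Approval]) -> str:
    if country in HOME_COUNTRIES:
        return "expected"
    if is_approved(user, country, day, register):
        return "approved"
    return "alert"


def triage(lines: List[str], register: List[Approval]) -> List[Tuple[str, str, str, str]]:
    """Return (user, country, date, verdict) for each successful sign-in from
    outside a home country; 'approved' entries are kept for the evidence trail."""
    findings = []
    for line in lines:
        when, f = parse_line(line)
        if f.get("result") != "success":
            continue   # failed attempts belong to the normal authentication alerting
        verdict = classify(f["user"], f["country"], when.date(), register)
        if verdict != "expected":
            findings.append((f["user"], f["country"], when.date().isoformat(), verdict))
    return findings


def alerts(lines: List[str], register: List[Approval]) -> List[Tuple[str, str, str, str]]:
    """Only the entries that need follow-up with the manager or HR."""
    return [f for f in triage(lines, register) if f[3] == "alert"]


if __name__ == "__main__":
    for user, country, day, verdict in triage(LOG_LINES, REGISTER):
        print(f"{day} {user:6} {country} {verdict}")
```

Two cases in the constructed data show why the end date matters: the sign-in from the UK is from a user who once held an approval, but it expired three days earlier, so it alerts like any other unexpected country; the one from the UAE falls inside its window and is recorded as approved without paging anyone.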
Challenge
There is no real control over the physical home environment — family members, shared spaces, visible screens.
Solution
Govern it through acknowledged rules and trained habits: automatic screen lock, no household use of corporate devices, privacy screens for public work, sensitive calls behind a closed door. Verify through periodic self-attestation and scenario-based questions in internal audits. Auditors accept behavioral controls here — what they do not accept is silence on the topic.
Challenge
Equipment recovery from remote leavers drags on for weeks, or quietly fails altogether.
Solution
Make recovery a named step in the leaver workflow with an owner, a deadline, and prepaid return shipping arranged before the last working day. Trigger remote wipe and access revocation on the exit date regardless of where the hardware is. Track unreturned assets in the register and escalate through HR — recovery discipline decays fast once exceptions become normal.