
A.6.7 — Remote Working

Reading time: 5 min · Reviewed by: Cenedril Editorial
Tags: A.6.7 · ISO 27001 · ISO 27002 · BSI OPS.1.2.4 · BSI INF.8 · BSI INF.9

A product manager joins a video call from a cafe, sharing their screen with the quarterly revenue forecast visible in the background. Their laptop connects through the cafe’s open Wi-Fi. A browser notification pops up with a customer’s name and support ticket. Someone at the next table photographs the screen. A.6.7 exists because remote work multiplies the attack surface — and most of the risk comes from the environment, not the technology.

The control requires organizations to implement security measures that protect information when personnel work outside the organization’s physical premises. This includes home offices, co-working spaces, hotels, airports and any other location where organizational data is accessed or processed.

What does the standard require?

The core requirements cover five domains:

  • Remote-working policy. The organization must define clear rules for remote working, covering approved locations, acceptable activities, security requirements and the employee’s responsibilities.
  • Physical security of the remote site. The workspace must provide adequate protection against unauthorized viewing, listening and physical access to devices and documents.
  • Secure communication. Connections to organizational systems must be encrypted and authenticated. Public Wi-Fi without a VPN or equivalent protection is unacceptable for accessing sensitive systems.
  • Device security. Devices used for remote work must meet the organization’s security baseline — encryption, up-to-date patching, endpoint protection, screen lock and (where applicable) mobile-device management.
  • Awareness and training. Remote workers must receive specific guidance on the risks of their work environment and the measures they are expected to follow.

In practice

Write a remote-working policy. The policy should cover: approved locations, VPN and network requirements, device-security baseline, physical-security expectations, rules for video calls and screen sharing, printing restrictions and the handling of paper documents off-site (link to Remote Working and BYOD Policy in the Starter Kit).

Provide secure equipment. Issue pre-configured laptops with full-disk encryption, mandatory VPN, endpoint detection and response (EDR) and auto-lock after inactivity. If BYOD is permitted, enforce minimum requirements through MDM or containerization.

Issue a home-office self-assessment. Ask each remote worker to complete a checklist: lockable room, separate work area, secure Wi-Fi (WPA3, or WPA2 with a strong passphrase), no shared computers, privacy screen if working in shared spaces. Have the employee sign and date the completed form and store it as audit evidence; the date also feeds the 12-month freshness KPI below.

Control printing and paper. Define rules for printing confidential documents at home. Ideally, prohibit it. If printing is necessary, require a cross-cut shredder and documented disposal.

Typical audit evidence

Auditors typically expect the following evidence for A.6.7:

  • Remote-working policy — the approved policy document (link to Remote Working and BYOD Policy in the Starter Kit)
  • Policy acknowledgements — signed confirmations from remote workers
  • Home-office self-assessments — completed checklists from employees
  • Device configuration standards — documentation of the security baseline for remote devices
  • VPN logs — evidence that remote connections use encrypted channels
  • MDM/EDR deployment records — proof that endpoints are managed and monitored

KPI

% of remote workers with verified compliance with the remote-working security policy

Measured as a percentage: how many remote workers have (1) acknowledged the policy, (2) completed a self-assessment and (3) are using a compliant device? Target: 100%. Organizations typically start at 40–60% due to legacy devices and missing self-assessments.

Supplementary KPIs:

  • % of remote devices with full-disk encryption enabled
  • % of remote connections routed through VPN or ZTNA
  • Number of remote-working policy violations reported per quarter
  • % of home-office self-assessments completed in the last 12 months
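The primary KPI and two of the supplementary KPIs can be computed directly from the evidence the audit section lists: the policy-acknowledgement register, the self-assessment register and an MDM/EDR device export. The script below is an added example, not part of the original page or of any tool it names. Its three inputs are constructed sample records; the field names and the 10-minute screen-lock and 30-day patch thresholds are assumptions, since the page names the baseline controls but not the numbers. It also makes explicit two decisions the text leaves implicit: a worker with no device in the MDM export is non-compliant (absence of evidence is not compliance), and a worker with one compliant laptop and one legacy laptop below baseline is non-compliant.

```python
"""A.6.7 remote-working compliance KPI computed from three evidence exports.

Added example, not from the original page. All records below are constructed
sample data; field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Freshness window for the home-office self-assessment (page KPI: last 12 months).
SELF_ASSESSMENT_MAX_AGE = timedelta(days=365)
# Device-baseline thresholds (assumed values).
MAX_SCREEN_LOCK_MINUTES = 10
MAX_PATCH_AGE_DAYS = 30


@dataclass(frozen=True)
class Device:
    """One row of a constructed MDM/EDR export (field names are assumptions)."""
    owner: str
    disk_encrypted: bool
    edr_installed: bool
    screen_lock_minutes: Optional[int]  # None = auto-lock not configured
    patch_age_days: int                 # days since the last OS patch was applied


def device_compliant(d: Device) -> bool:
    """Baseline named on the page: encryption, patching, EDR, screen lock."""
    return (
        d.disk_encrypted
        and d.edr_installed
        and d.screen_lock_minutes is not None
        and d.screen_lock_minutes <= MAX_SCREEN_LOCK_MINUTES
        and d.patch_age_days <= MAX_PATCH_AGE_DAYS
    )


def worker_gaps(worker: str, acks: Dict[str, date], assessments: Dict[str, date],
                devices: List[Device], as_of: date) -> List[str]:
    """Reasons a worker fails the KPI; an empty list means compliant.

    No managed device in the export counts as a gap: an auditor reads missing
    evidence as missing control, so the KPI does the same.
    """
    gaps = []
    if worker not in acks:
        gaps.append("policy not acknowledged")
    done = assessments.get(worker)
    if done is None:
        gaps.append("no self-assessment")
    elif as_of - done > SELF_ASSESSMENT_MAX_AGE:
        gaps.append(f"self-assessment stale ({done.isoformat()})")
    owned = [d for d in devices if d.owner == worker]
    if not owned:
        gaps.append("no managed device in MDM")
    elif not all(device_compliant(d) for d in owned):
        gaps.append("device(s) below baseline")  # one legacy device fails the worker
    return gaps


def compliance_kpi(workers, acks, assessments, devices, as_of):
    """Primary KPI: % of remote workers meeting all three conditions, plus per-worker gaps."""
    report = {w: worker_gaps(w, acks, assessments, devices, as_of) for w in workers}
    compliant = sum(1 for gaps in report.values() if not gaps)
    pct = round(100 * compliant / len(workers), 1) if workers else 0.0
    return pct, report


def supplementary_kpis(workers, assessments, devices, as_of):
    """Two supplementary KPIs from the page: FDE coverage and self-assessment freshness."""
    fde_pct = round(100 * sum(d.disk_encrypted for d in devices) / len(devices), 1) if devices else 0.0
    fresh = sum(1 for w in workers
                if w in assessments and as_of - assessments[w] <= SELF_ASSESSMENT_MAX_AGE)
    sa_pct = round(100 * fresh / len(workers), 1) if workers else 0.0
    return {"fde_pct": fde_pct, "self_assessment_fresh_pct": sa_pct}


# --- constructed sample data (not real records) ---
AS_OF = date(2025, 3, 31)
WORKERS = ["alice", "bob", "carol", "dave", "erin"]
ACKS = {"alice": date(2025, 1, 8), "bob": date(2025, 1, 9),
        "carol": date(2025, 1, 9), "dave": date(2025, 2, 1)}          # erin never signed
ASSESSMENTS = {"alice": date(2025, 2, 14), "bob": date(2023, 11, 2),  # bob's is stale
               "carol": date(2025, 1, 20), "dave": date(2025, 3, 3), "erin": date(2025, 3, 10)}
DEVICES = [
    Device("alice", True, True, 5, 12),
    Device("bob", True, True, 5, 8),
    Device("carol", True, True, 5, 10),
    Device("carol", False, True, 15, 90),  # legacy second laptop drags carol down
    Device("erin", True, True, 5, 3),
    # dave has no device in the MDM export at all
]

if __name__ == "__main__":
    pct, report = compliance_kpi(WORKERS, ACKS, ASSESSMENTS, DEVICES, AS_OF)
    print(f"A.6.7 compliance KPI: {pct}% (target 100%)")
    for worker, gaps in report.items():
        print(f"  {worker}: {'compliant' if not gaps else '; '.join(gaps)}")
    print(supplementary_kpis(WORKERS, ASSESSMENTS, DEVICES, AS_OF))
```

Run as a script it lists, per worker, exactly which of the three conditions is missing, which is the remediation list the control owner needs; the per-worker gap report, dated with `AS_OF`, is itself usable as audit evidence for the KPI figure.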

BSI IT-Grundschutz

A.6.7 maps to several BSI modules:

  • OPS.1.2.4 (Telecommuting) — the primary module. Covers the organizational and technical requirements for remote work, including policy, risk assessment, device security and communication encryption.
  • INF.8 (Home workplace) — defines physical security requirements for a dedicated home office: lockable room, secure storage, separated network if possible.
  • INF.9 (Mobile workplace) — addresses security at ad-hoc locations: cafes, trains, client premises. Focuses on visual privacy, device security and secure communication.
  • NET.3.3 (VPN) — technical requirements for VPN connections used by remote workers.
  • CON.7.A7 (Security during business trips) — extends to travel scenarios with specific guidance on hotel Wi-Fi, border-crossing device searches and data minimization.

A.6.7 connects to physical, technological and organizational controls, in particular A.7.9 (Security of assets off-premises), A.8.1 (User endpoint devices) and A.5.15 (Access control).

Frequently asked questions

Does A.6.7 apply to occasional work from home or only to permanent remote workers?

It applies to all remote working scenarios — permanent telecommuting, occasional home office, working from hotels or co-working spaces, and remote maintenance by IT staff. The depth of controls should be proportional to the frequency and sensitivity of the work.

Do I need to inspect employees' home offices?

The standard does not mandate physical inspections. It requires that the physical security of the remote location is adequate. Many organizations use a self-assessment checklist that the employee completes and signs, combined with clear guidelines on what constitutes an acceptable workspace.

What about BYOD (bring your own device)?

BYOD introduces additional risks because the organization does not fully control the device. If you allow BYOD, your remote-working policy should address minimum security requirements (encryption, OS updates, antivirus), containerization or MDM solutions, and the right to remote-wipe organizational data.

Is a VPN mandatory?

The standard does not prescribe specific technologies. A VPN is one of the most common solutions for securing remote connections to internal systems. Alternatives include zero-trust network access (ZTNA) solutions. The key requirement is that the connection is encrypted and authenticated.