How to write an ISO 27001 remote access policy

Remote access is the future of business. Despite travel restrictions easing amid the pandemic, employees continue to work from home in their droves.

According to a Gartner survey, 47% of organisations are giving their employees the option of working remotely full-time, and 82% said employees can work from home at least one day a week.

But as organisations embrace remote working, they must also understand the security risks that come with it. They can help manage those issues with ISO 27001, the international standard that describes best practice for an ISMS (information security management system).

ISO 27002, the code of practice for ISO 27001, contains guidance on creating a remote access policy, which ensures that the risks associated with home working are identified and addressed.

Why you need a remote access policy

The shift towards remote working has been made possible due to technological advancements in the way we access information and systems, and how we interact with teammates.

Organisations have learned that tools such as video conferencing, Cloud services and online content management systems are effective and affordable. Moreover, those tools give employees the opportunity to work more flexibly and avoid the inconveniences that come with travelling to the office.

Employees have therefore come to expect that their employer will give them the option to work from home on either a part-time or full-time basis. If organisations aren’t already giving staff this choice, they could struggle to keep skilled employees or attract new ones.

However, if organisations are to provide remote working options, they must take appropriate steps to ensure their information is safe and secure.

Without the security protections that office systems afford – such as firewalls and blacklisted IP addresses – remote workers are far more vulnerable to cyber attacks.

The most obvious risks involve online activities. Cloud documents, email attachments and third-party services all pose risks, and with so much information being shared digitally, organisations’ attack surfaces have grown much wider.

A remote access policy can mitigate those risks, helping employees understand their responsibilities when working from home and establishing the organisation’s security needs for remote access.

The policy can establish processes for:

  • Authorising employees who are permitted to work remotely;
  • Providing and supporting end-user devices;
  • Identifying the types of information and services that can be accessed remotely; and
  • Accessing information and services securely.

What should be included in a remote access policy

The purpose of the remote access policy is to state the rules for employees accessing the organisation’s network and sensitive information.

To be effective, the policy must cover everything related to network access for remote workers. This will differ depending on the nature of each organisation, but there are certain things that you should always consider.

For example, organisations should commit to two-factor authentication wherever possible. This adds an extra layer of security to the login process – such as by asking employees to enter a one-time password that’s sent to their email address or an app on their phone.

Doing this mitigates the damage that could occur if an employee’s login credentials are compromised.

Likewise, the policy should outline connection procedures, which may involve the use of VPNs, as well as requirements for password management.

Employees should be reminded that passwords must be kept secure and that they should refrain from writing their credentials down.

A remote access policy should also outline who in the organisation is permitted to assign remote access to employees and under what circumstances.

This process will involve defining acceptable use guidelines that ensure that employees do not participate in activities that could compromise the network or their device.

Challenges of remote access

Although there are many benefits of remote working, there are some circumstances where it is simply not possible.

For example, organisations that process highly sensitive data may decide that it is too risky to allow remote employees to handle it.

This is most likely to be the case for organisations that handle medical data or government records, or where remote working would introduce the risk of insider trading.

You can determine whether the risks of remote access outweigh the benefits by conducting a risk assessment. That process might also highlight specific roles that would pose a security risk if performed remotely.

This could be the case for employees who regularly handle sensitive information and systems, and for new starters.

In these circumstances, it is acceptable to specify in your remote access policy that certain employees must be office-based, or that employees must complete a probation period working in the office before they can be offered remote work options.

ISO 27001 remote access policy template

You can find more tips on what to include in your remote access policy with our free template.

Developed by information security and data privacy experts, the Remote Working Policy Template Kit will help you establish a culture of secure home working.

You’ll receive five templates covering remote worker security and BYOD (bring your own device) procedures, providing everything you need to quickly create and implement your own secure remote working policies.
