ISO 27001 Control 6.7: Remote Working

A single compromised home router can give an attacker the same network access as a corporate workstation. When organizations treat remote working as a perk rather than a threat surface, they inherit every vulnerability their employees bring home with them. ISO 27001 Control 6.7 exists because the perimeter moved to the kitchen table, and most security programs haven’t caught up.

What 6.7 requires

ISO 27001 Control 6.7, Remote Working, requires organizations to define, enforce, and monitor security measures that protect information accessed, processed, or stored outside their physical premises. This includes any teleworking arrangement, whether employees work from home, a co-working space, a hotel, or any location beyond the organization’s direct control. The control sits within Annex A Domain 6 (People Controls), recognizing that remote working risk is fundamentally a human risk that demands both policy and technical enforcement.

The core obligation is building a formal remote working policy backed by measurable technical controls. You need to specify which activities are permitted remotely, what equipment and network configurations are acceptable, and how sensitive information must be handled outside the office. The policy must address both organization-owned and personal devices, covering encryption requirements, access controls, and acceptable use boundaries. It should also define minimum standards for the physical workspace, including screen privacy, document handling, and secure storage requirements.

Beyond policy, 6.7 demands operational enforcement. Organizations must implement technical safeguards for remote access, establish physical security expectations for home workspaces, and maintain monitoring capabilities that extend to remote endpoints. The control also requires clear procedures for provisioning and revoking remote access, ensuring that permissions reflect current employment status and role assignments. Evidence of implementation, training, and periodic review must be documented and audit-ready. Auditors will look for a closed loop from policy definition through to technical enforcement, employee acknowledgment, and ongoing compliance monitoring.

Why 6.7 matters

An attacker discovers that a remote employee’s home router still runs factory firmware with default administrative credentials. After gaining access to the router, the attacker intercepts DNS queries, redirects the employee to a credential-harvesting page mimicking the corporate VPN portal, and captures their login credentials. Because the organization hasn’t enforced Multi-Factor Authentication (MFA) on its remote access gateway, the attacker authenticates directly into the corporate network. From there, lateral movement leads to a file share containing unencrypted customer records. The entire attack chain cost the adversary nothing more than time and a publicly available exploit kit.

This kind of attack doesn’t require sophisticated tooling or a nation-state budget. It exploits the gap between corporate security controls and the unmanaged environments where remote employees actually work. Home networks, personal devices, and shared Wi-Fi at coffee shops and airports all sit outside your security team’s direct control, yet they handle the same sensitive data as hardened office infrastructure. The risk isn’t theoretical. It follows a well-documented pattern in adversary tradecraft, where attackers target the weakest link in the access chain rather than attacking fortified corporate infrastructure directly.

The risk compounds at scale. When 92% of remote workers report using personal tablets or smartphones for work tasks, with 46% saving work files onto those devices (Lookout), the potential exposure surface multiplies with every employee who works outside the office. Without the controls 6.7 prescribes, you’re trusting that hundreds or thousands of unmanaged environments meet your security baseline. That trust is rarely justified, and the consequences of misplaced trust can range from regulatory penalties to full-scale data breaches.

What attackers exploit

  • Unsecured home Wi-Fi: Default router passwords, outdated firmware, and the absence of WPA3 encryption leave home networks vulnerable to interception and man-in-the-middle attacks.
  • Unencrypted laptops: Devices lost or stolen from vehicles, hotels, and co-working spaces expose sensitive data when full-disk encryption isn’t enforced.
  • Shadow IT and unauthorized SaaS tools: Employees adopt unsanctioned applications to fill workflow gaps, creating data flows that bypass security monitoring entirely.
  • Missing or weak MFA: Remote access gateways, VPNs, and cloud applications protected only by passwords are trivially compromised through credential stuffing and phishing.
  • No EDR on BYOD devices: Bring Your Own Device (BYOD) endpoints without Endpoint Detection and Response (EDR) agents operate as blind spots in your security monitoring.
  • Shoulder surfing in public spaces: Visual eavesdropping in airports, cafes, and co-working spaces exposes credentials, sensitive documents, and confidential communications.
  • Stale remote access permissions: Terminated or transferred employees retain active credentials, providing an unmonitored pathway into corporate systems long after they should have been revoked.
  • No remote-specific incident reporting: Without clear procedures for reporting incidents from remote locations, breach detection timelines stretch from hours to weeks. Employees unsure of how to report a suspected compromise from home may delay or skip reporting altogether.

How to implement 6.7

For your organization (first-party)

1. Draft a remote working policy. Define which roles, activities, and data classifications are approved for remote work. Specify acceptable environments, required equipment configurations, and prohibited actions such as using public Wi-Fi without a VPN. The policy should reference your organization’s information classification scheme and map remote working permissions to data sensitivity levels. Include expectations for home network security, such as requiring router firmware updates and disabling Universal Plug and Play (UPnP). Have employees formally acknowledge the policy, and schedule reviews at least annually or whenever your remote working model changes significantly.

2. Enforce technical controls. Deploy a Zero Trust Network Access (ZTNA) solution or VPN with MFA enforced on every connection. Require full-disk encryption (BitLocker, FileVault) on all remote endpoints. Enroll devices in a Mobile Device Management (MDM) platform such as Microsoft Intune, Jamf, or VMware Workspace ONE to enforce security baselines, push patches, and enable remote wipe capabilities. For BYOD scenarios, implement application containerization to separate corporate data from personal use. Configure Data Loss Prevention (DLP) rules to prevent sensitive information from being copied to unauthorized locations, personal cloud storage, or unmanaged applications.

3. Address physical security. Require employees to acknowledge physical security expectations for their workspace, including locking screens when stepping away, securing printed documents, and avoiding work in environments where screens are visible to unauthorized individuals. Provide privacy screens for employees who regularly work from public locations. The policy should address clean desk requirements for home offices, secure disposal of printed materials, and restrictions on voice calls involving sensitive data in shared or public spaces.

4. Establish monitoring and audit capabilities. Deploy EDR agents on all remote endpoints to maintain visibility into threats regardless of network location. Conduct quarterly access reviews using a formal User Access Review (UAR) process to verify that remote access permissions match current roles and employment status. Log and monitor remote session activity for anomalous behavior such as unusual login times, geographic impossibilities, or bulk data transfers. Implement Conditional Access policies that evaluate device compliance, location, and risk score before granting access to corporate resources.

5. Train remote workers. Deliver targeted security awareness training that addresses remote-specific risks, including how to secure home networks, recognize phishing attempts targeting remote access credentials, and report security incidents when working outside the office. Training should go beyond annual compliance exercises to include contextual guidance when risky behavior occurs. Cover topics like recognizing rogue Wi-Fi access points, proper handling of sensitive data on personal devices, and the risks of sharing workspaces with family members or roommates.

6. Document evidence. Maintain records of policy acknowledgments, device enrollment confirmations, access provisioning and revocation logs, training completion records, and access review outcomes. Auditors will expect to trace the full lifecycle from policy creation through enforcement and monitoring. Keep evidence organized by control area so it can be produced quickly during certification or surveillance audits.
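Steps 2, 4 and 6 describe one closed loop: grant remote access by role, review it quarterly, and keep the outcome as audit evidence. The script below is an added illustration of that quarterly User Access Review, not code from this page or from UpGuard. The HR roster, the gateway export, the group names, the login timestamps and the review date are all constructed sample data, and the 90-day dormancy threshold is an assumption; a real review would pull these from the HR system and the identity provider.

```python
"""Quarterly User Access Review (UAR) for remote access: reconcile who holds
remote access against HR status and role, MFA enrollment and recent use.
All data below is constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed HR roster: employee id -> employment status and role.
HR_ROSTER = {
    "u1001": {"status": "active", "role": "engineering"},
    "u1002": {"status": "terminated", "role": "sales"},
    "u1003": {"status": "active", "role": "finance"},
    "u1004": {"status": "active", "role": "engineering"},
}

# Constructed export from the VPN/ZTNA gateway or identity provider:
# who holds remote access, through which role group, and whether MFA is enrolled.
REMOTE_ACCESS = [
    {"user": "u1001", "group": "vpn-engineering", "mfa_enrolled": True},
    {"user": "u1002", "group": "vpn-sales", "mfa_enrolled": True},
    {"user": "u1003", "group": "vpn-engineering", "mfa_enrolled": False},
    {"user": "u1004", "group": "vpn-engineering", "mfa_enrolled": True},
]

# Constructed last successful remote login per user (ISO 8601, UTC).
# u1004 is deliberately absent: access was granted but never used.
LAST_LOGIN = {
    "u1001": "2024-03-28T08:15:00+00:00",
    "u1002": "2024-01-05T17:40:00+00:00",
    "u1003": "2023-11-02T09:00:00+00:00",
}

# Assumed mapping from access group to the HR role that justifies it.
GROUP_TO_ROLE = {
    "vpn-engineering": "engineering",
    "vpn-sales": "sales",
    "vpn-finance": "finance",
}

DORMANT_AFTER = timedelta(days=90)          # assumed review threshold
REVIEW_DATE = datetime(2024, 4, 1, tzinfo=timezone.utc)  # constructed


def review_remote_access(roster, grants, last_login, now, group_to_role=GROUP_TO_ROLE):
    """Return a list of (user, finding, detail) tuples. Each finding names the
    remediation the reviewer should record: revoke, fix role, enforce MFA, or
    confirm the access is still needed."""
    findings = []
    for grant in grants:
        uid = grant["user"]
        person = roster.get(uid)
        # Control 6.5 / 6.7: anyone not currently employed must lose access first.
        if person is None or person["status"] != "active":
            findings.append((uid, "revoke", "holder is terminated or unknown to HR"))
            continue
        # Least privilege: the group that grants access must match the HR role.
        expected_role = group_to_role.get(grant["group"])
        if expected_role != person["role"]:
            findings.append((uid, "role_mismatch",
                             f"group {grant['group']} does not match role {person['role']}"))
        # Control 8.5: remote access without MFA is a finding on its own.
        if not grant["mfa_enrolled"]:
            findings.append((uid, "no_mfa", "remote access granted without MFA enrollment"))
        # Dormant grants are candidates for removal; never-used ones especially.
        seen = last_login.get(uid)
        if seen is None or now - datetime.fromisoformat(seen) > DORMANT_AFTER:
            findings.append((uid, "dormant", f"no remote login within {DORMANT_AFTER.days} days"))
    return findings


def summarize_findings(findings):
    """Count findings per type; this is the figure that goes into the audit record."""
    counts = {}
    for _, finding, _ in findings:
        counts[finding] = counts.get(finding, 0) + 1
    return counts


def run_review():
    """Run the review over the constructed data set for the constructed review date."""
    return review_remote_access(HR_ROSTER, REMOTE_ACCESS, LAST_LOGIN, REVIEW_DATE)


if __name__ == "__main__":
    results = run_review()
    for uid, finding, detail in results:
        print(f"{REVIEW_DATE.date()} {uid:6} {finding:14} {detail}")
    print("summary:", summarize_findings(results))
```

The ordering of checks matters: a terminated holder is reported once for revocation and skipped for everything else, because no other finding is relevant once the grant is removed. The summary dictionary is what you would file as the review outcome together with the per-user remediation lines, which is exactly the "access review outcomes and remediation actions" an auditor will ask for.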

Common mistakes:

  • Policy exists on paper but no technical controls enforce it
  • BYOD is permitted without containerization or MDM enrollment
  • Remote access credentials remain active after employees leave the organization
  • Remote work is treated as a temporary exception rather than a permanent operating model
  • Remote-specific incident response procedures are never tested or exercised through tabletop simulations

For your vendors (third-party assessment)

When assessing vendor compliance with 6.7, your questionnaire should probe beyond policy existence into operational enforcement. Vendors who handle your sensitive data from remote locations extend your risk surface, and their remote working controls become your concern.

Key questions to ask:

  • Does your organization maintain a documented remote working policy? When was it last reviewed?
  • What technical controls do you enforce for remote access (VPN/ZTNA, MFA, encryption, MDM)?
  • How do you handle BYOD scenarios? Is corporate data containerized on personal devices?
  • What is your process for revoking remote access when an employee is terminated or changes roles?
  • Do you monitor remote endpoint security posture? What EDR or Extended Detection and Response (XDR) solution is deployed?
  • How do you train employees on remote-specific security risks, and how frequently?

Evidence to request:

  • Remote working policy document with revision history and approval records
  • MDM enrollment statistics and compliance dashboard screenshots
  • Remote access provisioning and de-provisioning logs from the past 6 months
  • Training completion rates for remote security awareness modules
  • Sample access review reports from the past 12 months
  • Incident response playbook sections specific to remote working scenarios

Red flags in vendor responses:

  • “We trust our employees to follow security best practices” without any technical enforcement mechanism
  • No distinction between office-based and remote security controls
  • Inability to provide de-provisioning logs or access review evidence
  • Remote working policy that hasn’t been updated since before 2020
  • No MDM or endpoint management for remote devices
  • Vague answers about BYOD controls or MFA enforcement

Verification beyond self-attestation: Request live demonstrations of MDM dashboards showing enrolled devices and compliance rates. Ask for sample access revocation logs with timestamps to confirm that offboarding procedures actually execute, not just that they’re documented. Cross-reference their stated MFA requirements against their remote access architecture documentation to identify gaps between policy claims and technical reality. If the vendor undergoes SOC 2 audits, review the relevant Trust Services Criteria for evidence that remote access controls are independently tested and validated. For vendors handling high-sensitivity data, consider requesting penetration test results that specifically include remote access pathways in scope.

Audit evidence for 6.7

Evidence type | Example artifact
Policy documentation | Remote working policy with version control, CISO or board approval signature, and annual review dates
Technical enforcement | MDM compliance dashboard showing device enrollment rates and security baseline adherence
Access management | Remote access provisioning and de-provisioning logs with timestamps and approver records
Encryption verification | Full-disk encryption status reports from MDM or endpoint management platform across all remote devices
MFA configuration | Remote access gateway configuration showing enforced MFA for all connection types
Training records | Completion certificates and attendance logs for remote security awareness training by quarter
Access reviews | Quarterly User Access Review reports showing remote permission validation outcomes and remediation actions
Incident response | Remote-specific incident response playbook with records of tabletop exercises conducted in the past 12 months

Cross-framework mapping

Framework | Equivalent control(s) | Coverage
NIST 800-53 | AC-17 (Remote Access) | Full
NIST 800-53 | PE-17 (Alternate Work Site) | Full
SOC 2 | CC6.1 (Logical and Physical Access Controls) | Partial
SOC 2 | CC6.6 (Security Measures Against Threats Outside System Boundaries) | Full
CIS Controls v8.1 | Control 6 (Access Control Management) | Partial
CIS Controls v8.1 | Control 12 (Network Infrastructure Management) | Partial
NIST CSF 2.0 | PR.AA (Identity Management, Authentication, and Access Control) | Partial
DORA | Article 9 (ICT Security Policies and Procedures) | Partial

Related ISO 27001 controls

Control ID | Control name | Relationship
6.1 | Screening | Pre-employment checks reduce risk of granting remote access to unvetted individuals
6.2 | Terms and conditions of employment | Employment agreements should include remote working security obligations
6.3 | Information security awareness, education, and training | Remote-specific training supports 6.7 implementation
6.5 | Responsibilities after termination or change of employment | Ensures remote access is revoked when roles change
7.9 | Security of assets off-premises | Extends physical asset protection to remote working locations
8.1 | User endpoint devices | Defines security requirements for devices used in remote environments
8.5 | Secure authentication | MFA and authentication controls underpin secure remote access
8.20 | Networks security | Network controls that protect remote connections to corporate resources
8.24 | Use of cryptography | Encryption requirements for data in transit and at rest on remote devices

Frequently asked questions

What is ISO 27001 6.7?

ISO 27001 Control 6.7, Remote Working, requires organizations to implement security measures that protect information accessed, processed, or stored at locations outside their physical premises. It mandates a formal remote working policy backed by technical controls such as VPN or ZTNA, MFA, device encryption, and endpoint management. The control applies to all teleworking arrangements, including work from home, co-working spaces, and travel. It falls within Annex A Domain 6 (People Controls) and is assessed during both initial certification and surveillance audits.

What happens if 6.7 is not implemented?

Without 6.7 controls, organizations expose sensitive data to risks inherent in unmanaged environments, from compromised home networks to lost or stolen devices without encryption. Auditors will flag the gap as a nonconformity during ISO 27001 certification or surveillance audits, potentially blocking certification until remediated. The operational consequence is that every remote worker becomes an unmonitored entry point into your corporate network, and you lose the ability to demonstrate due diligence to regulators, customers, and insurance underwriters.

How do you audit 6.7?

Auditing 6.7 starts with reviewing the remote working policy for completeness, appropriate approval, and regular revision cycles. Auditors then verify technical enforcement by examining MDM enrollment rates, VPN or ZTNA configurations, MFA enforcement logs, and encryption status across remote endpoints. They will also sample access provisioning and revocation records, review training completion rates, and assess whether remote-specific incident response procedures have been tested through exercises such as tabletop simulations.

How UpGuard helps

Remote workers introduce risk that traditional perimeter-based tools can’t see. Shadow SaaS applications, compromised credentials from third-party breaches, and unauthorized AI tools all bypass conventional security controls the moment employees step outside the corporate network.

User Risk discovers the hidden workforce risks that 6.7 is designed to address. It identifies Shadow AI and unsanctioned SaaS usage across your remote workforce through browser-level visibility, monitors for compromised credentials exposed in third-party breaches, and delivers real-time, in-workflow coaching that teaches remote workers secure habits at the exact moment a risky action occurs. Rather than relying on periodic training that employees forget within days, User Risk provides continuous governance that scales with your remote workforce.

Start a free trial to experience the UpGuard cybersecurity platform.