Though WFH and tele-working have become ubiquitous and most companies, by now, have settled on their Work-From-Home (WFH) and tele-working techniques, tactics and procedures (TTP), there is still some confusion amongst stakeholders about this new work environment norm. I decided to pen down this primer on the controls that are deemed necessary from an ISO 27001 (ISMS) perspective for tele-working and WFH. WFH and/or tele-working has significantly increased information security risk for organizations of all stripes and sizes. Information Security Management System (ISMS) controls, as suggested in ISO/IEC 27001, can be implemented to mitigate WFH/tele-working risk significantly.
First off, let us review what tele-working is. There are several definitions of tele-working out there. All of them seem to have two things in common: a) the employee is working from outside of the organization’s physical environment and b) the employee is using some kind of information and communication technology to stay connected to the office’s technology environment. Given these two common attributes, tele-working could refer to the following scenarios: a) employees are either working from home (referred to as WFH) or are working from any location other than home or office (e.g. a coffee shop), b) employees are using either a non-mobile desktop computer or a mobile device (e.g. a mobile phone, tablet or laptop computer) to connect to the corporate network and c) employees are using either a private network or a public network to connect.
Each of the above-mentioned scenarios has specific risks associated with it, and knowing the exact scenario will help in identifying the controls one needs to implement to control risk. Having said that, and generally speaking, the risks associated with tele-working could be enumerated as follows:
ISO 27001 controls for tele-working: ISO 27001 provides a framework of controls for controlling risk associated with tele-working in its Annex A (detailed in ISO 27002). It provides best practices to control the various risks associated with tele-working. The primary relevant controls are A.6.2.1 (Mobile device policy) and A.6.2.2 (Tele-working policy). The primary document encapsulating these controls is the Mobile device and tele-working policy. Through this policy, the organization can set the rules for implementing the controls necessary to protect information that is accessed, stored and/or processed while tele-working. The policy can help define:
In addition to the above policies, implementing security awareness, education and training within the workforce about the specific risks and controls associated with tele-working, as per ISO 27001 (A.7.2.2), will go a long way in educating the workforce about the perils associated with tele-work. Such a training programme may specifically include instruction on how to take precautions when opening emails and/or how to set strong passwords. Such programmes should also specify the disciplinary action for willful negligence on the tele-working employee’s part.
In the current Covid world that we live in, and even in the post-Covid world, it is a general belief that WFH and tele-working are here to stay. Companies can safely adapt to the new norm by adopting the standard controls laid out in ISO 27001 to keep their information and related assets secure. The framework’s robust set of controls addresses all aspects and dimensions of a WFH and/or tele-working setup.