In 2020, the importance of digitization became more apparent than ever, especially for businesses. Even when an employee is home sick or unreachable, digital solutions and "the cloud" allow colleagues to still get the files they need. In addition, travel is currently discouraged, making collaboration across borders more difficult. A digital system keeps people connected so that communication continues smoothly, wherever and whenever. But all this digital remote working, telecommuting, working from home, home office ... is not without risks. In this article, we look at the importance of information security during telecommuting.
ISO/IEC 27001
ISO/IEC 27001 describes the requirements for an information security management system. Annex A of that standard lists 35 objectives and their associated measures, which together form the minimum requirement for certification. That table, however, gives no practical elaboration of the measures. For that, it is best to turn to ISO/IEC 27002: the code of practice for information security controls. In roughly a hundred pages, it explains the 114 measures under those objectives in detail. In this article, we take a closer look at one of those measures: 6.2.2 telework.
The standard requires an organization to have appropriate policies and security measures in place to protect information that is accessed, processed or stored while teleworking. Teleworking is defined as any form of work performed away from a desk, such as working from home, flexible working or working in a virtual environment.
A secure physical and virtual work environment
Access to the virtual work environment is also a concern. Remote access to the organization's internal systems must be secured so that only authorized individuals can handle the information in those systems. Family or friends who gain access to information, even unintentionally, are also considered information security threats. Devices and networks used for telecommuting must have adequate measures in place for firewalls, encryption and malware protection.
Your own laptop or one from work?
Measures should be in place to prevent (sensitive) information from being used and stored on private devices. Such devices are difficult for the organization to control, partly because of legislation on privacy and private property (e.g., the GDPR). The best option is to keep the information in an operational virtual environment, such as Phronesys'.
Furthermore, there are risks around infringement of proprietary rights and (software) licenses. For example, several software vendors, Microsoft Office among them, prohibit individuals from using their own personal version (e.g., Microsoft Office Home) for commercial purposes. This means that even while telecommuting, employees must use the commercially licensed version provided by the employer. That license is usually not installed on private devices.
ISO/IEC 27002 therefore prefers the option in which employers provide their employees with suitable devices for telecommuting and discourages the use of private devices. This way, the various information security requirements are easier to meet:
- Ensuring secure remote access
- Support and maintenance of hardware and software (licenses)
- Easier monitoring of security without invasion of privacy
Protocol and procedures
In addition to providing a device for telecommuting, it is also a good idea to have a protocol on data protection and information security during telework. This can include the following elements:
- a definition of the permitted work;
- working hours;
- the classification of data that may be processed;
- the internal systems and services to which the teleworker has access;
- guidelines on access to the device and information by housemates.
Finally, procedures are also needed to guarantee backups and business continuity during telework. Consider, for example, procedures for managing remote (access) rights and privileges when, during a period of telework, someone's (telework) activities end or someone changes positions. The return of equipment should also be covered.
So there is a lot involved when you want to keep your company information safe during telecommuting. Start the process with a risk analysis to identify and assess all risks. Depending on how much and what kind of information is handled during telework, the measures taken will be more or less stringent.
You are not alone
How does a digital tool like Phronesys help you with these tasks?
- Fly through your risk analyses using simple, ready-made flows;
- Manage all rights and privileges wherever and whenever you want;
- Easily track your processes digitally with associated goals and SMART KPIs;
- Thanks to automatically generated reports, free up a great deal of time for analysis and genuine continuous improvement;
- Always process your information with confidence in our 100% secure digital environment.