Why remote work needs its own security policy
A generic information security policy doesn't cover the specific threats of remote work: unsecured home networks, personal devices, physical eavesdropping, shared households, and the extended perimeter that comes with a distributed team.
ISO 27001 addresses this explicitly with control A.6.7 (Teleworking), which requires security measures for teleworking activities to be implemented and communicated. SOC 2 auditors expect to see documented network security controls (CC6.6) and evidence that transmission is restricted to authorised channels (CC6.7). GDPR Art. 32 requires appropriate technical and organisational measures for all processing of personal data — including processing that happens on a kitchen table in Estonia.
Compliance requirements for remote work security
| Framework | Control | Remote Work Relevance |
|---|---|---|
| ISO 27001 | A.6.7 — Teleworking | Requires documented security measures covering physical access, network security, unauthorised access prevention, and information handling for teleworkers |
| ISO 27001 | A.8.1 — User Endpoint Devices | Information on endpoint devices (including remote work laptops) must be protected against loss, damage, theft, and compromise |
| SOC 2 | CC6.6 — Network Protections | Network and communication channels protected from unauthorised access — VPN and network security controls are primary evidence |
| SOC 2 | CC6.7 — Restricted Transmission | Transmission restricted to authorised channels — data must not flow through personal email, personal cloud, or unapproved channels |
| GDPR / UK GDPR | Art. 32 — TOMs | Appropriate technical and organisational measures apply wherever personal data is processed — including home offices |
| NIS2 | Art. 21(2)(a) / (g) | Security policies covering teleworking; security awareness for remote workers |
| HIPAA | §164.310 / §164.312 | Physical and technical safeguards apply to remote locations where ePHI is accessed |
| PCI DSS v4.0 | Req 8.4.3 — Remote Access MFA | MFA required for all remote network access to the CDE regardless of location |
Device policy: the foundational decision
The first question is: what devices are employees allowed to use for remote work? Your answer shapes every other control.
| Approach | Security Posture | Cost | Use When |
|---|---|---|---|
| Company devices only | Highest — full control over configuration and enforcement | Highest | Handling sensitive data (ePHI, PCI CHD, enterprise customer data) |
| BYOD with MDM enrollment | High — corporate profile separated from personal | Medium | Startup/scale-up wanting flexibility with reasonable security |
| BYOD with security requirements (no MDM) | Medium — reliant on self-certification | Low | Early stage; roles with low data sensitivity |
| Corporate Owned, Personally Enabled (COPE) | High — company owns and configures device | High | When you want full control but allow personal use |
GDPR note on BYOD: before enrolling a personal device in MDM, you must disclose what is monitored (work profile only), what can be remotely wiped (work profile data only, not personal data), and the legal basis (legitimate interest for security). Disclose this at enrollment, not buried in a policy document employees signed in week one.
Mandatory device security controls
Regardless of the device policy, these controls are required for any device accessing company systems:
- Full disk encryption: BitLocker (Windows), FileVault (macOS). Without this, a stolen laptop = data breach. Many GDPR supervisory authorities expect encryption as a baseline TOM; its presence is an Art. 34(3)(a) safe harbour factor for breach notification.
- Screen lock on inactivity: 5 minutes maximum. Configure via MDM where possible to prevent manual bypass. Lock when leaving the desk for any reason.
- EDR / antivirus: Endpoint Detection and Response tool (CrowdStrike, SentinelOne, Microsoft Defender) actively monitoring for malicious activity — not just reactive antivirus scanning.
- OS and software updates within 14 days: The majority of exploited vulnerabilities have patches available. Update delays are the primary driver of ransomware success.
- No local admin rights: Standard users should not have local administrator rights. Admin rights are the difference between a compromised account and a compromised machine.
- Password manager on all devices: Enforces unique passwords per service, eliminates reuse, and makes phishing less damaging when credentials are unique.
Network security: VPN vs Zero Trust
The traditional approach: VPN to tunnel all traffic through the corporate network, where controls (firewall, IDS, DLP) apply.
The modern approach: Zero Trust Network Access (ZTNA) — verify identity and device posture for every request, regardless of network. Rather than "trust everything on the corporate network," ZTNA applies: never trust, always verify.
| Approach | How it works | Suitable for | Key vendors |
|---|---|---|---|
| Traditional VPN | Encrypted tunnel to corporate network; all traffic routed through VPN gateway | Established teams; on-premises systems still relevant | Cisco, Palo Alto, OpenVPN, WireGuard |
| Cloud-native ZTNA | Identity + device posture verified per request; no perimeter to defend | Cloud-native SaaS companies; fully remote teams | Cloudflare Access, Tailscale, Google BeyondCorp |
| Hybrid (VPN + ZTNA) | ZTNA for cloud resources; VPN for legacy on-prem systems | Companies in transition; mixed environments | Zscaler, Palo Alto Prisma |
Split tunnelling caution: Split tunnelling routes corporate traffic through VPN but allows personal traffic to go directly to the internet. The problem: personal browsing on the same network as work systems is a lateral movement risk. If split tunnelling is enabled, ensure DNS filtering applies to all traffic to catch malicious domains.
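The two passages above (the mandatory device controls and the ZTNA "never trust, always verify" model) can be shown together in one piece of code: a posture check that tests a device record against the six controls, feeding a per-request access decision that ignores where the request comes from. This is an added example written for this guide, not code from the guide's author or from any MDM or ZTNA vendor; the `Device` record, the sample devices, the `TODAY` date and the decision rules are all constructed assumptions, and a real deployment would take the posture fields from the MDM/EDR agent rather than from a hand-built record.

```python
"""Added example: evaluate device posture against the policy's six mandatory
controls, then make a Zero Trust access decision per request from identity
plus posture rather than from network location. Every record here is a
constructed sample, not real inventory data."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MAX_SCREEN_LOCK_MINUTES = 5     # policy: screen lock after 5 minutes maximum
MAX_PATCH_AGE_DAYS = 14         # policy: OS and software updates within 14 days
TODAY = date(2025, 1, 20)       # constructed "now" so results are reproducible


@dataclass
class Device:
    device_id: str
    owner: str
    ownership: str                       # "company", "byod-mdm", "byod-unmanaged", "cope"
    disk_encrypted: bool                 # BitLocker / FileVault on
    screen_lock_minutes: Optional[int]   # None = no inactivity lock configured
    edr_agent: Optional[str]             # name of the EDR agent, None if absent
    last_patch: date
    local_admin: bool                    # does the daily-use account have admin rights?
    password_manager: bool
    mdm_enrolled: bool


def posture_findings(d: Device, today: date = TODAY) -> List[str]:
    """Return the controls the device fails; an empty list means compliant."""
    findings = []
    if not d.disk_encrypted:
        findings.append("no full disk encryption")
    if d.screen_lock_minutes is None or d.screen_lock_minutes > MAX_SCREEN_LOCK_MINUTES:
        findings.append("screen lock missing or over 5 minutes")
    if not d.edr_agent:
        findings.append("no EDR agent")
    if (today - d.last_patch).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    if d.local_admin:
        findings.append("user has local admin rights")
    if not d.password_manager:
        findings.append("no password manager")
    # Unmanaged BYOD: the fields above were self-certified, nothing attested them.
    if d.ownership == "byod-unmanaged" and not d.mdm_enrolled:
        findings.append("posture self-certified only (no MDM attestation)")
    return findings


def ztna_decision(user_verified: bool, mfa_passed: bool, device: Device,
                  resource_sensitivity: str,
                  on_corporate_network: bool = False) -> Tuple[bool, str]:
    """Per-request decision in the ZTNA style: identity, then device posture,
    then the data-sensitivity rule from the device policy table. The network
    the request arrives from is deliberately not consulted: being on the
    corporate LAN or a VPN grants nothing by itself."""
    if not (user_verified and mfa_passed):
        return False, "identity not verified with MFA"
    findings = posture_findings(device)
    if findings:
        return False, "device posture failed: " + "; ".join(findings)
    if resource_sensitivity == "high" and device.ownership not in ("company", "cope"):
        return False, "high-sensitivity data requires a company-managed device"
    return True, "allowed"


# Constructed sample devices (hypothetical ids and owners).
COMPLIANT_LAPTOP = Device("LT-0142", "alice", "company", True, 5, "CrowdStrike",
                          date(2025, 1, 12), False, True, True)
STALE_BYOD = Device("BY-0007", "bob", "byod-mdm", True, 10, "Defender",
                    date(2024, 12, 1), True, True, True)
COMPLIANT_BYOD = Device("BY-0031", "carol", "byod-mdm", True, 3, "SentinelOne",
                        date(2025, 1, 15), False, True, True)

if __name__ == "__main__":
    for dev in (COMPLIANT_LAPTOP, STALE_BYOD, COMPLIANT_BYOD):
        print(dev.device_id, posture_findings(dev) or "compliant")
    # Same verified user on the office LAN without MFA: still denied.
    print(ztna_decision(True, False, COMPLIANT_LAPTOP, "low", on_corporate_network=True))
    print(ztna_decision(True, True, COMPLIANT_BYOD, "high"))
```

The sensitivity rule in `ztna_decision` is one reading of the "Use When" column of the device policy table (company or COPE devices for ePHI, cardholder data and enterprise customer data); adjust it to whatever your own classification scheme requires.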
Home network requirements
You can't control employee home routers, but you can set minimum requirements. Include these in your policy:
- WPA2 or WPA3 Wi-Fi encryption (WEP is broken; WPA is deprecated)
- Strong, unique Wi-Fi password — not the ISP default, not the router model number
- Router admin interface: default credentials changed; admin access disabled from Wi-Fi network (management on wired only)
- Router firmware kept updated — many home routers have unpatched RCE vulnerabilities
- Work devices on a separate SSID / guest VLAN from personal/IoT devices
- WPS disabled — WPS PIN brute force is a known attack vector
Public Wi-Fi rule: Public networks (cafés, airports, hotels) are treated as hostile. VPN must be active before opening any work application. If VPN is unavailable, use a mobile hotspot.
Data handling at home
The most common remote work data incidents aren't technical — they're operational:
- Emailing documents to a personal address "for convenience"
- Saving files to personal Google Drive or Dropbox
- Leaving sensitive documents on screen during a video call
- Printing confidential documents at home without a shredder
- A household member using the work laptop "just quickly"
Your policy must address these explicitly. A blanket "follow data classification policy" is not enough — spell out what is and is not acceptable in a home environment.
GDPR Art. 32 TOM implication: Personal data processed at home must be subject to the same controls as in the office. If your office has a clear desk policy, a clear screen policy, and access controls, your home working policy must translate these into practical requirements for the home environment.
GDPR employee monitoring disclosure
This is where many companies get it wrong. You have a legitimate interest in monitoring company devices for security purposes — but you must disclose this, and the scope of monitoring must be proportionate.
What is and is not proportionate:
| Monitoring type | Proportionate? | Disclosure required |
|---|---|---|
| Authentication event logging (logins, logouts, failed attempts) | ✅ Yes | Yes — in Employee Privacy Notice and this policy |
| VPN connection metadata (when, volume, destination IPs) | ✅ Yes | Yes |
| MDM device health status and compliance posture | ✅ Yes | Yes |
| DLP events (data transferred outside approved channels) | ✅ Yes | Yes |
| Email content monitoring for security keywords | ⚠️ Proportionate only for specific investigations | Yes — disclose policy and triggers |
| Continuous screen recording / screenshot capture | ❌ Disproportionate for general monitoring | N/A — should not be implemented for remote workers without specific justification |
| Webcam monitoring at home | ❌ No — highly disproportionate and likely unlawful | N/A — prohibited |
| Personal browsing history on personal profile of BYOD device | ❌ No — work profile should be MDM-isolated | N/A — should not occur |
Country-specific notes: Germany has strong co-determination rights (BetrVG) that may require works council agreement before deploying monitoring tools. France requires CNIL consultation for certain monitoring. Employee rights in the Netherlands are also strong. Get local employment law advice before deploying any monitoring beyond basic security logging.
Physical security at home
Often overlooked in remote work policies because it seems obvious, but it is directly relevant to ISO 27001 A.7 (Physical Security) and to personal data breach risk:
- Clear desk and clear screen when not working: sensitive documents locked away; screen locked
- Video calls: what's visible in the background? Home address on documents, whiteboard with sensitive content, confidential documents pinned to walls
- Voice assistants (Alexa, Google Home): should not be in the same room as confidential calls — these devices send audio to cloud servers for processing
- Household members and visitors: work devices are not shared, even with family
- Laptop in vehicles: never left in a visible location; overnight device storage in vehicles not permitted
Lost or stolen device: the 2-hour window
The difference between a lost device that becomes a breach and one that doesn't is often the speed of reporting. Your policy must make this clear:
- Report immediately — not the next morning, not after checking if it turns up
- Security Team initiates remote wipe via MDM within 2 hours of report
- All credentials for apps accessed on that device are invalidated
- Access logs reviewed from the last known secure use up to the time of report
- Personal data breach assessment triggered if customer/employee data may have been accessible
Delayed reporting is not just bad practice — if a GDPR breach results, the 72-hour notification window begins when the breach is reasonably suspected, not when it is reported to IT. A 12-hour delay in reporting can make the difference between notification and failure to notify.
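The procedure above has two clocks: the 2-hour remote-wipe target, which starts when the loss is reported, and the GDPR 72-hour window, which (as the guide states) starts when the breach is reasonably suspected. The following is an added example, not part of the original guide, that records the checklist steps for one incident and computes both clocks so that the cost of a reporting delay is visible. All timestamps and device ids are constructed.

```python
"""Added example: an incident record for the lost/stolen device procedure,
tracking the checklist steps and the two deadlines the policy sets.
Timestamps and device ids below are constructed, not from a real incident."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

WIPE_SLA = timedelta(hours=2)        # remote wipe within 2 hours of report
GDPR_WINDOW = timedelta(hours=72)    # Art. 33 notification window


@dataclass
class LostDeviceIncident:
    device_id: str
    suspected_at: datetime           # when the loss was reasonably suspected
    reported_at: datetime            # when the Security Team was told
    personal_data_possible: bool     # could customer/employee data have been accessible?
    wiped_at: Optional[datetime] = None
    credentials_invalidated: bool = False
    logs_reviewed: bool = False
    breach_assessed: bool = False

    def reporting_delay(self) -> timedelta:
        return self.reported_at - self.suspected_at

    def wipe_deadline(self) -> datetime:
        # The SLA runs from the report, so late reporting does not buy extra time.
        return self.reported_at + WIPE_SLA

    def wipe_within_sla(self) -> bool:
        return self.wiped_at is not None and self.wiped_at <= self.wipe_deadline()

    def notification_deadline(self) -> datetime:
        # The regulatory clock runs from suspicion, not from the report to IT.
        return self.suspected_at + GDPR_WINDOW

    def window_remaining_at_report(self) -> timedelta:
        # How much of the 72 hours was already gone when Security first heard.
        return GDPR_WINDOW - self.reporting_delay()

    def open_actions(self) -> List[str]:
        """Checklist items from the policy that are still outstanding."""
        actions = []
        if self.wiped_at is None:
            actions.append("initiate remote wipe via MDM")
        if not self.credentials_invalidated:
            actions.append("invalidate credentials for apps accessed on the device")
        if not self.logs_reviewed:
            actions.append("review access logs from last known secure use to report time")
        if self.personal_data_possible and not self.breach_assessed:
            actions.append("run personal data breach assessment")
        return actions


UTC = timezone.utc
# Constructed: laptop missing after a train journey, noticed at 18:00,
# but only reported the next morning (12-hour delay); wipe was quick once told.
DELAYED = LostDeviceIncident(
    "LT-0142", datetime(2025, 1, 20, 18, 0, tzinfo=UTC),
    datetime(2025, 1, 21, 6, 0, tzinfo=UTC), personal_data_possible=True,
    wiped_at=datetime(2025, 1, 21, 7, 30, tzinfo=UTC), credentials_invalidated=True)
# Constructed: reported within 20 minutes, but the wipe took nearly 3 hours.
PROMPT = LostDeviceIncident(
    "LT-0210", datetime(2025, 1, 20, 18, 0, tzinfo=UTC),
    datetime(2025, 1, 20, 18, 20, tzinfo=UTC), personal_data_possible=False,
    wiped_at=datetime(2025, 1, 20, 21, 0, tzinfo=UTC))

if __name__ == "__main__":
    for inc in (DELAYED, PROMPT):
        print(inc.device_id, "delay:", inc.reporting_delay(),
              "wipe in SLA:", inc.wipe_within_sla(),
              "72h left at report:", inc.window_remaining_at_report(),
              "notify by:", inc.notification_deadline().isoformat())
        print("  outstanding:", inc.open_actions())
```

The `DELAYED` record is the case the guide warns about: the wipe met its 2-hour target, but 12 of the 72 hours were gone before anyone in Security could start the breach assessment.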
⚠️ This guide is for informational purposes only and does not constitute legal or security advice. Employee monitoring requirements vary significantly by country; consult local employment law counsel before implementing monitoring on remote worker devices.