- ISO 27001 Control A.6.7 (Remote Working) requires documented security measures for working outside company premises.
- VPN or zero-trust access, full-disk encryption, MFA, and automatic screen lock are minimum technical requirements.
- The policy must also address physical security: screen privacy from onlookers, document storage, phone calls within earshot of third parties.
- Personal devices and private networks must be explicitly regulated. Either they are permitted (with conditions) or prohibited.
- Emergency communication must also work from home. Reachability and alternative communication channels must be clarified in advance.
Why remote work needs its own policy
The office is a controlled environment. The network is managed by IT, physical access is regulated, workstations are standardized, and the security infrastructure (firewall, IDS, network segmentation) protects all devices equally.
Working from home dissolves this protective shield. The employee sits on their own Wi-Fi, which may be secured with the router's default password. The children share the same network for online gaming. The screen is visible from the dining table where guests are sitting. Confidential documents lie on the kitchen table because the printer is in the living room. And if the laptop is stolen, it is not just a device that is gone but complete access to the corporate network.
These sound like isolated cases, but they happen thousands of times daily. A remote work policy defines the rules that ensure working from home does not become a security risk. It supplements the general information security policy with the specific requirements of the remote workplace.
What the standards require
ISO 27001
ISO 27001 addresses remote work in A.6.7 (Remote Working). The control requires that security measures are implemented when employees work outside company premises. The measures must cover the physical working environment, communication, remote access to systems, and the security of the devices used.
Additionally relevant are A.8.1 (User endpoint devices) for device security and A.8.20 (Networks security) for secure network connections.
NIS2
NIS2 requires appropriate technical and organizational measures in Article 21 to protect network and information systems. Remote work significantly expands the attack surface, and without documented measures, you lack evidence that you are addressing this risk.
BSI IT-Grundschutz
The BSI dedicates the modules OPS.1.2.4 (Telework) and INF.9 (Mobile Workplace) to the topic. Both contain detailed requirements that can serve as guidance for your policy.
Scope
The policy must clearly define who it applies to and which types of work it covers.
Telework (home office): Regular work from the employee's private residence, with a permanently set up workplace.
Mobile work: Occasional work on the go (train, hotel, cafe, at a client's site). Requirements here are partly stricter because the environment is less controllable.
Hybrid work: Combination of office and remote work. The most common work arrangement in many organizations.
The policy applies to all employees who work fully or partially outside company premises, including external staff and service providers to the extent they remotely access company systems.
Technical requirements
Devices
The policy must specify which devices are approved for remote work.
Company-owned devices (preferred): Laptops provided and managed by the company are the most secure option. IT has control over configuration, updates, encryption, and installed software. The policy should define company-owned devices as the standard.
Personal devices (BYOD): If personal devices are permitted, the policy must define minimum requirements: current operating system, full-disk encryption, antivirus software, automatic updates. Mobile Device Management (MDM) or a container solution that separates business and personal data is recommended.
Regardless of device type, the policy requires:
- Full-disk encryption: BitLocker (Windows), FileVault (macOS), or equivalent. Without encryption, a stolen or lost laptop represents a complete data breach.
- Automatic screen lock: After a maximum of five minutes of inactivity.
- Current operating system and patches: Security updates are installed promptly, ideally automatically.
- Endpoint protection: Antivirus/EDR solution active and up to date.
- No local administrator rights: Employees cannot install arbitrary software.
Network connection
The connection from home to the corporate network is the most critical point.
VPN requirement: The policy defines that access to internal systems is exclusively through the corporate VPN or an equivalent zero-trust solution. Direct access to internal resources without VPN is not permitted.
Wi-Fi security: The policy recommends securing the home Wi-Fi with WPA3 (or at minimum WPA2 with a strong password) and prohibits using open or unknown Wi-Fi networks for professional purposes.
Split tunneling: The policy specifies whether split tunneling (only corporate traffic over VPN, personal traffic directly to the internet) is permitted. Full tunneling provides more security because all data traffic flows through the corporate infrastructure where it is filtered. Split tunneling reduces VPN infrastructure load but provides less protection.
Hotspots and public networks: The policy prohibits using public Wi-Fi (hotel, cafe, airport) without an active VPN connection. As an alternative, a mobile hotspot (smartphone tethering) should be used.
Authentication
MFA requirement: Multi-factor authentication is mandatory for remote access to company systems. This applies to VPN, email access, cloud services, and all other externally accessible systems.
Password policy: The general password policy applies without restriction when working remotely.
Session timeouts: Sessions are automatically terminated after a defined period of inactivity. The employee must re-authenticate.
Physical security when working from home
IT security when working from home is not limited to technology. The physical environment plays an equally important role.
Work environment
The policy recommends (or requires, depending on company size and protection requirements):
- Separate workspace: Ideally a lockable home office. If that is not possible, the workplace must be positioned so that the screen is not visible to third parties (family members, visitors).
- Privacy screen: For work in areas where third parties could see the screen. Optional when working from home; recommended for mobile work (train, cafe).
- Lockable storage: Confidential documents are stored in a lockable cabinet or pedestal, not openly on the desk.
Documents and printouts
- Printing: The policy defines whether printing at home is permitted and which classification levels are excluded. Confidential and strictly confidential documents per the classification policy should not be printed at home.
- Disposal: Printouts with internal or confidential information are not disposed of in household waste but shredded with a cross-cut shredder (security level P-4 or higher) or brought to the office for secure disposal.
- Storage: Business documents are not permanently stored at home but are brought back to the office after use or filed digitally.
Phone calls and video conferences
- Confidential conversations: Conversations with confidential content are not conducted within earshot of third parties. During video conferences, care is taken that no confidential information (whiteboards, screen contents, documents) is visible in the background.
- Headset: Using a headset is recommended to prevent eavesdropping.
- Background: Use a neutral or virtual background in video conferences when the home environment is unsuitable.
Data storage and cloud usage
The policy governs where and how data is stored when working remotely.
No local storage: Business data is not stored locally on the device but on central company systems (file server, cloud drive, DMS). Local copies are only permissible for active editing and are deleted afterward.
Approved cloud services: Only company-approved cloud services may be used for storing and sharing business data. Personal cloud storage (personal Dropbox account, personal Google Drive) is prohibited for business data.
USB drives and external storage: The use of personal USB drives and external hard drives for business data is prohibited or severely restricted (see removable media policy).
Handling security incidents when working remotely
The incident response policy also applies when working from home. The remote work policy supplements it with specific aspects:
Reporting obligation: Security incidents (loss or theft of device, suspected malware, unauthorized access to the workplace, suspicious emails) are reported immediately to IT or the ISO, including outside business hours.
Reachability: Contact information for reporting security incidents must be available offline as well (not only on the intranet but also on the mobile phone or printed out).
Device loss: In case of loss or theft of the device, IT is informed immediately. The device is remotely locked or wiped (remote wipe). Credentials are reset.
Network anomalies: If the employee notices unusual behavior of their device or network (e.g., unexplained pop-ups, slow connection despite good internet, unknown processes), they report it to IT — even if it turns out to be harmless.
Responsibilities
Employees: Compliance with the policy, incident reporting, securing the physical environment, participation in training.
IT department: Provision and configuration of devices, VPN infrastructure, endpoint management, support for technical issues when working remotely.
ISO: Creation and maintenance of the policy, compliance monitoring, risk assessment of the remote work situation.
Supervisors: Ensuring that employees know and comply with the policy. Supporting the setup of a suitable workspace.
Executive management: Approval of the policy, provision of resources (devices, VPN licenses, privacy screens, shredders).
Training and awareness
Employees who work remotely need specific training:
- One-time training at the start of remote work: Technical setup, VPN usage, physical security, reporting channels.
- Annual refresher: Current threats (phishing in the remote work context, social engineering over the phone), policy updates, best practices.
- Phishing simulations: Regular phishing tests that also include remote work–specific scenarios (e.g., fake IT support emails asking to install "VPN updates").
Compliance and controls
The policy must govern how compliance is verified without disproportionately restricting employee privacy.
Technical verification: Automated checks via MDM or endpoint management answer questions such as: Is full-disk encryption active? Are patches current? Is antivirus software up to date?
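As an added example (not from the article or from ISMS Lite), the following read-only PowerShell script shows what such an automated check can look like on a Windows laptop: it answers the three questions above plus the screen-lock and local-admin requirements from the device section, and returns a non-zero exit code that an MDM or endpoint tool can record as evidence. The 5-minute lock and 30-day patch thresholds are taken from the policy text; the 3-day signature age and the use of Microsoft Defender are assumptions.

```powershell
# Remote-work baseline check (added example, not part of the policy template).
# Run in an elevated PowerShell on Windows 10/11; the BitLocker, Defender and
# LocalAccounts modules ship with the OS. All checks are read-only.

$results = [ordered]@{}

# 1. Full-disk encryption: the OS volume must be fully encrypted with protection On.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['FullDiskEncryption'] = ($os.ProtectionStatus -eq 'On' -and
                                  $os.VolumeStatus -eq 'FullyEncrypted')

# 2. Automatic screen lock: active, password-protected, timeout of at most 300 s
#    (policy: five minutes). Checked in the user hive; GPO/MDM may enforce it machine-wide.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$timeout = [int]$desk.ScreenSaveTimeOut
$results['ScreenLock'] = ($desk.ScreenSaveActive -eq '1' -and
                          $desk.ScreenSaverIsSecure -eq '1' -and
                          $timeout -ge 1 -and $timeout -le 300)

# 3. Patches current: heuristic - the most recent hotfix was installed within 30 days (assumption).
$lastPatch = (Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
$results['PatchesCurrent'] = ($null -ne $lastPatch -and $lastPatch -gt (Get-Date).AddDays(-30))

# 4. Endpoint protection: Defender real-time protection on and signatures at most 3 days old
#    (assumption; replace with the vendor's own query if a third-party EDR is used).
$mp = Get-MpComputerStatus
$results['EndpointProtection'] = ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 3)

# 5. No local administrator rights: the current user must not be in the local Administrators group.
$me = "$env:USERDOMAIN\$env:USERNAME"
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$results['NoLocalAdmin'] = ($admins -notcontains $me)

# Report one PASS/FAIL line per control, then an overall verdict for the evidence trail.
$results.GetEnumerator() | ForEach-Object {
    '{0,-20} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
$overall = ($results.Values -notcontains $false)
'Overall: ' + $(if ($overall) { 'COMPLIANT' } else { 'NON-COMPLIANT' })
exit $(if ($overall) { 0 } else { 1 })
```

The script checks configuration only; it does not collect documents, browsing history or activity data, which keeps it within the "no surveillance software" boundary described in this section.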
No surveillance software: The policy clarifies that no software for monitoring work performance is deployed when working remotely. Controls relate exclusively to compliance with security requirements, not to work behavior.
Spot checks: The ISO may conduct spot checks in coordination with the works council (if applicable), e.g., by reviewing device configuration during the employee's next office visit.
Self-declaration: Employees confirm annually (e.g., as part of policy acknowledgment) that they comply with the requirements of the remote work policy and that no significant changes to their work environment have occurred. In ISMS Lite, this annual self-declaration can be mapped as digital acknowledgment, giving you evidence at any time of who confirmed the policy.
Example outline
- Purpose and scope — Work types, affected personnel
- Terms and definitions — Telework, mobile work, hybrid work
- Normative references — ISO 27001 A.6.7, A.8.1, NIS2, BSI OPS.1.2.4
- Principles — Same security level as in the office, personal responsibility
- Technical requirements — Devices, encryption, VPN, Wi-Fi, MFA
- Physical security — Work environment, documents, phone calls
- Data storage — Central storage, cloud usage, USB prohibition
- Printing and disposal — Restrictions, document shredding
- Security incidents — Reporting obligation, device loss, contact information
- Personal devices (BYOD) — Permission or prohibition, minimum requirements
- Responsibilities
- Training and awareness
- Compliance and controls
- Violations and consequences
- Review and update
- Effective date and approval
Common mistakes in remote work policies
Too restrictive without alternatives
If the policy prohibits everything without offering practical alternatives, employees will find workarounds. Banning USB drives? Then offer a secure cloud transfer. Prohibiting printing at home? Then enable a digital workflow. For every restriction, there must be a viable alternative — otherwise the policy will be circumvented.
Focus only on technology
Many remote work policies concentrate on VPN, encryption, and antivirus but forget physical security and the human factor. Social engineering over the phone, screen contents visible to visitors, or confidential documents in the household trash are risks that no firewall catches.
No differentiation by protection requirements
Not every activity has the same protection requirements. General internet research needs different safeguards than processing personnel files or financial data. The policy can differentiate: routine tasks at home with standard protection, sensitive activities only with enhanced measures (e.g., only in a lockable home office, only on company devices).
Forgotten updates
IT infrastructure changes: new cloud services, new VPN solution, transition to zero trust. If the policy does not track these changes, it becomes increasingly disconnected from reality. An annual review is the minimum. Technical changes to remote access infrastructure should automatically trigger a review of the remote work policy.
Failing to consider the works council
If a works council exists, it has co-determination rights regarding regulations affecting employee behavior at the workplace. The remote work policy should be coordinated with the works council early on, especially aspects such as technical monitoring, spot checks, and control measures.
From policy to secure remote work
A remote work policy must not be a bureaucratic document that prevents employees from working productively from home. It should provide guidance and create a security level that comes as close as possible to that of the office. The more practical and understandable the policy is, the more likely it will be embraced.
ISMS Lite supports the entire policy lifecycle: you create the remote work policy with AI support, version every change, obtain digital acknowledgment from all affected employees, and have management approve it with a signature. This gives you evidence at any time that your employees know the policy and that it is current and effective.
