Control attributes: theme People; control type Preventive; cybersecurity concept Protect

A.6.7 Remote Working

M365 Admin Path: Microsoft Entra admin center > Protection > Conditional Access > Policies; Intune admin center > Devices > Configuration profiles

Evidence Source: Microsoft Graph (Conditional Access, Intune Configuration, Device Management)

What is this control?

ISO 27001 control A.6.7 Remote Working requires security measures to protect information that is accessed, processed or stored when personnel work outside the organisation's premises. This implementation builds those measures on a Zero Trust architecture, in which security is enforced through continuous identity verification and device posture assessment on every access attempt rather than trusting physical location or a network perimeter. The organisation implements Conditional Access policies requiring both MFA and Intune device compliance, Microsoft Entra Global Secure Access for traffic inspection, and device encryption.

How to implement in Microsoft 365

Implement A.6.7 by configuring a Zero Trust Conditional Access policy that requires both multi-factor authentication and Intune device compliance for all remote access, with the grant operator set to Require all the selected controls (AND) rather than the default Require one of the selected controls (OR); with OR, completing MFA alone would satisfy the grant and the device would never have to be compliant. Devices that are not Intune-compliant are either blocked or routed to a Limited Access session with reduced permissions. Deploy the Microsoft Entra Global Secure Access client on all managed endpoints so that all traffic is routed through the organisation's Security Service Edge (SSE) for inspection.

Enforce full-disk encryption through an Intune compliance policy: BitLocker on Windows and FileVault on macOS. Configure a screen lock after 5 minutes (300 seconds) of inactivity.
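The check that matters most in the Conditional Access configuration is the grant operator, and it is easy to verify mechanically from the policy JSON that Microsoft Graph returns. The following is an added example, not part of the original guidance or Microsoft's own tooling: the policy dictionaries are constructed inline in the shape of the Graph conditionalAccessPolicy resource (GET /identity/conditionalAccess/policies), and the excluded user id is a placeholder for a break-glass account. In a real audit you would load the Graph response and pass each policy to the same function.

```python
"""Evaluate Conditional Access policy JSON against the A.6.7 requirements above.

Added example, not part of the original guidance. The policy dictionaries are
constructed here in the shape Microsoft Graph returns from
GET /identity/conditionalAccess/policies; in practice load that response
instead of the inline samples.
"""
import copy

# Constructed sample: the policy described in the text (all users, all cloud
# apps, MFA AND compliant device). The excluded user id is a placeholder for a
# break-glass account, not a real object id.
STRONG_POLICY = {
    "displayName": "A.6.7 Remote Working - require MFA and compliant device",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": ["<break-glass-account-object-id>"],
        },
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {
        "operator": "AND",
        "builtInControls": ["mfa", "compliantDevice"],
    },
}

# Constructed weak variant: same controls, but the grant operator is OR
# ("Require one of the selected controls"), so MFA alone satisfies the grant
# and an unmanaged device is never evaluated for compliance.
WEAK_POLICY = copy.deepcopy(STRONG_POLICY)
WEAK_POLICY["displayName"] = "Remote Working - MFA or compliant device (weak)"
WEAK_POLICY["grantControls"]["operator"] = "OR"

# Constructed report-only variant: correct settings, but not enforced.
REPORT_ONLY_POLICY = copy.deepcopy(STRONG_POLICY)
REPORT_ONLY_POLICY["state"] = "enabledForReportingButNotEnforced"

REQUIRED_CONTROLS = {"mfa", "compliantDevice"}


def evaluate_ca_policy(policy):
    """Return a list of findings; an empty list means the policy meets A.6.7."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(
            f"state is {policy.get('state')!r}; the policy must be 'enabled'"
        )
    cond = policy.get("conditions", {})
    if "All" not in cond.get("users", {}).get("includeUsers", []):
        findings.append("users: policy does not target all users")
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        findings.append("applications: policy does not target all cloud apps")
    grant = policy.get("grantControls") or {}
    missing = REQUIRED_CONTROLS - set(grant.get("builtInControls", []))
    if missing:
        findings.append(f"grantControls: missing {sorted(missing)}")
    if grant.get("operator") != "AND":
        findings.append(
            f"grantControls.operator is {grant.get('operator')!r}; "
            "must be 'AND' (Require all the selected controls)"
        )
    return findings


def has_remote_working_policy(policies):
    """True if at least one policy in the tenant export satisfies every check."""
    return any(not evaluate_ca_policy(p) for p in policies)


if __name__ == "__main__":
    for p in (STRONG_POLICY, WEAK_POLICY, REPORT_ONLY_POLICY):
        result = evaluate_ca_policy(p)
        print(p["displayName"], "->", "PASS" if not result else result)
    print("tenant satisfies A.6.7:",
          has_remote_working_policy([WEAK_POLICY, STRONG_POLICY]))
```

The function reports every gap rather than stopping at the first, so a report-only policy with an OR operator produces two findings, which is what an auditor would want listed.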

What an auditor looks for

Auditors will verify that a Conditional Access policy enforces Zero Trust with both MFA and device compliance requirements, and that its grant operator is set to Require all the selected controls. They will also review Microsoft Entra Global Secure Access deployment evidence showing active client status.

They will verify that Intune device compliance policies require BitLocker and FileVault encryption, that Intune configuration profiles enforce a screen lock timeout of 300 seconds or less, and that device compliance reporting shows 95% or higher encryption coverage.
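The two numeric thresholds above (95% encryption coverage, 300-second screen lock) can be computed from the Graph data named as the evidence source. The following is an added example, not part of the original guidance or Microsoft's tooling: the device records and compliance policies are constructed inline in the shape of the Graph managedDevice (isEncrypted, complianceState) and deviceCompliancePolicy resources (windows10CompliancePolicy with bitLockerEnabled, macOSCompliancePolicy with storageRequireEncryption, both with passwordMinutesOfInactivityBeforeLock). Those property names are taken from the Graph schema as I know it and should be confirmed against the tenant's actual export; note also that the page places the screen lock in a configuration profile, while this example reads it from the compliance policy property, which is a simplification.

```python
"""Compute the Intune evidence an auditor asks for under A.6.7.

Added example, not part of the original guidance. Device records and policies
are constructed inline in the shape of the Graph managedDevice and
deviceCompliancePolicy resources; property names are assumed from the Graph
schema and should be checked against a real export.
"""

ENCRYPTION_COVERAGE_THRESHOLD = 95.0   # percent, from the auditor expectation
SCREEN_LOCK_MAX_SECONDS = 300          # 5 minutes of inactivity

# Constructed fleet of 20 managed devices; LAPTOP-07 is the one unencrypted,
# non-compliant device, which puts coverage exactly at the 95% threshold.
FLEET = [
    {
        "deviceName": f"LAPTOP-{i:02d}",
        "operatingSystem": "macOS" if i % 4 == 0 else "Windows",
        "isEncrypted": i != 7,
        "complianceState": "compliant" if i != 7 else "noncompliant",
    }
    for i in range(1, 21)
]

# Constructed compliance policies as the tenant should have them.
WINDOWS_POLICY = {
    "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
    "displayName": "Windows - BitLocker and screen lock",
    "bitLockerEnabled": True,
    "passwordRequired": True,
    "passwordMinutesOfInactivityBeforeLock": 5,
}
MACOS_POLICY = {
    "@odata.type": "#microsoft.graph.macOSCompliancePolicy",
    "displayName": "macOS - FileVault and screen lock",
    "storageRequireEncryption": True,
    "passwordRequired": True,
    "passwordMinutesOfInactivityBeforeLock": 5,
}
# Constructed lax policy: FileVault not required and a 15-minute lock.
LAX_MACOS_POLICY = {**MACOS_POLICY, "storageRequireEncryption": False,
                    "passwordMinutesOfInactivityBeforeLock": 15}

# Which property carries the disk-encryption requirement for each policy type.
ENCRYPTION_PROPERTY = {
    "#microsoft.graph.windows10CompliancePolicy": "bitLockerEnabled",
    "#microsoft.graph.macOSCompliancePolicy": "storageRequireEncryption",
}


def encryption_coverage(devices):
    """Percentage of managed devices reporting isEncrypted, rounded to 0.1."""
    if not devices:
        return 0.0
    encrypted = sum(1 for d in devices if d.get("isEncrypted") is True)
    return round(100.0 * encrypted / len(devices), 1)


def meets_coverage_threshold(devices, threshold=ENCRYPTION_COVERAGE_THRESHOLD):
    """True when the fleet meets the auditor's coverage expectation."""
    return encryption_coverage(devices) >= threshold


def unencrypted_devices(devices):
    """Names of devices to remediate: the list behind the coverage metric."""
    return [d["deviceName"] for d in devices if d.get("isEncrypted") is not True]


def check_compliance_policy(policy):
    """Return findings for one compliance policy; an empty list means it passes."""
    findings = []
    prop = ENCRYPTION_PROPERTY.get(policy.get("@odata.type"))
    if prop is None:
        findings.append("unsupported policy type; cannot assess encryption")
    elif policy.get(prop) is not True:
        findings.append(f"{prop} is not enforced")
    minutes = policy.get("passwordMinutesOfInactivityBeforeLock")
    if minutes is None or minutes * 60 > SCREEN_LOCK_MAX_SECONDS:
        findings.append(
            f"screen lock after {minutes} min exceeds {SCREEN_LOCK_MAX_SECONDS} s"
        )
    return findings


if __name__ == "__main__":
    status = "meets" if meets_coverage_threshold(FLEET) else "below"
    print(f"encryption coverage: {encryption_coverage(FLEET)}% ({status} threshold)")
    print("unencrypted devices:", unencrypted_devices(FLEET))
    for pol in (WINDOWS_POLICY, MACOS_POLICY, LAX_MACOS_POLICY):
        print(pol["displayName"], "->", check_compliance_policy(pol) or "PASS")
```

Coverage is computed over every managed device, not only those reporting compliant, so a device that has dropped out of compliance still counts against the 95% figure; the unencrypted list is the remediation queue an auditor will ask to see alongside the percentage.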