Background
----------

ISO/IEC 27002:2022 clause 7.9 indicates that "Off-site [information] assets should be protected [in order] to prevent [their] loss, damage, theft or compromise ... and interruption to the organization’s operations."

Policy statements
-----------------

1. Information risks related to off-site work should be identified, evaluated, and managed using risk management techniques and controls tailored to the risks.
2. Physical security controls for off-site work include minimizing exposure time in hazardous situations, using security cables or other protective equipment and choosing ruggedised devices.
3. Cybersecurity controls for off-site work involve Mobile Device Management, Virtual Private Networking, data encryption and sound backup arrangements.
4. Manual controls for off-site work include management authorisation and oversight, minimizing off-site data, respecting policies and procedures, and promptly reporting incidents.
5. Most information security controls applicable to on-site work should be enforced off-site, with necessary adjustments due to differing circumstances and information risks.
6. Off-site work may be necessary during emergencies, temporarily adjusting information security controls where appropriate to maintain business continuity.
7. Information risks and security controls related to off-site work should be periodically reviewed and adjusted in response to changes.

Notes
-----

This is a “skeleton” policy providing just the bare bones, the basic foundations on which to construct a custom policy for your organisation. Jump-start the process by visiting www.SecAware.com for a more comprehensive customisable policy template in MS Word.