Why remote work needs its own policy
Remote and hybrid work move company data onto home networks and personal spaces your perimeter never covered. A remote work policy defines the security conditions under which staff work outside the office, so productivity does not come at the cost of uncontrolled exposure.
What to include
- Scope and eligibility — who can work remotely, from where, and any geographic restrictions.
- Devices — company-managed devices, or BYOD under your BYOD policy; full-disk encryption and screen lock required.
- Network — secure home Wi-Fi (WPA2/WPA3), VPN for internal systems, no sensitive work on public Wi-Fi without VPN.
- Physical environment — privacy screens, locked storage, no confidential calls in public.
- Authentication — MFA for all remote access.
- Data handling — keep company data in sanctioned tools; no local copies on unmanaged devices.
- Incident reporting — how to report a lost device or suspected compromise quickly.
Common mistakes
- Treating remote work as identical to office work — home networks, shared living spaces and unmanaged devices change the threat model.
- No VPN or unclear rules on public Wi-Fi.
- Silence on the physical environment (shoulder-surfing, household members).
Framework alignment
Maps to ISO 27001:2022 Annex A 6.7 (remote working), supports SOC 2 and the NIST CSF Protect function.