Our startup is preparing for ISO 27001 certification to win enterprise clients. Since we have no physical office, I’m struggling with the physical security controls and asset management requirements. How do we demonstrate "physical" protection of data when everyone is working from home across different states? Does anyone have a checklist for remote-first security compliance?
3 answers
For remote-first companies, the focus of ISO 27001 shifts heavily toward Endpoint Management and Mobile Device Management (MDM). You need to prove that every device accessing your network is encrypted, has up-to-date antivirus, and can be remotely wiped if lost. Instead of "office security," your physical controls should focus on home office policies, such as clean desk policies even in a home setting and the use of privacy screens. You’ll also need to document how you handle the secure disposal of hardware when an employee leaves the company.
Are you currently using a specific MDM provider like Jamf or Intune to enforce these policies? Being able to export a report showing 100% encryption across your fleet is usually enough to satisfy an auditor regarding the "Physical and Environmental Security" domain in a virtual context.
Don't overlook the importance of a solid "Acceptable Use Policy." For remote teams, the legal and behavioral documentation is just as important as the technical controls.
Absolutely, Laura. We found that having staff sign an agreement regarding home Wi-Fi security (like changing default passwords) was a specific point of interest during our stage 1 audit.
Kevin, we are looking at Intune. If we use that to enforce BitLocker and auto-updates, is that sufficient evidence for an auditor, or will they still want to interview individual employees about their home network setups and router security?