What the auditor wants to verify
Audit objective
Verify that remote working is authorized, risk-assessed, controlled, and reviewed for people, locations, activities, data, equipment, and connections.
The auditor wants evidence that information remains protected when accessed, processed, or stored outside organization premises.
Evidence to request
| Evidence | Purpose |
|---|---|
| Remote working policy | Shows remote work rules are documented |
| Remote working authorization register | Shows approved users, activities, locations, data, and controls |
| Remote working risk assessment | Shows remote risks were assessed |
| Asset register entries | Shows remote equipment is tracked |
| Secure connection configuration | Shows remote links are protected |
| MFA/access control records | Shows remote access is restricted |
| Endpoint security records | Shows remote devices are protected |
| Non-work use rules | Shows personal-use risks are managed |
| Training/awareness records | Shows users know remote work duties |
| Control verification records | Shows controls were checked before authorization |
Strong evidence
Strong evidence test
Prefer sampled records that connect authorized person, location, activity, data, device, required controls, and verification.
- Remote workers, activities, locations, and data access are authorized.
- Remote access is limited to required information.
- Devices are managed, encrypted, patched, and inventoried.
- Secure access methods and MFA are enforced.
- Physical security expectations are defined for home and public locations.
- Non-work use rules are documented.
- Control verification exists before or during authorization.
- Remote work risks are reviewed when conditions change.
Weak evidence
Weak evidence warning
Weak evidence proves remote access exists, not that remote working is controlled.
- VPN exists but no authorization register.
- No record of allowed locations, activities, or data.
- Personal devices are used without documented controls.
- Remote equipment missing from the asset register.
- No public-location rules.
- No non-work use policy.
- No verification that required controls are in place.
Sample interview questions
Ask remote workers
- What information are you allowed to access remotely?
- Can you work from public locations?
- What do you do with printed confidential information at home?
- Can family members or visitors use your work device?
Ask IT or security
- How is remote access secured and monitored?
- Are remote devices encrypted, patched, and inventoried?
- How do you restrict remote access to required information?
Ask managers
- How do you authorize remote work?
- How do you verify required controls are in place?
Common nonconformities
- Remote work allowed without documented authorization.
- Remote devices not in asset inventory.
- No remote working risk assessment.
- No restrictions on data, location, or activity.
- Personal use or family use not controlled.
- Secure connection exists but endpoint and physical controls are ignored.
- Controls not verified before authorization.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A6 7
Note Metadata
Aliases: A.6.7 Evidence
Source: 04 Audit Evidence Packs/A.6.7 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.6.7 - Remote Working
- Audit Evidence MOC
- AQ-ISO27001-A.6.7 Remote Working
- A.6 People Controls Audit Guide
- ISO27001-A.6.7 Remote Working
- A.6.7 Audit Checklist
- Remote Working Authorization Register
- Remote Working Risk Assessment
- Remote Working Security Checklist
- Audit Evidence Index