Publication Summary
| Title | Remote Working Policy |
|---|---|
| Author(s) | Alessandro Cardinali |
| Issued by | CEO |
| Version doc. | 0.9 |
| Review freq. | Yearly |
| Date of issue | June 7, 2025 |
| Owner | CEO/Founder |
| Document status | Draft – Final Draft - Final |
| Approval Date | n/a |
| Classification | Internal |
Change Log
| Version | Date | Author | Comments |
|---|---|---|---|
| 0.1 | June 7, 2025 | Olaf Jacobson | First draft document |
Table of Contents
1 Introduction
1.1 Purpose of this document
1.2 Areas of the standard addressed
2 Putting a remote working arrangement in place
2.1 Initial risk assessment
2.1.1 Nature of the work
2.1.2 Physical security
2.1.3 Insurance
2.2 Facilities provided
2.2.1 Equipment
2.2.2 Communications
2.2.3 Backup and virus protection
2.2.4 Technical support
2.3 Agreement termination
Introduction
A remote working arrangement is a voluntary agreement between the organization and the employee. It usually involves the employee working from home in a separate area of their living accommodation, whether this is a house, apartment, or other type of domestic residence.
The introduction of a remote working arrangement, when managed effectively, has the potential to benefit both the individual and the organization. The individual will gain greater flexibility in working arrangements and possibly avoid a lengthy commute to and from an office. The organization can retain skilled and experienced staff whose circumstances suit teleworking and possibly save money on the rental, lease or purchase of office space.
This policy sets out the key information security-related elements that must be considered in agreeing a remote working arrangement. It ensures that all the necessary issues are addressed and that the organization’s information assets are protected.
This policy does not address the human resources aspects of teleworking such as health and safety, absence monitoring, job performance and contractual issues. These will be handled by the HR department and must also be in place before the remote working arrangement begins.
This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Soon Technologies B.V. systems.
The following policies and procedures are relevant to this document:
- User Access Management Process
Purpose of this document
This document sets out the organization’s policy with respect to remote working.
Areas of the standard addressed
The following areas of the ISO/IEC 27001 standard are addressed by this document:
- A.5 Organizational controls
  - A.5.1 Policies for information security
- A.6 People controls
  - A.6.7 Remote working
- A.7 Physical controls
  - A.7.9 Security of assets off-premises
Putting a remote working arrangement in place
From an information security point of view there are various aspects that need to be considered in each remote working arrangement and the policy of the organization in these areas is set out in the following sections.
Initial risk assessment
Before a remote working arrangement can commence there will be an initial risk assessment of the proposed environment and nature of the work to be carried out.
Nature of the work
A major part of the risk assessment concerns the type of activities that are to be carried out as part of the arrangement. A full understanding needs to be gained of:
- The classification of the information that will be stored and processed as part of the role
- The method of access to the information
- Whether the role requires that classified information is printed locally
- The business criticality of the role and the consequences if it were unavailable
Physical security
The risk assessment will also consider the physical security of the proposed work location:
- Is there enough room to house the required equipment safely?
- Is it in a separate area of the living accommodation?
- Can the work area be secured e.g. via a locked door when not in use?
- Who else has access to the work area?
- Will the equipment be visible from outside the accommodation e.g. through a window?
- What is the likelihood of theft in the surrounding area?
- Can paper documents be locked away securely?
- Is there adequate and reliable power supply to the work area?
Insurance
The impact of remote working on the individual’s home insurance must be investigated to ensure that any policies currently in place remain valid. Additional insurance may be required and if so, it should be agreed in advance how this will be funded.
Facilities provided
The organization’s policy regarding the provision of facilities to enable remote working is detailed below.
Note that all of the provisions in the Soon Technologies B.V. Mobile Device Policy also apply to the remote working environment and this document must be read and understood by all parties involved.
Equipment
Only client equipment provided by Soon Technologies B.V. for the purpose of remote working must be used to access company networks. The individual’s own devices such as laptops or PCs must not be used for this purpose.
According to requirements, the remote worker may be provided with:
- A laptop, tablet or desktop PC with keyboard and mouse
- A printer
- Desk and chair
- Secure storage e.g. drawers or a cupboard
- Other items as required for the role
This equipment always remains the property of the organization.
Communications
In addition to client equipment the remote worker will, wherever possible, be provided with a physically separate communications link which is not connected in any way to existing domestic broadband or similar. This is to ensure that:
- Network performance is not affected by other activities in the household
- The configuration of the router can be security-hardened according to organization policy
- The ability for other devices to connect to this link can be prevented through the protection of network keys etc.
A Virtual Private Network (VPN) will be used to ensure that all network traffic from the remote worker client to organization servers is encrypted to organization standards.
Where public cloud services are accessed directly by the remote worker, appropriate end-to-end encryption must be in place, in accordance with the Cryptographic Policy.
Backup and virus protection
Where possible, no data will be stored on the client machine. If this is unavoidable it is the responsibility of the remote worker to ensure it is backed up to the corporate network as soon as possible.
Virus protection will be provided on all relevant equipment and configured to update automatically on connection to the corporate network.
Technical support
Technical support of all supplied equipment will be provided by the [IT Support Desk].
Agreement termination
If the remote working agreement is terminated for any reason, all equipment that was supplied as part of the arrangement must be returned to the [IT Support Desk] as soon as possible.