Audit checklist points
I am looking for audit checklist points which can be done remotely while the user is working from home.
Considering ISO 27001, please note that the activities users can perform remotely from home are based primarily on the management decision/business need, while the safeguards are determined according to the results of the risk assessment - the audit checklist must take all of these into account.
Normally you should consider at least these points for an audit checklist:
- who may telework (e.g., IT staff, sellers, managers on travel, etc.)
- which services are available for teleworkers (e.g., development environment, invoicing systems, etc.)
- which information can be accessed through telework (e.g., performance dashboards, list of customers, etc.); for more information, see: Information classification according to ISO 27001.
- which access controls shall be applied before access to information and resources is granted (e.g., password, two-factor authentication, use of VPN on communication channels, etc.); for more information, see: How to manage the security of network services according to ISO 27001 A.13.1.2.
- how devices and remote sites should be configured, protected, and used (e.g., devices with cryptography, no use of shared rooms to work, information backup, etc.)
These articles will provide you with further explanation about developing this checklist:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
- How to apply information security controls in teleworking according to ISO 27001 https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/
- What to include in an ISO 27001 remote access policy https://advisera.com/27001academy/blog/2019/04/23/iso-27001-remote-access-policy-how-to-develop-it/
Mar 25, 2020