It is very common these days fro businesses to outsource software developement and have contractors work as part of a team. I am hoping for advice to control these developers...
We have several developers that are contractors but they are working as part of several internal teams. They are in a different country and have their own laptops, internet connections (and offices) - my company prefers not to purchase and provide a laptop and the deveopers prefer to use their own - but will not allow any software to be put on their laptops or to control their laptop in anyway.
As part of our ISO 27001 controls - they need access to our Microsoft Devops environment and also have access to outlook, teams and Sharepoint.
We are looking to put in place a rule (somehow - Azure or endpoint manager ??advice??). that says the laptop/computer must have encrypted drives, Antivirus, be up to date with O/S patches..... as a minimum to connect for standard development.
While not completely controlling the laptops/computers - would this be enough for most people to allow ?? Would this pass the general acceptability for most companies who have ISO 27001 ?
(We have a requirement already that access to live Private data or information would require a company owned laptop)
Any advice is welcome....
Please note that is not our policy to provide recommendations about specific solutions or technologies to manage endpoints or the environments they access, so we can advise only about rules you should consider when evaluating such items.
Considering that, rules you should consider for those laptops/computers are access control for the accessed environment, use of protected channels to access the environment (e.g., use of VPN), use of encrypted drives, antivirus and updated OS and other required software (as you suggested), and use of backup.
About fit for purpose, provided these adopted controls decrease identified relevant risks to acceptable levels, and fulfill applicable legal requirements this would be acceptable for ISO 27001 certification purposes.
For example, specific information security or privacy laws and regulations (e.g., EU GDPR, HIPAA, etc.), and security clauses in contracts with clients (e.g., contractual clauses requiring the use of specific cryptography for storage devices).
Please note that, to enforce the application of such controls, you need to have signed contracts with these contractors, where such contracts will have information security clauses related to the controls you want the contractors to follow.