It is the IT Security policy I am working on.
We are a fully remote working organisation so I have included the remote teleworking activities because that is where we all work. We do not have any offices. We also do not have any paper-based information.
The IT Security policy takes the position that an organisation has offices and staff may need to work remotely/teleworking.
For example, section 3.12
We do not have any paper or paper storage.
We don’t have offices so protection of shared facilities and equipment never arises.
Or 3.1.7 Teleworking
We all work remotely, so it does not need to be authorized, as remote/teleworking is part of our employment contract.
We apologize for these problems - you are right, these elements of the IT Security Policy are not best suited for fully remote organizations, and we are working on making the appropriate corrections.
There are three options you can take:
(1) develop the IT Security Policy from a Word template where you can edit everything according to your preferences (we will send you the template free of charge) and then upload this document to Conformio, or
(2) declare the control A.11.2.9 Clear desk and clear screen policy as not applicable in your Statement of Applicability (you can do this only if there are no larger risks or requirements from interested parties), and then the sections "3.12.1. Clear desk policy" and "3.12.3. Protection of shared facilities and equipment" will be automatically deleted from the IT Security Policy, or
(3) adapt the text in Conformio's IT Security Policy according to the suggestions below:
- 3.12.1. Clear desk policy - leave the text as it is, because your remote employees might have some paper documents in the future (e.g., printed unlock keys for encrypted disks, Disaster Recovery Plans, etc.).
- 3.12.3. Protection of shared facilities and equipment - write the following "Facilities for dispatch and receipt of postal email are not existing in employee's home offices, and are protected by (this is not applicable)."
- 3.17 Teleworking - write the following "Teleworking must be authorized by the CEO by signing the employment contract."