Internet Access

Although ISO 27001 does not prescribe access to the Internet only through the organization as mandatory, what happens in real life is that this is more a common sense for business practice, as survival and competitive question than a standard's requirement (most of the businesses and their relations go through the Internet).

Considering that, when organizations resources, like email services, are available through direct access to the Internet (e.g., to allow remote work), a common practice is the usage of access through Virtual Private Networks (VPNs), where the organizations implement controls such as protected communication, and access control to limit external access to authorized users, only to needed information, and also can monitor activities and information flow.

A third important point is awareness activities, so employees can understand the importance to access the Internet only through the organization, and the consequences on direct access.

This article will provide you a further explanation about network controls:

• How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/

This material will provide you further information about employee awareness:

• Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.