The answer to “does remote work security require a vpn” is no: ISO 27001 does not mandate a VPN for every remote employee. ISO 27001 Annex A control 6.7 requires security measures that protect information during remote work, but organizations may satisfy that outcome through risk-based combinations of identity controls, managed endpoints, encryption, zero-trust access, virtual desktops, VPNs, and other safeguards. A VPN is appropriate when it addresses a documented risk, not simply because an employee works away from the office.
Why is the VPN-for-everyone misconception so widespread?
The myth comes partly from how remote access worked before cloud applications became common. Employees once needed a network-level connection to reach file shares, intranet applications, databases, and other services hosted inside the corporate perimeter. A VPN effectively extended that perimeter to the employee’s location, so remote work and VPN use became nearly synonymous.
Many policies retained that language even after business systems moved to Microsoft 365, Salesforce, Workday, ServiceNow, and other software-as-a-service platforms. Routing an employee through a corporate VPN before allowing access to a cloud service may add little protection if the organization already enforces strong authentication, device compliance, session controls, and encryption directly at the service.
The misconception is also reinforced by simplified audit questions such as, “Do remote workers use a VPN?” That question is easy to answer but does not test the full control. A VPN can encrypt traffic across an untrusted network, yet it does not prove that the user is legitimate, the endpoint is healthy, downloaded information is controlled, or privileged activity is monitored.
For a compliance officer, the important distinction is between a familiar control and a required outcome. Treating a VPN as universally mandatory can create unnecessary licensing costs, performance problems, and operational exceptions while leaving more material risks inadequately addressed.
What does ISO 27001 say when you ask: does remote work security require a vpn?
ISO 27001:2022 Annex A control 6.7, Remote Working, states: “Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.”[1]
The wording establishes an outcome without prescribing a particular technology. Each part has practical significance:
- “Security measures shall be implemented” means that documented intentions are not enough. The organization needs controls that are deployed, operating, and supported by evidence.
- “When personnel are working remotely” covers more than full-time home workers. It can include hybrid employees, contractors, business travelers, temporary locations, coworking spaces, and personnel accessing information from customer sites.
- “To protect information” makes information risk the focus. The objective is not merely to create a secure network tunnel but to preserve appropriate confidentiality, integrity, and availability.
- “Accessed, processed or stored” addresses the information lifecycle. Controls should cover viewing cloud data, editing records, downloading files, printing documents, synchronizing local copies, and retaining information on remote devices.
- “Outside the organization’s premises” recognizes that physical and network conditions are less directly controlled. The response should account for device loss, shared spaces, untrusted networks, household access, and weaker physical safeguards.
Within an ISO 27001 information security management system, the organization should evaluate these risks, determine whether control 6.7 is applicable, and document its treatment in the Statement of Applicability and related risk records. An auditor will generally look for a defensible connection among the risks identified, the measures selected, the remote-working policy, and evidence that those measures operate. Requiring a VPN for every employee is only one possible treatment decision, not the text of the control.
What is the right way to secure remote work step by step?
1. Which remote-working scenarios are actually in scope?
Start by identifying who works remotely, which information they handle, and how they reach it. Separate ordinary SaaS users from software developers, finance personnel, system administrators, call-center staff, contractors, and executives handling highly sensitive material. Include hybrid work, travel, emergency access, and approved use of personal devices rather than limiting the assessment to employees formally classified as remote.
Record the applications used, data classifications involved, device ownership, expected locations, and whether access reaches a cloud service or a private network. This prevents one control design from being applied indiscriminately to materially different risks.
2. What risks exist in each access path?
Assess realistic events such as credential theft, unmanaged devices, malware, local data retention, shoulder surfing, insecure home routers, lost laptops, unauthorized printing, and privileged access from compromised endpoints. Consider both likelihood and business impact using the risk method already defined in the ISMS.
Do not assume that public Wi-Fi automatically creates a VPN requirement. Modern applications using correctly configured TLS already encrypt traffic in transit, although a VPN may still be justified for network privacy, private-resource access, or defense against specific local-network threats. Conversely, a VPN does not make a malware-infected personal laptop acceptable for sensitive access.
3. Which access architecture best treats each risk?
Select controls according to the resource, device, user, and data involved. The following examples illustrate how a mid-market organization might make and document that decision:
| Remote scenario | Suitable control pattern | Example configuration | Useful audit evidence |
|---|---|---|---|
| Managed laptop accessing Microsoft 365 | Direct SaaS access with identity and device controls | Microsoft Entra ID phishing-resistant MFA, Intune compliant-device requirement, Defender for Endpoint, and blocked legacy authentication | Conditional Access policy export, Intune compliance report, and MFA registration report |
| Employee accessing an internal finance application | Application-specific zero-trust access or VPN | Cloudflare Access or Zscaler Private Access with identity, device posture, and application-level authorization | Access policy, connector inventory, authentication logs, and quarterly access review |
| Administrator managing private infrastructure | Hardened VPN or privileged access workstation through a controlled gateway | Cisco Secure Client with certificate authentication, MFA, restricted routes, and access limited to management subnets | Firewall rules, VPN configuration, privileged-session logs, and approved administrator list |
| Contractor using an unmanaged personal computer | Browser isolation or virtual desktop with download restrictions | Azure Virtual Desktop with MFA, clipboard controls, drive redirection disabled, and session timeouts | Host-pool settings, contractor approvals, session logs, and data-loss prevention events |
These are examples, not ISO 27001 mandates. The organization should choose equivalent measures that fit its architecture and can be operated consistently.
4. Which baseline safeguards apply regardless of access method?
Establish a minimum remote-work baseline covering supported devices, disk encryption, endpoint detection, patching, screen locking, secure configuration, multifactor authentication, and incident reporting. Define rules for local storage, removable media, printing, confidential conversations, device transport, and disposal of paper records.
Where personal devices are allowed, specify what information they may access and what technical enforcement is required. Mobile application management, containerized corporate data, restricted downloads, or virtual desktops may provide more meaningful protection than sending all traffic through a VPN.
5. How should the policy explain when a VPN is required?
A usable policy should state decision rules rather than making vague claims about “secure remote access.” For example, require the corporate VPN for designated private-network applications and administrative protocols, prohibit access from unmanaged endpoints, and permit direct access to approved SaaS services when conditional-access requirements are satisfied.
Define ownership for approvals and exceptions. A time-limited exception should identify the affected user, business justification, risk owner, compensating controls, expiration date, and required review. This gives compliance teams a traceable process instead of an informal collection of help-desk workarounds.
6. What evidence will demonstrate that the control operates?
Maintain evidence proportionate to the risk: approved policies, risk assessments, architecture decisions, device-compliance reports, authentication logs, VPN or zero-trust configurations, access reviews, training records, incident tickets, and exception approvals. Sample remote access periodically to confirm that blocked devices are actually denied and terminated users lose access promptly.
Review the design when applications migrate to the cloud, device ownership changes, new countries are approved, or incidents expose weaknesses. This keeps the treatment aligned with the requirement instead of preserving a legacy VPN rule after its rationale has disappeared.
Which related remote-work security misconceptions should compliance officers know?
Does a VPN make a personal device trusted?
No. A VPN protects a connection or provides network access; it does not establish that the device is patched, encrypted, malware-free, or controlled by the organization. Device posture checks, endpoint management, restricted sessions, or virtual desktops may still be necessary.
Does ISO 27001 prohibit remote access from public Wi-Fi?
No. Control 6.7 does not name or prohibit particular network types. The organization should evaluate the risk and apply suitable safeguards, which may include TLS, a VPN, phishing-resistant MFA, managed endpoints, and restrictions on handling especially sensitive information in public places.
Is publishing a remote-work policy enough for compliance?
No. The control says measures shall be implemented, so a policy without technical enforcement, training, monitoring, and evidence is unlikely to demonstrate effective operation. Documentation should accurately describe what the organization has deployed and how exceptions are governed.
As your next step, map each remote role and application to its documented risk, required access pattern, control owner, and audit evidence before approving the hybrid-work policy.