
Mobile Device & Teleworking Policy (ISO 27001)


    Overview

    Draft and validate a Mobile Device & Teleworking Policy for ISO 27001:2022 (A.5.17, A.6.7, A.8.1). Covers BYOD, VPN, disk encryption, remote wipe consent, endpoint leakage risk, and compliance with Right to Disconnect (France, Brazil, Ireland). Includes labor-law overlap check.

    Example Conversation

    You: We need a Mobile Device & Teleworking Policy for our French entity. We allow BYOD with MDM and want VPN, disk encryption, and remote wipe of work data—but we must respect the droit à la déconnexion.

    Agent: I’ll draft the policy from the template, reference A.5.17, A.6.7, and A.8.1, and add a Right to Disconnect section aligned with Loi 2016. I’ll include informed consent for remote wipe and BYOD controls, then run the labor-law overlap check for France.

    Agent: Running compliance_overlap_check with jurisdiction FR on the draft…

    Agent: Compliance Overlap Check — Result: 2 potential conflict(s) found. One line required “emergency contact” details without narrowing to genuine emergency; another mentioned monitoring “at any time.” I’ve revised both: emergency contact is now limited to “genuine emergency or exceptional circumstances,” and monitoring is scoped to work-related use with prior informed consent. Re-running the check…

    Agent: Re-run result: No conflicts flagged; alignment language present. The policy is ready for legal/HR review.

    What the Tools Validate

    The skill includes one validation tool that runs against the policy document:

    compliance_overlap_check ensures the remote work policy does not conflict with local labor law (e.g. Right to Disconnect):

    • Conflict patterns — Flags clauses that may breach labor-law expectations:
      • 24/7 or constant availability (contactable at all times, around the clock)
      • Obligation to be available or contactable outside working hours without narrowing
      • Unqualified expectation to respond promptly to calls/emails/messages
      • Broad emergency contact requirement without “genuine emergency” or “exceptional circumstances”
      • Monitoring or inspection of devices/activity without consent or scope (e.g. “at any time”)
      • Remote wipe mentioned without prior written consent and clear scope (work data only)
    • Alignment check — Confirms the document contains labor-law-friendly language: right to disconnect, normal working hours, genuine emergency, exceptional circumstances, informed consent, or that staff are not routinely required outside hours.
    • Jurisdiction — Optional parameter (FR, BR, IE, or ALL) tailors the report to France (droit à la déconnexion), Brazil (Lei 22.369/2023), Ireland (WRC Code), or generic overlap.

    The tool reports line-level conflicts with suggestions, and whether alignment language is present. Run after drafting or revising the policy; fix flagged clauses and re-run until no conflicts remain.
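The check described above, reduced to its essentials as an added example (this is illustrative code written for this page, not the skill's own `compliance_overlap_check` implementation): a line-level pass that flags the listed conflict patterns unless the same clause carries narrowing language, then reports whether alignment language is present anywhere in the document. The rule names, regular expressions, the `check_policy` function and the two sample policy texts are all assumptions constructed for the example; only the conflict categories, the alignment phrases and the jurisdiction labels come from the description above.

```python
"""Line-level labour-law overlap check over a teleworking policy (added example).

Not the skill's code: rule names, patterns and sample policies are constructed here.
"""
import re
from dataclasses import dataclass

# Jurisdiction labels as listed in the tool description.
JURISDICTIONS = {
    "FR": "France (droit à la déconnexion)",
    "BR": "Brazil (Lei 22.369/2023)",
    "IE": "Ireland (WRC Code)",
    "ALL": "generic labour-law overlap",
}

# Phrases whose presence anywhere in the document counts as alignment language.
ALIGNMENT_TERMS = (
    "right to disconnect", "normal working hours", "genuine emergency",
    "exceptional circumstances", "informed consent", "not routinely required",
)


@dataclass(frozen=True)
class Rule:
    name: str
    trigger: str        # regex (lower-case); a clause matching it is a candidate conflict
    narrowing: tuple    # groups of phrases; every group must be satisfied by one phrase
    suggestion: str


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    text: str
    suggestion: str


# Assumed rule set modelled on the conflict patterns in the description.
RULES = (
    Rule("constant availability",
         r"\b(24/7|around the clock|at all times|constantly available)\b",
         (),  # no wording narrows this; it is always a conflict
         "Limit availability to normal working hours."),
    Rule("out-of-hours availability",
         r"\b(available|contactable|reachable)\b.{0,60}\b(outside|after)\b.{0,30}\bhours\b",
         (("genuine emergency", "exceptional circumstances"),),
         "Narrow out-of-hours contact to genuine emergency or exceptional circumstances."),
    Rule("unqualified prompt response",
         r"\b(respond|reply|answer)\b.{0,40}\b(promptly|immediately|without delay)\b",
         (("normal working hours", "during working hours"),),
         "Tie response expectations to normal working hours."),
    Rule("broad emergency contact",
         r"\bemergency contact\b",
         (("genuine emergency", "exceptional circumstances"),),
         "Restrict emergency contact to genuine emergency or exceptional circumstances."),
    Rule("monitoring without consent or scope",
         r"\b(monitor|monitoring|inspect|inspection)\b",
         (("consent",), ("work-related", "scope")),
         "State prior informed consent and scope monitoring to work-related use."),
    Rule("remote wipe without consent or scope",
         r"\b(remote(ly)?[ -]wipe|wipe[ds]? remotely|erase)",
         (("written consent",), ("work data", "organisation-managed")),
         "Require prior written consent and limit wipe to work data."),
)


def _narrowed(clause: str, requirements: tuple) -> bool:
    """True when the clause satisfies every narrowing group of a rule."""
    if not requirements:
        return False
    return all(any(phrase in clause for phrase in group) for group in requirements)


def check_policy(text: str, jurisdiction: str = "ALL") -> dict:
    """Return line-level conflicts plus an alignment-language verdict."""
    if jurisdiction not in JURISDICTIONS:
        raise ValueError(f"unknown jurisdiction {jurisdiction!r}; use one of {sorted(JURISDICTIONS)}")
    conflicts = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        clause = raw.strip().lower()
        if not clause:
            continue
        for rule in RULES:
            if re.search(rule.trigger, clause) and not _narrowed(clause, rule.narrowing):
                conflicts.append(Finding(line_no, rule.name, raw.strip(), rule.suggestion))
    lowered = text.lower()
    found = [term for term in ALIGNMENT_TERMS if term in lowered]
    return {
        "jurisdiction": JURISDICTIONS[jurisdiction],
        "conflicts": conflicts,
        "alignment_terms": found,
        "alignment_present": bool(found),
    }


# Constructed sample: a first draft with three of the conflict patterns.
DRAFT_POLICY = """\
Personnel must provide emergency contact details and may be contacted in an emergency.
The organisation may monitor company devices at any time.
Devices enrolled in MDM may be remotely wiped if lost or stolen.
Full-disk encryption must be enabled on all devices used to access organisational data.
"""

# Constructed sample: the same clauses after the suggested narrowing was applied.
REVISED_POLICY = """\
Personnel are not routinely required to be contactable outside normal working hours; emergency contact details are used only in a genuine emergency or exceptional circumstances.
Monitoring of company devices is limited to work-related use and requires prior informed consent.
Devices enrolled in MDM may be remotely wiped with prior written consent; wipe is limited to work data.
Full-disk encryption must be enabled on all devices used to access organisational data.
"""

if __name__ == "__main__":
    for label, doc in (("draft", DRAFT_POLICY), ("revised", REVISED_POLICY)):
        report = check_policy(doc, "FR")
        print(f"[{label}] {report['jurisdiction']}: {len(report['conflicts'])} conflict(s); "
              f"alignment language present: {report['alignment_present']}")
        for f in report["conflicts"]:
            print(f"  line {f.line_no} [{f.rule}]: {f.text}\n    -> {f.suggestion}")
```

The narrowing groups encode the "without …" part of each pattern: a clause that mentions remote wipe is only clean when it carries both a written-consent phrase and a work-data scope phrase, while an emergency-contact clause needs just one of the two narrowing phrases. Running the block as a script reproduces the draft-then-revise loop from the conversation above: the draft yields three findings and no alignment language, the revision yields none and five alignment terms.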

    Output Excerpt

    A condensed excerpt from a generated Mobile Device & Teleworking Policy (France), after the compliance overlap check:

    **Normative references:** ISO/IEC 27001:2022 (A.5.17, A.6.7, A.8.1). France Loi 2016-1088 (droit à la déconnexion).
    
    ## 4. Right to Disconnect and Working Hours
    
    - The organisation respects the right to disconnect. Personnel are not required to be contactable outside **normal working hours** except in **genuine emergency** or **exceptional circumstances** as defined in the internal Right to Disconnect charter.
    - Out-of-hours contact must be limited to genuine emergency or critical business continuity need. This aligns with Loi 2016-1088 and the company charter on use of digital tools.
    - Monitoring or access to devices must not create an expectation of availability outside normal working hours. Technical controls (e.g. MDM) must be disclosed and consented to; scope limited to work-related use.
    
    ## 6. VPN and Network Security
    
    - Access to internal systems from outside the corporate network must use the organisation's approved **VPN**. VPN must be used when handling Confidential or Restricted information over untrusted networks (e.g. public Wi‑Fi, home networks). Home networks must meet minimum requirements: WPA2/WPA3, changed default router credentials.
    
    ## 7. Disk and Data Protection
    
    - **Full-disk encryption** (BitLocker, FileVault, or platform equivalent) must be enabled on all devices used to access organisational data.
    
    ## 8. Remote Wipe and Device Control
    
    - Where the organisation operates **remote wipe** or device lock/erase capabilities (MDM/EMM), affected personnel must give **prior written consent**. Wipe must be limited to work data or organisation-managed workspace; personal data must not be erased without separate legal basis.
    

    Run compliance_overlap_check with the appropriate jurisdiction (FR, BR, IE) before finalising so the policy satisfies both ISO 27001 and local labor law.

    Getting Started

    Add your source materials (e.g. existing HR charter, Right to Disconnect policy) to the project workspace, then activate the Mobile Device & Teleworking Policy (ISO 27001) skill. The agent will guide you through drafting from the template, filling VPN/encryption/remote wipe and BYOD rules, and validating labor-law alignment with the compliance overlap check.
