# Mobile Device & Teleworking Policy (ISO 27001)

> Draft and validate a Mobile Device & Teleworking Policy for ISO 27001:2022 (A.5.17, A.6.7, A.8.1). Covers BYOD, VPN, disk encryption, remote wipe consent, endpoint leakage risk, and compliance with Right to Disconnect (France, Brazil, Ireland). Includes labor-law overlap check.



Tags: Compliance, Security, ISO 27001, ISMS, Remote work, BYOD


## Example Prompts

- Draft a Mobile Device & Teleworking Policy for our organisation (France)
- Add BYOD and remote wipe consent rules aligned with ISO 27001 and Right to Disconnect
- Check our remote work policy for conflict with labor law in Brazil

URL: https://rakenne.app/skills/remote-work-risk-drafter/index.md




## Example Conversation

> **You:** We need a Mobile Device & Teleworking Policy for our French entity. We allow BYOD with MDM and want VPN, disk encryption, and remote wipe of work data—but we must respect the droit à la déconnexion.

> **Agent:** I'll draft the policy from the template, reference A.5.17, A.6.7, and A.8.1, and add a Right to Disconnect section aligned with Loi 2016. I'll include informed consent for remote wipe and BYOD controls, then run the labor-law overlap check for France.

> **Agent:** Running `compliance_overlap_check` with jurisdiction FR on the draft...

> **Agent:** Compliance Overlap Check — Result: **2 potential conflict(s) found.** One line required "emergency contact" details without narrowing to genuine emergency; another mentioned monitoring "at any time." I've revised both: emergency contact is now limited to "genuine emergency or exceptional circumstances," and monitoring is scoped to work-related use with prior informed consent. Re-running the check...

> **Agent:** Re-run result: **No conflicts flagged; alignment language present.** The policy is ready for legal/HR review.

## What the Tools Validate

The skill includes one validation tool that runs against the policy document:

**`compliance_overlap_check`** ensures the remote work policy does not conflict with local labor law (e.g. Right to Disconnect):

- **Conflict patterns** — Flags clauses that may breach labor-law expectations:
  - 24/7 or constant availability (contactable at all times, around the clock)
  - Obligation to be available or contactable outside working hours without narrowing
  - Unqualified expectation to respond promptly to calls/emails/messages
  - Broad emergency contact requirement without "genuine emergency" or "exceptional circumstances"
  - Monitoring or inspection of devices/activity without consent or scope (e.g. "at any time")
  - Remote wipe mentioned without prior written consent and clear scope (work data only)
- **Alignment check** — Confirms the document contains labor-law-friendly language: right to disconnect, normal working hours, genuine emergency, exceptional circumstances, informed consent, or that staff are not routinely required outside hours.
- **Jurisdiction** — Optional parameter (FR, BR, IE, or ALL) tailors the report to France (droit à la déconnexion), Brazil (Lei 22.369/2023), Ireland (WRC Code), or generic overlap.

The tool reports line-level conflicts with suggestions, and whether alignment language is present. Run after drafting or revising the policy; fix flagged clauses and re-run until no conflicts remain.
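A sketch of the kind of line-level check described above, as an added example (not Rakenne's code): the rule set, the `overlap_check` function name and the report shape are assumptions, and the sample clauses are constructed to mirror the two findings in the example conversation. Here the jurisdiction only labels the report.

```python
import re

# Hypothetical rules modelled on the conflict patterns listed above (the tool's
# real patterns are not shown on this page). Each rule: id, trigger regex,
# narrowing regexes that must ALL appear on the line to clear it, suggestion.
RULES = [
    ("availability",
     r"24/7|around the clock|at all times|outside (normal )?working hours",
     [r"not (routinely )?required|must not|genuine emergency|exceptional circumstances"],
     "Limit out-of-hours contact to genuine emergency or exceptional circumstances."),
    ("emergency-contact", r"emergency contact",
     [r"genuine emergency|exceptional circumstances"],
     "Narrow to genuine emergency or exceptional circumstances."),
    ("monitoring", r"\b(monitor(ing)?|inspect(ion)?)\b",
     [r"consent", r"work-related"],
     "Scope to work-related use with prior informed consent."),
    ("remote-wipe", r"remote(ly)? wipe",
     [r"(prior|written) consent", r"work data"],
     "Require prior written consent and limit the wipe to work data."),
]
ALIGNMENT = re.compile(r"right to disconnect|normal working hours|genuine emergency"
                       r"|exceptional circumstances|informed consent")
JURISDICTIONS = {"FR": "France (droit à la déconnexion)", "BR": "Brazil",
                 "IE": "Ireland (WRC Code)", "ALL": "generic overlap"}

def overlap_check(policy_text, jurisdiction="ALL"):
    """Return line-level conflicts and whether alignment language is present."""
    conflicts = []
    for number, line in enumerate(policy_text.splitlines(), start=1):
        low = line.lower()
        for rule_id, trigger, narrowing, suggestion in RULES:
            if re.search(trigger, low) and not all(re.search(p, low) for p in narrowing):
                conflicts.append({"line": number, "rule": rule_id, "suggestion": suggestion})
    return {"jurisdiction": JURISDICTIONS[jurisdiction], "conflicts": conflicts,
            "alignment_present": bool(ALIGNMENT.search(policy_text.lower()))}

# Constructed sample clauses, mirroring the two findings in the example conversation.
DRAFT = """Personnel must provide emergency contact details to IT.
The organisation may perform monitoring of devices at any time.
Remote wipe requires prior written consent and is limited to work data."""
REVISED = """Emergency contact is limited to genuine emergency or exceptional circumstances.
Monitoring is scoped to work-related use with prior informed consent.
Remote wipe requires prior written consent and is limited to work data."""

if __name__ == "__main__":
    for name, text in (("draft", DRAFT), ("revised", REVISED)):
        report = overlap_check(text, "FR")
        print(name, len(report["conflicts"]), "conflict(s); alignment:",
              report["alignment_present"])
        for c in report["conflicts"]:
            print(f"  line {c['line']} [{c['rule']}]: {c['suggestion']}")
```

Keyword matching of this kind flags wording, not legal meaning, so a clean report still goes to legal/HR review.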

## Output Excerpt

A condensed excerpt from a generated Mobile Device & Teleworking Policy (France), after compliance overlap check:

```markdown
**Normative references:** ISO/IEC 27001:2022 (A.5.17, A.6.7, A.8.1). France Loi 2016-1088 (droit à la déconnexion).

## 4. Right to Disconnect and Working Hours

- The organisation respects the right to disconnect. Personnel are not required to be contactable outside **normal working hours** except in **genuine emergency** or **exceptional circumstances** as defined in the internal Right to Disconnect charter.
- Out-of-hours contact must be limited to genuine emergency or critical business continuity need. This aligns with Loi 2016-1088 and the company charter on use of digital tools.
- Monitoring or access to devices must not create an expectation of availability outside normal working hours. Technical controls (e.g. MDM) must be disclosed and consented to; scope limited to work-related use.

## 6. VPN and Network Security

- Access to internal systems from outside the corporate network must use the organisation's approved **VPN**. VPN must be used when handling Confidential or Restricted information over untrusted networks (e.g. public Wi‑Fi, home networks). Home networks must meet minimum requirements: WPA2/WPA3, changed default router credentials.

## 7. Disk and Data Protection

- **Full-disk encryption** (BitLocker, FileVault, or platform equivalent) must be enabled on all devices used to access organisational data.

## 8. Remote Wipe and Device Control

- Where the organisation operates **remote wipe** or device lock/erase capabilities (MDM/EMM), affected personnel must give **prior written consent**. Wipe must be limited to work data or organisation-managed workspace; personal data must not be erased without separate legal basis.
```

Run `compliance_overlap_check` with the appropriate jurisdiction (FR, BR, IE) before finalising so the policy satisfies both ISO 27001 and local labor law.

## Getting Started

Add your source materials (e.g. existing HR charter, Right to Disconnect policy) to the project workspace, then activate the *Mobile Device & Teleworking Policy (ISO 27001)* skill. The agent will guide you through drafting from the template, filling VPN/encryption/remote wipe and BYOD rules, and validating labor-law alignment with the compliance overlap check.


