
Written by Policy Pros, UK Policy Writing Specialists
Last reviewed:
Remote Access Policy Writers
Remote and hybrid working have become a permanent feature of the UK workplace. Whether employees are connecting from home, from client sites or while travelling, organisations must have a clear and enforceable remote access policy that governs how systems and data are accessed from outside the corporate network. Without such a policy, organisations expose themselves to significant cyber security risks, potential data breaches and non-compliance with UK data protection and security regulations.
At Policy Pros, we write bespoke remote access policies for organisations of all sizes. Our policies are aligned with UK GDPR, the Cyber Essentials scheme, the Network and Information Systems (NIS) Regulations 2018 and ISO 27001, ensuring that your organisation can offer flexible working arrangements without compromising security or compliance.
What a Remote Access Policy Must Cover
A remote access policy defines who can access the organisation's systems and data remotely, from where, using what devices, and under what conditions. It is a critical component of any organisation's information security management system (ISMS) and is specifically referenced in the Cyber Essentials scheme and ISO 27001 Annex A controls.
At its core, a remote access policy must address the following areas:
- Who is authorised to access systems remotely: The policy must define which employees, contractors and third parties are permitted to access the organisation's network and applications from external locations. Access should be granted on a need-to-know basis, aligned with the principle of least privilege.
- What systems and data can be accessed: Not all systems should be available remotely. The policy should specify which applications, databases, file shares and services are accessible from outside the corporate network and which require on-site access only.
- From where access is permitted: The policy should address whether access is restricted to the UK or permitted from overseas locations. Accessing systems from countries without adequate data protection laws may raise UK GDPR compliance issues, particularly if personal data is involved.
- What devices may be used: The policy must state whether access is restricted to corporate-managed devices or whether personal devices (BYOD) are permitted, and under what conditions.
VPN Requirements and Acceptable Use
A Virtual Private Network (VPN) creates an encrypted tunnel between the user's device and the organisation's network, protecting data in transit from interception. For many organisations, a VPN is the primary mechanism for securing remote access, and the remote access policy should set out clear rules for its use.
The policy should specify:
- That all remote connections to the corporate network must be made through the approved VPN
- That split tunnelling (where some traffic bypasses the VPN) is prohibited unless explicitly authorised by the IT security team
- That the VPN client must be kept up to date with the latest patches and security updates
- That VPN connections must not be shared with other users or used to provide third parties with access to the network
- Session timeout settings to ensure that idle connections are terminated after a defined period
UK GDPR Article 32 requires organisations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of personal data in transit. A properly configured VPN is one of the most effective ways to meet this requirement for remote workers. The NIS Regulations 2018, which apply to operators of essential services and relevant digital service providers, impose similar obligations regarding the security of network and information systems.
Multi-Factor Authentication Under Cyber Essentials
The NCSC Cyber Essentials scheme, which is a baseline cyber security standard widely adopted across the UK, requires multi-factor authentication (MFA) for all cloud services and for any remote access to the organisation's network. MFA requires users to provide at least two forms of verification before access is granted, typically something the user knows (a password) and something the user has (a code from an authenticator app or a hardware token).
Since the Cyber Essentials requirements were updated, MFA is mandatory for all user accounts that are accessible from the internet. This includes email accounts, cloud-based file storage, VPN connections and any web-based applications that contain business or personal data. Passwords alone are no longer considered sufficient, as credential theft through phishing, brute force attacks and data breaches remains one of the most common attack vectors.
The remote access policy should mandate MFA for all remote connections and specify the approved methods of authentication. It should also prohibit the use of SMS-based one-time passwords where possible, as these are considered less secure than app-based authenticators or hardware security keys. ISO 27001 control A.8.5 (Secure Authentication) similarly requires organisations to implement strong authentication mechanisms appropriate to the sensitivity of the systems and data being accessed.
BYOD Considerations
Bring Your Own Device (BYOD) policies allow employees to use their personal smartphones, tablets and laptops for work purposes. While BYOD can reduce hardware costs and improve employee satisfaction, it introduces significant security risks that must be addressed in the remote access policy.
Key BYOD considerations include:
- Device security requirements: Personal devices used for work should meet minimum security standards, including up-to-date operating systems, enabled encryption, screen lock with a strong passcode, and current antivirus or endpoint protection software. Cyber Essentials requires that all devices accessing organisational data are securely configured.
- Separation of personal and corporate data: The policy should specify how corporate data is segregated from personal data on the device, for example through containerisation or mobile device management (MDM) software.
- Remote wipe capability: The organisation should have the ability to remotely wipe corporate data from a personal device if it is lost, stolen or if the employee leaves the organisation. This must be communicated clearly to employees, and their consent should be obtained.
- Application restrictions: The policy may restrict which applications can be installed on devices used for work, or prohibit the use of unapproved cloud storage services for corporate data.
- UK GDPR implications: If personal data is processed on a BYOD device, the organisation remains the data controller and must ensure that appropriate safeguards are in place. This includes conducting a data protection impact assessment (DPIA) where necessary.
For a detailed BYOD policy, see our dedicated BYOD policy writing service.
Privileged Access Management
Privileged access accounts, such as system administrator accounts, database administrator accounts and service accounts, present a particularly high risk when accessed remotely. If a privileged account is compromised, an attacker could gain full control of the organisation's systems, exfiltrate data or deploy ransomware.
The remote access policy should include specific controls for privileged access, including:
- Restricting privileged access to corporate-managed devices only (no BYOD for admin functions)
- Requiring additional authentication factors for privileged accounts
- Implementing just-in-time (JIT) access, where elevated privileges are granted only when needed and automatically revoked after a set period
- Logging and monitoring all privileged access sessions, with alerts for unusual activity
- Prohibiting the use of shared or generic administrator accounts
ISO 27001 control A.8.2 (Privileged Access Rights) requires that the allocation and use of privileged access rights be restricted and controlled. The NCSC also publishes specific guidance on protecting privileged accounts, recommending that organisations use dedicated admin workstations that are not used for general browsing or email.
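The controls listed above (managed devices only, an extra factor, just-in-time elevation with automatic revocation, full logging, no shared admin accounts) can be expressed as a small access broker. The following Python is an added illustration, not Policy Pros' code and not any product's API; the account names, the list of generic administrator names, the required factor set and the 60-minute cap are all constructed assumptions.

```python
"""Just-in-time privileged access broker: an added illustration, not Policy Pros' code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Shared or generic administrator names the policy prohibits (constructed list).
GENERIC_ADMIN_ACCOUNTS = {"admin", "administrator", "root", "sysadmin"}


@dataclass(frozen=True)
class AccessRequest:
    user: str              # the named individual asking for elevation
    account: str           # the privileged account they want to use
    device_managed: bool   # True only for a corporate-managed device (no BYOD for admin work)
    factors: frozenset     # authentication factors presented, e.g. {"password", "hardware_key"}


@dataclass
class Grant:
    user: str
    account: str
    granted_at: datetime
    expires_at: datetime


class JitPrivilegeBroker:
    """Grants elevated privileges for a bounded window and records every decision."""

    def __init__(self, max_duration=timedelta(minutes=60),
                 required_factors=frozenset({"password", "hardware_key"})):
        self.max_duration = max_duration          # hard cap on any single grant (assumed)
        self.required_factors = required_factors  # extra factor beyond the normal MFA baseline
        self.active = {}   # (user, account) -> Grant
        self.audit = []    # (when, user, account, outcome): the privileged-access log

    def _log(self, when, user, account, outcome):
        self.audit.append((when, user, account, outcome))

    def request(self, req, duration=None, now=None):
        """Return a Grant if the request satisfies the policy, otherwise None (logged either way)."""
        now = now or datetime.now(timezone.utc)
        duration = min(duration or self.max_duration, self.max_duration)
        if req.account.lower() in GENERIC_ADMIN_ACCOUNTS:
            self._log(now, req.user, req.account, "denied: shared or generic admin account")
            return None
        if not req.device_managed:
            self._log(now, req.user, req.account, "denied: unmanaged (BYOD) device")
            return None
        missing = self.required_factors - req.factors
        if missing:
            self._log(now, req.user, req.account, f"denied: missing factors {sorted(missing)}")
            return None
        grant = Grant(req.user, req.account, now, now + duration)
        self.active[(req.user, req.account)] = grant
        self._log(now, req.user, req.account, f"granted until {grant.expires_at.isoformat()}")
        return grant

    def is_active(self, user, account, now=None):
        now = now or datetime.now(timezone.utc)
        grant = self.active.get((user, account))
        return grant is not None and now < grant.expires_at

    def expire(self, now=None):
        """Revoke every grant whose window has elapsed; returns the revoked grants."""
        now = now or datetime.now(timezone.utc)
        revoked = [g for g in self.active.values() if now >= g.expires_at]
        for g in revoked:
            del self.active[(g.user, g.account)]
            self._log(now, g.user, g.account, "revoked: window elapsed")
        return revoked


def run_demo():
    """Walk through one granted request, three denials and the automatic revocation."""
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    both = frozenset({"password", "hardware_key"})
    broker = JitPrivilegeBroker()
    grant = broker.request(AccessRequest("a.jones", "dba_a.jones", True, both),
                           duration=timedelta(minutes=30), now=t0)
    denied = [
        broker.request(AccessRequest("b.lee", "admin", True, both), now=t0),       # generic account
        broker.request(AccessRequest("b.lee", "dba_b.lee", False, both), now=t0),  # personal device
        broker.request(AccessRequest("b.lee", "dba_b.lee", True, frozenset({"password"})), now=t0),
    ]
    active_mid_window = broker.is_active("a.jones", "dba_a.jones", now=t0 + timedelta(minutes=10))
    revoked = broker.expire(now=t0 + timedelta(minutes=30))
    active_after = broker.is_active("a.jones", "dba_a.jones", now=t0 + timedelta(minutes=30))
    return {"grant": grant, "denied": denied, "active_mid_window": active_mid_window,
            "revoked": revoked, "active_after": active_after, "audit": broker.audit}


if __name__ == "__main__":
    for when, user, account, outcome in run_demo()["audit"]:
        print(when.isoformat(), user, account, outcome)
```

Every decision, including denials, lands in the audit list, which is the record a later investigation or an ISO 27001 A.8.2 review would want; in a real deployment the `expire` sweep would run on a timer and the audit entries would be shipped to the central log platform rather than kept in memory.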
Monitoring and Logging: Balancing Security with Employee Privacy
Effective remote access security requires monitoring and logging of remote sessions to detect unauthorised access, identify policy violations and support incident investigation. However, monitoring must be balanced against the employee's right to privacy under UK GDPR and the Human Rights Act 1998 (Article 8, right to respect for private and family life).
UK GDPR Article 5(1)(a) requires that personal data be processed lawfully, fairly and in a transparent manner. If the organisation monitors remote access activity, employees must be informed about what data is collected, the purpose of monitoring, how long logs are retained and who has access to the data. This information should be set out in the remote access policy and/or a separate employee monitoring policy, and should also be referenced in the organisation's privacy notice.
The Information Commissioner's Office (ICO) has published guidance on monitoring at work, which emphasises that monitoring should be proportionate, necessary and the least intrusive means of achieving the legitimate aim. Blanket surveillance of all employee activity, including personal browsing on BYOD devices, is unlikely to be proportionate and could result in a data protection complaint or claim.
The remote access policy should therefore:
- State clearly that remote access sessions may be monitored and logged
- Explain what data is collected (for example, connection times, IP addresses, applications accessed)
- Specify the retention period for access logs
- Confirm that monitoring is proportionate and designed to protect organisational security
- Ensure that employees have acknowledged and understood the monitoring arrangements
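To show what proportionate monitoring of the data the policy names (connection times, IP addresses, applications accessed) looks like in practice, the following Python runs the policy's own rules over a few constructed log lines and then applies the stated retention period. It is an added illustration, not Policy Pros' code and not the output format of any real VPN product: the CSV-style field layout, the usernames, the documentation-range IP addresses, the user-assigned country code `ZZ` standing for a non-permitted location, and every value in `POLICY` are assumptions.

```python
"""Remote-access log checks and retention: an added illustration, not Policy Pros' code."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log, one event per line (assumed layout):
# timestamp,user,source_ip,country,device,event,account_type
SAMPLE_LOG = """\
2024-03-04T08:55:12Z,jsmith,203.0.113.5,GB,managed,vpn_connect,user
2024-03-04T09:10:33Z,jsmith,203.0.113.5,GB,managed,app_access:hr-portal,user
2024-03-04T10:05:40Z,jsmith,203.0.113.5,GB,managed,app_access:file-share,user
2024-03-04T10:30:02Z,jsmith,203.0.113.5,GB,managed,vpn_disconnect,user
2024-03-04T02:14:09Z,dadmin,198.51.100.7,ZZ,personal,vpn_connect,privileged
2024-03-04T02:20:51Z,dadmin,198.51.100.7,ZZ,personal,app_access:db-admin,privileged
2023-11-01T07:30:00Z,old.user,192.0.2.9,GB,managed,vpn_connect,user
"""

# Assumed policy parameters; an organisation sets its own in the written policy.
POLICY = {
    "permitted_countries": {"GB"},          # access restricted to the UK
    "idle_timeout": timedelta(minutes=30),  # idle sessions should have been terminated
    "privileged_hours": (7, 19),            # privileged use expected 07:00-19:00 UTC
    "retention_days": 90,                   # retention period stated to employees
}

FIELDS = ("ts", "user", "ip", "country", "device", "event", "account_type")


def parse_log(text):
    """Parse the CSV-style lines into dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = dict(zip(FIELDS, line.split(",")))
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event)
    return events


def check_events(events, policy):
    """Return the set of (user, reason) findings that breach the stated policy rules."""
    findings = set()
    start_hour, end_hour = policy["privileged_hours"]
    by_user = defaultdict(list)
    for e in events:
        if e["country"] not in policy["permitted_countries"]:
            findings.add((e["user"], "access from non-permitted location"))
        if e["account_type"] == "privileged":
            if e["device"] != "managed":
                findings.add((e["user"], "privileged account used from unmanaged device"))
            if not start_hour <= e["ts"].hour < end_hour:
                findings.add((e["user"], "privileged access outside expected hours"))
        by_user[e["user"]].append(e)
    # Idle-timeout check: a gap longer than the timeout between two events of the same
    # session, with no disconnect in between, means the timeout was not enforced.
    for user, evs in by_user.items():
        evs.sort(key=lambda ev: ev["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["event"] == "vpn_disconnect":
                continue  # a new session starts here, so the gap is not idle time
            if cur["ts"] - prev["ts"] > policy["idle_timeout"]:
                findings.add((user, "idle session exceeded timeout without disconnect"))
    return findings


def apply_retention(events, policy, now):
    """Drop events older than the retention period the policy promises employees."""
    cutoff = now - timedelta(days=policy["retention_days"])
    return [e for e in events if e["ts"] >= cutoff]


def run_demo():
    """Run the checks and the retention purge over the constructed log as at 2024-03-05."""
    events = parse_log(SAMPLE_LOG)
    now = datetime(2024, 3, 5, tzinfo=timezone.utc)  # constructed 'current' date
    retained = apply_retention(events, POLICY, now)
    return {"total": len(events), "findings": check_events(events, POLICY),
            "retained": len(retained)}


if __name__ == "__main__":
    result = run_demo()
    for user, reason in sorted(result["findings"]):
        print(f"ALERT {user}: {reason}")
    print(f"{result['retained']} of {result['total']} events within retention")
```

The checks only ever consume the fields the policy says are collected, which is what makes the monitoring defensible as proportionate: nothing here inspects content, personal browsing or anything outside the corporate session, and the retention purge is the mechanism that makes the retention period stated in the policy true in practice.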
Template Policy Structure
A well-structured remote access policy typically follows this format:
- Policy statement and purpose
- Scope (who the policy applies to, including employees, contractors and third parties)
- Definitions (remote access, VPN, MFA, privileged access, BYOD)
- Roles and responsibilities (IT, information security, line managers, users)
- Authorisation and access request procedures
- Approved remote access methods (VPN, secure cloud platforms)
- Authentication requirements (passwords, MFA)
- Device requirements (corporate-managed and BYOD)
- Encryption and data protection requirements
- Acceptable use of remote access
- Privileged access controls
- Monitoring, logging and audit
- Incident reporting and response
- Non-compliance and disciplinary action
- Review date and version control
How Policy Pros Can Help
Policy Pros writes remote access policies that are technically robust, legally compliant and practical to implement. We align our policies with UK GDPR Article 32, the NCSC Cyber Essentials scheme, the NIS Regulations 2018 and ISO 27001, ensuring that your organisation meets both regulatory requirements and industry best practice.
We also write complementary policies including IT security policies, BYOD policies, acceptable use policies and incident response procedures. Whether you need a single remote access policy or a complete information security policy suite, our team is here to support you.
For more information and a quote, please get in touch.