ISO 27001 Annex A 8.1 is about User End Point Device Security. This rule says that an organisation must create and follow rules to control devices you use to connect to your systems and data.
What is User End Point Device Security?
Endpoint devices are the equipment you use to do your job, and you must protect them. This security rule is about keeping these devices safe. It also helps to keep the data they handle, save, or send secure.
This control matters a lot because endpoint devices are often hard to control: their users are highly mobile. In today's mobile work environment, it is tough to know where a device will be used, which makes it hard to predict the risks you need to address.
Examples of endpoint devices include:
- Desktop computers
- Laptops
- Smartphones
- Tablets
- Other connected devices used to access company systems, such as POS terminals or IoT devices.
What is ISO 27001 Annex A 8.1?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “User Endpoint Device Security”.
What is the ISO 27001 Annex A 8.1 control objective?
The formal definition and control objective in the standard is: “Information stored on, processed by or accessible via user endpoint devices should be protected.”
What is the purpose of ISO 27001 Annex A 8.1?
The purpose of ISO 27001 Annex A 8.1 is “To protect information against the risks introduced by using user endpoint devices”.
Is ISO 27001 Annex A 8.1 Mandatory?
ISO 27001 Annex A control 8.1 (User Endpoint Device Security in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 8.1 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
1. Set Up an Endpoint Device Security Policy
You must start by writing a specific policy. This document clearly states what you expect your staff to do. A policy about securely setting up and using devices is your first step.
2. Know What Devices You Have
You need excellent asset management procedures so you always know which devices you own and what needs protection. A common mistake is not knowing what devices are connected to your network. You fix this with strong asset management, as mentioned in ISO 27001 Annex A 5.9 (Inventory of information and other associated assets).
3. Use Essential Security Tools for Devices
Today, you need a very strong reason to avoid installing basic tools like disk encryption and anti-malware software. These tools are your first line of defence.
You should also think about adding device management solutions. These give you more control over what the device can and cannot do. If you can remotely lock or wipe a device, you should think about doing this, too.
Examples of useful technical tools include:
- Encryption: Encrypt the hard drives and data on user devices. This helps if a device is lost or stolen.
- Antivirus and Anti-Malware: You must install and keep up-to-date antivirus software on all relevant devices.
- Configuration Management: Use secure starting setups, like those from CIS Benchmarks, to protect computers.
- Data Loss Prevention (DLP): Use tools to manage the use of USB drives and stop important data from leaving your company.
- Endpoint Device Management (EDM): You should deploy tools to make sure security rules are followed. These tools also allow you to manage devices from afar and can remotely wipe lost or stolen devices.
4. Review Your Backup Needs
Backups can be hard to manage. Usually, you will not need a formal way to back up every user device, unless the business requires it. However, you must consider what happens if people do their own personal backups. Where are these copies stored, and how secure are they? This can become complicated. For more details, read ISO 27001 Annex A 8.13 (Information Backup).
5. Teach Your Staff About Security
A large part of this control focuses on the user's role, and rightly so. You place a lot of trust in the people who use these devices. Your job is to set clear rules, give advice, share information, and train your staff. You must tell people not to do careless things like leaving devices unattended in public, or worse, leaving them unattended while still logged in. Devices must be protected from theft and locked or logged out when not in use. You can find more details on education and training in ISO 27001 Annex A 6.3 (Information Security Awareness, Education and Training).
6. Manage Risks from Personal Devices (BYOD)
People in smaller companies often prefer using their own devices. This is not perfect, but you can overcome it. You must consider the technical tools you can use to reduce risk. For example, using VPN access or a remote terminal access system can work. You would also be expected to check, either manually or automatically, that these devices have basic malware protection, are encrypted, and have the latest updates. The main problem here is that laws often make it hard to manage personal devices. For example, you likely cannot remotely wipe a personal phone or look at its contents. It is easier to allow personal devices than to manage them safely. The best plan is usually to spend the money and give people a work device they can use.
7. Change Asset Tags
In the past, people put physical tags on devices to track them. The modern idea is that you should take these off or replace them with non-obvious, unique tags. You do this so the asset does not become a target. For example, labelling a laptop with your company name or the word “confidential” can make it attractive to thieves.
8. Use Physical Security Measures
When managing endpoint devices, you must also think about ISO 27001 Annex A 7.5 (Protecting Against Physical and Environmental Threats). Even if you have no office, some physical security steps are needed. You need to train users not to leave devices unattended in public and to use items like:
- Privacy screen filters
- Automatic device locking after a short time
- Physical locks when needed
- Lockable storage at home
- Shredders for home use
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will look for:
1. That you have an asset register
The auditor will check that you have a list of assets and a way to manage them. They will want to see all your end-user devices in this register and that you have assigned them to specific people. They will also look for personal devices, like bring your own devices (BYOD), that connect to or use the services that are part of your security scope.
2. That devices are protected and checked
The auditor will check that the proper security rules are on the end-user device. The common rules they look for are antivirus and encryption. You should start with your Statement of Applicability (SOA) and the rules you said were in scope. They want to see proof that you check these rules often. If a check fails, they will want to see what you did to fix it, with proof of an example. This ties into ISO 27001 Annex A Control 5.9, which covers your list of assets.
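The checks described in steps 2, 3 and 6 above, and the "proof that you check these rules often" an auditor asks for, can be produced from the asset register itself. The script below is an added example, not code from the original article or from any ISO standard; the register field names, the sample rows and the age thresholds are constructed assumptions standing in for whatever your MDM or inventory tool exports.

```python
"""Evaluate an endpoint asset register against the Annex A 8.1 checks:
every device has an owner, disk encryption and anti-malware are on,
signatures and patches are recent. Produces one finding list per device,
which is the kind of evidence an auditor asks to see."""
from datetime import date

# Assumed thresholds: adjust to your own policy.
REQUIRED_CONTROLS = ("encryption", "anti_malware")
MAX_AV_AGE_DAYS = 7       # anti-malware signatures older than a week fail
MAX_PATCH_AGE_DAYS = 30   # OS patches older than 30 days fail
AS_OF = date(2024, 5, 3)  # constructed reference date for the sample run

# Constructed sample register rows (not real assets or people).
SAMPLE_REGISTER = [
    {"asset_id": "LT-001", "owner": "a.smith", "byod": False,
     "encryption": True, "anti_malware": True,
     "av_signature_date": "2024-05-01", "last_patch_date": "2024-04-20"},
    {"asset_id": "LT-002", "owner": "", "byod": False,
     "encryption": True, "anti_malware": True,
     "av_signature_date": "2024-05-02", "last_patch_date": "2024-04-25"},
    {"asset_id": "PH-007", "owner": "b.jones", "byod": True,
     "encryption": False, "anti_malware": True,
     "av_signature_date": "2024-03-01", "last_patch_date": "2024-01-15"},
]


def check_device(device, today=AS_OF):
    """Return the findings for one register row; an empty list means compliant."""
    findings = []
    if not device.get("owner"):
        findings.append("no assigned owner")
    for control in REQUIRED_CONTROLS:
        if not device.get(control):
            findings.append(f"{control} not enabled")
    av_age = (today - date.fromisoformat(device["av_signature_date"])).days
    if av_age > MAX_AV_AGE_DAYS:
        findings.append(f"anti-malware signatures {av_age} days old")
    patch_age = (today - date.fromisoformat(device["last_patch_date"])).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches {patch_age} days old")
    return findings


def audit_register(register, today=AS_OF):
    """Map asset_id -> findings for every device in the register."""
    return {d["asset_id"]: check_device(d, today) for d in register}


def non_compliant(register, today=AS_OF):
    """Asset ids that need remediation, with BYOD devices marked for manual follow-up."""
    results = audit_register(register, today)
    byod = {d["asset_id"] for d in register if d.get("byod")}
    return sorted(f"{aid}{' (BYOD)' if aid in byod else ''}"
                  for aid, f in results.items() if f)
```

Run on the sample rows, LT-001 passes, LT-002 fails only for a missing owner, and the BYOD phone fails on encryption, stale signatures and stale patches; keeping each run's output with its date gives the repeated-check evidence the auditor looks for.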
A great side note here is that they will also check that you make sure devices used by auditors or testers are secure to your standards before allowing them to connect. This rule is part of ISO 27001 Annex A 8.34, which is about protecting your systems during audit testing.
3. Anyone they audit
The auditor will probably check anyone they audit. Their usual way of working is to ask the person to share their screen. Then, they will tell you to show the technical rules you have in place. They might say, “Show me that your antivirus is running,” for example. They do not usually look at your desktop or trash bin for things that shouldn’t be there. Before the audit, you should ask everyone being audited to clean up their computer, assuming they will be asked to share their screen. You can say no, based on privacy, but the auditor needs to see a few sample devices. If you refuse, they will just ask someone else.