The transition from ISO 27001:2013 to the 2022 version has brought about several significant shifts in how we think about information security. One of the most important updates is found in the transition from the old Control 6.2.1 (Mobile Device Policy) to the much more expansive Annex A 8.1: User Endpoint Device Security. If you are updating your Statement of Applicability (SoA), this is a control you cannot afford to overlook.
In 2013, the world was just starting to grapple with “work from home” and the early days of smartphones. Fast forward to 2022, and the “perimeter” of the office has essentially disappeared. Annex A 8.1 reflects this reality by broadening the scope from just “mobile devices” to every single endpoint that touches your data.
The Evolution of Scope: Beyond Mobile Devices
In the 2013 standard, the focus was quite narrow. Control 6.2.1 was primarily concerned with mobile devices: the phones and tablets that might leave the office. The 2022 update recognises that today a desktop in a home office, a virtual machine in the cloud, or even an IoT device in a lobby is an “endpoint” too.
Annex A 8.1 now covers all user endpoint devices. This includes laptops, PCs, smartphones, tablets, and any other hardware used by individuals to access your network. According to Hightable.io, this change in terminology from “mobile” to “endpoint” is one of the most critical shifts for organisations to document during their transition audit.
Key Changes and New Requirements
While the previous version focused on having a policy, the 2022 version demands active, technical enforcement. Here are the primary differences you need to be aware of:
- Comprehensive Endpoint Coverage: As mentioned, the scope now includes desktops and fixed equipment, not just portable ones.
- Increased User Responsibility: There is a new, explicit requirement for personnel to act with “extra care” when using devices in public spaces. This means your training needs to cover more than just “don’t lose your phone.”
- BYOD Clarity: The 2022 standard is much more comprehensive regarding “Bring Your Own Device” (BYOD). It explicitly addresses intellectual property (IP) rights for work created on personal devices, a huge legal and security gap in the older version.
- Theme-Based Grouping: Annex A 8.1 is now classified as a Technological Control. In the 2013 version, it sat within the “Organisation of Information Security” domain.
The Role of Attributes in Annex A 8.1
One of the best features of the ISO 27001:2022 update is the introduction of “Attributes.” These help you categorise controls so you can filter your risk treatment plan more effectively. For Annex A 8.1, the attributes are:
| Attribute Type | Value for Annex A 8.1 |
|---|---|
| Control Type | Preventive |
| Information Security Properties | Confidentiality, Integrity, Availability |
| Cybersecurity Concepts | Protect |
| Operational Capabilities | Asset Management, Information Protection |
Practical Steps for Compliance
If you are moving your ISMS from the 2013 to the 2022 version, you will need to do more than just update a few numbers in your policy documents. Hightable.io emphasises that auditors will be looking for evidence of active management.
- Update Your Policy: Your “Mobile Device Policy” should be renamed and rewritten as a “User Endpoint Device Security Policy.” It must cover secure configuration, software update rules, and restrictions on connecting to public Wi-Fi.
- Expand the Asset Register: Ensure every endpoint, whether corporate-owned or personal (BYOD) is accounted for in your inventory.
- Technical Enforcement: Use Mobile Device Management (MDM, or unified endpoint management) to enforce configuration and patching and to enable remote wipe, and Endpoint Detection and Response (EDR) tools to detect compromise. You need to prove you can remotely wipe data if a device is lost or if an employee leaves the company, so unenrolled devices are a gap an auditor will notice.
- Address IP Rights: If you allow personal devices, your contracts or policies must clearly state who owns the work produced on those devices.
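The four steps above come together in one piece of audit evidence: a reconciliation of the asset register against what the MDM actually sees. The script below is an added example, not code from the original article or from Hightable.io. It assumes a constructed CSV asset register and a constructed MDM export with the field names shown (`serial`, `os_patch_date`, `disk_encrypted`, `remote_wipe_enabled`); real MDM/UEM exports use their own schemas, and the 30-day patch threshold is an assumed policy value. It flags registered devices the MDM cannot wipe, enrolled devices missing from the inventory, and known devices that breach the policy, including BYOD devices without a signed IP agreement.

```python
"""Reconcile an endpoint asset register against an MDM compliance export.

Added example (not from the original article). Inputs are constructed:
a CSV asset register and a JSON MDM export with assumed field names.
"""
import csv
import io
import json
from datetime import date, datetime

# Constructed sample asset register (the ISMS inventory). Values are
# illustrative, not from any real organisation.
ASSET_REGISTER_CSV = """asset_id,serial,owner,ownership,ip_agreement_signed
A-001,SN1001,alice,corporate,n/a
A-002,SN1002,bob,byod,yes
A-003,SN1003,carol,byod,no
A-004,SN1004,dave,corporate,n/a
"""

# Constructed MDM export: one record per enrolled device. The field names
# are an assumption for this example, not a real product's schema.
MDM_EXPORT_JSON = """[
 {"serial": "SN1001", "os_patch_date": "2024-05-20", "disk_encrypted": true,  "remote_wipe_enabled": true},
 {"serial": "SN1002", "os_patch_date": "2024-03-01", "disk_encrypted": true,  "remote_wipe_enabled": true},
 {"serial": "SN1003", "os_patch_date": "2024-05-25", "disk_encrypted": false, "remote_wipe_enabled": true},
 {"serial": "SN9999", "os_patch_date": "2024-05-25", "disk_encrypted": true,  "remote_wipe_enabled": false}
]"""

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold for this example


def load_register(text):
    """Index the asset register by device serial number."""
    return {row["serial"]: row for row in csv.DictReader(io.StringIO(text))}


def load_mdm(text):
    """Index the MDM export by device serial number."""
    return {rec["serial"]: rec for rec in json.loads(text)}


def reconcile(register, mdm, today):
    """Compare inventory and MDM view; return findings an auditor would ask about."""
    findings = {"not_enrolled": [], "not_in_register": [], "non_compliant": {}}

    # Registered devices the MDM cannot see: no remote wipe is possible.
    findings["not_enrolled"] = sorted(set(register) - set(mdm))

    # Enrolled devices the inventory does not know about (shadow endpoints).
    findings["not_in_register"] = sorted(set(mdm) - set(register))

    # Devices known to both: check each against the endpoint policy.
    for serial in sorted(set(register) & set(mdm)):
        issues = []
        rec, asset = mdm[serial], register[serial]
        if not rec["disk_encrypted"]:
            issues.append("disk not encrypted")
        if not rec["remote_wipe_enabled"]:
            issues.append("remote wipe disabled")
        patched = datetime.strptime(rec["os_patch_date"], "%Y-%m-%d").date()
        if (today - patched).days > MAX_PATCH_AGE_DAYS:
            issues.append(f"OS patch older than {MAX_PATCH_AGE_DAYS} days")
        if asset["ownership"] == "byod" and asset["ip_agreement_signed"] != "yes":
            issues.append("BYOD without signed IP/acceptable-use agreement")
        if issues:
            findings["non_compliant"][serial] = issues
    return findings


def run(today=date(2024, 6, 1)):
    """Run the reconciliation on the constructed inputs for a fixed audit date."""
    return reconcile(load_register(ASSET_REGISTER_CSV), load_mdm(MDM_EXPORT_JSON), today)


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The output is the evidence pack for this control: the `not_enrolled` list is the set of devices you could not wipe today, `not_in_register` is the set your inventory (and therefore your risk assessment) has never considered, and `non_compliant` maps each known device to the specific policy clauses it fails. Running it on a schedule and keeping the output is far more convincing to an auditor than a policy document alone.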

Why the Change Matters
The 2022 version of Annex A 8.1 isn’t just “regulatory red tape.” It is a response to how we actually work today. A large share of breaches now start at an endpoint: a forgotten laptop in a café, a personal phone with a malware-laden app, or an unpatched home PC. By aligning with the 2022 standard, you are building a defensive perimeter that travels with your employees, wherever they happen to be working.
As Hightable.io points out, controls 7.14 (Secure Disposal or Re-use of Equipment) and 8.1 (User Endpoint Devices) together create a full lifecycle of security for your hardware. From the moment a device is assigned to the moment it is securely wiped or destroyed, the 2022 standard ensures there are no gaps for data to leak through.
Final Thoughts
Transitioning to ISO 27001:2022 Annex A 8.1 is an opportunity to modernise your security posture. It moves the focus from “where the device is” to “what the device can access.” By implementing robust endpoint controls, you aren’t just passing an audit; you are securing the most vulnerable entries to your network.
