- See ISO 27002:2022 Control 8.1 for more information.
- See ISO 27001:2013 Annex A 6.2.1 for more information.
- See ISO 27001:2013 Annex A 11.2.8 for more information.
Protecting Endpoint Devices: A Guide to ISO 27001 Annex A 8.1
The transition to remote working and the increased reliance on mobile devices have been advantageous for employee productivity and cost-saving for organisations. Unfortunately, user endpoints like laptops, mobile phones and tablets are susceptible to cyber threats. Cyber criminals often leverage these devices to gain illicit access to corporate networks and compromise confidential information.
Cyber criminals may seek to target employees with phishing, persuading them to download a malware-infected attachment, which can be used to spread the malware throughout the corporate network. This can lead to the loss of availability, integrity, or confidentiality of information assets.
A survey of 700 IT professionals revealed that 70% of organisations experienced a breach in their information assets and IT infrastructure due to a user device attack in 2020.
ISO 27001:2022 Annex A Control 8.1 outlines steps organisations can take to ensure their information assets hosted or processed on user endpoint devices are protected from compromise, loss or theft. This includes establishing, maintaining, and implementing relevant policies, procedures and technology measures.
Purpose of ISO 27001:2022 Annex A 8.1
ISO 27001:2022 Annex A 8.1 allows companies to guard and uphold the security, confidentiality, integrity, and availability of information assets stored on or accessible from endpoint user devices. This is achieved by establishing suitable policies, procedures, and controls.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Ownership of Annex A 8.1
The Chief Information Security Officer should take responsibility for ensuring compliance with the demands of ISO 27001:2022 Annex A Control 8.1, which necessitate the creation and maintenance of organisation-wide policy, procedures and technical measures.
General Guidance on ISO 27001:2022 Annex A 8.1 Compliance
Organisations must, per ISO 27001:2022 Annex Al 8.1, create a policy that covers the secure configuration and use of user endpoint devices.
Personnel must be made aware of this policy, which encompasses:
- What kind of data, especially in terms of security level, can be processed, saved, or utilised in user endpoints?
- Devices must be registered.
- Physical protection of devices is mandatory.
- It is forbidden to install software programs on devices.
- Rules for installing software on devices and updating software must be followed.
- The rules governing the connection of user endpoint devices to the public network or to networks located off-site.
- Access controls.
- The storage media hosting information assets must be encrypted.
- Devices shall be safeguarded against malware intrusions.
- Devices can be disabled or barred from use, and data stored in them can be deleted remotely.
- Back-up plans and protocols should be in place.
- Rules regarding the use of web applications and services.
- Analysing end-user behaviour to gain insights into how they interact with the system.
- Removable storage media, such as USB drives, can be employed to great effect. Moreover, physical ports, e.g., USB ports, can be disabled.
- Segregation capabilities can be utilised to keep the organisation’s information assets distinct from other assets saved on the user device.
Organisations should think about banning the storage of delicate data on user end-point devices via technical controls, according to the General Guidance.
Disablement of local storage functions such as SD cards may be among the technical controls employed.
Organisations should implement Configuration Management as outlined in ISO 27001:2022 Annex A Control 8.9 and utilise automated tools.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Supplementary Guidance on User Responsibility
Staff should be informed of the security measures for user endpoint devices and their duties to comply with them. Additionally, they should understand their role in implementing these measures and procedures.
Organisations should direct personnel to observe the following regulations and processes:
- Once a service is no longer needed or a session has finished, users should log out and terminate the service.
- Personnel should not leave their devices unsupervised. When not in use, staff should ensure the security of their devices by utilising physical measures such as key locks and technical measures like strong passwords.
- Staff should exercise extra caution when using end-point devices that contain confidential data in public places that lack security.
- User endpoint devices must be safeguarded against theft, particularly in hazardous places such as hotel rooms, meeting rooms or public transit.
Organisations should devise a special system for managing the loss or theft of user endpoint devices. This system must be constructed considering legal, contractual and security needs.
Supplementary Guidance on Use of Personal Devices (BYOD)
Permitting personnel to use their own devices for work-related activities can save organisations money, however, it exposes confidential data to potential risks.
ISO 27001:2022 Annex A 8.1 suggests five things for organisations to take into account when permitting staff to use their personal devices for work-related activities:
- Technical measures such as software tools should be put in place to separate personal and business use of devices, safeguarding the organisation’s information.
- Personnel can have access to their own device on condition that they consent to the following:
- Staff acknowledge their duty to physically safeguard devices and fulfil essential software updates.
- Personnel agree not to assert any rights of ownership over the company’s data.
- Personnel concur that the data in the device can be wiped remotely if it is lost or stolen, in accordance with legal guidelines for personal info.
- Set up guidelines regarding rights to intellectual property generated using user endpoint gadgets.
- Regarding the statutory restrictions on such access, how personnel’s private devices will be accessed.
- Permitting staff to employ their individual gadgets can bring about legal responsibility caused by the application of third-party software on these gadgets. Companies should reflect on the software licensing agreements they possess with their providers.
Supplementary Guidance on Wireless Connections
Organisations should create and sustain practices for:
- Configuring the wireless connections on the devices should be done with care. Ensure each connection is secure and reliable.
- Wireless or wired connections, with bandwidth to comply with topic-specific policies, must be used.
Additional Guidance on Annex A 8.1
When employees take their endpoint devices out of the organisation, the data stored on them could be at greater risk of being compromised. Consequently, organisations must implement different safeguards for devices used outside of their premises.
ISO 27001:2022 Annex A 8.1 warns organisations of two risks associated with wireless connections that could lead to loss of data:
- Wireless connections with limited capacity can lead to the breakdown of data backup.
- User endpoints may sometimes lose connection to the wireless network and scheduled backups can falter. To ensure data security and reliability, regular backups should be done and connection to the wireless network should be regularly monitored.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Changes and Differences from ISO 27001:2013
ISO 27001:2022 Annex A 8.1 replaces ISO 27001:2013 Annex A 6.2.1 and Annex A 12.2.8 in the revised 2022 standard.
Structural Differences
By contrast to ISO 27001:2022 which has a single control covering user endpoint devices (8.1), ISO 27001:2013 featured two separate controls: Mobile Device Policy (Annex A, Control 6.2.1) and Unattended User Equipment (Control 11.2.8).
Whereas ISO 27001:2022 Annex A Control 8.1 covers all user endpoint devices such as laptops, tablets and mobile phones, the 2013 Version only addressed mobile devices.
ISO 27001:2022 Prescribes Additional Requirements for User Responsibility
Both Versions of the agreement demand a certain level of personal accountability from users; however, the 2022 Version has an extra requirement:
- Personnel should exercise extra caution when utilising endpoint devices containing sensitive data in public spaces which may be insecure.
ISO 27001:2022 Is More Comprehensive in Terms of BYOD
Compared to 2013, Annex A 8.1 in 2022 introduces three new requirements for BYOD (Bring Your Own Device) usage by personnel:
- Establishing policies concerning the intellectual property rights of creations made using user endpoint devices is necessary. Such policies must be accurate and clear, ensuring that all relevant parties recognise their rights and responsibilities.
- Considering the legal limits on accessing personnel’s private devices, how will this be managed?
- Permitting personnel to use their own devices can result in legal responsibility due to the utilisation of third-party software on these devices. Organisations should give thought to the software licensing agreements they hold with their vendors.
ISO 27001:2022 Requires a More Detailed Topic-Specific Policy
In comparison to ISO 27001:2013, organisations must now implement a policy specific to each topic on user devices.
ISO 27001:2022 Annex A 8.1 is more comprehensive, containing three new elements to be included:
- Analysis of end-user behaviour was undertaken.
- USB drives are a great way to transfer data, and physical USB ports can be disabled to prevent such transfers.
- Segregation of the organisation’s information assets can be achieved by taking advantage of technological capabilities. This enables the assets to be separated from other assets stored on the user device.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
How ISMS.online Help
ISMS.online is the go-to ISO 27001:2022 management system software. It facilitates compliance with the standard, and assists organisations in aligning their security policies and procedures.
This cloud-based platform offers a full range of tools to help businesses create an ISMS (Information Security Management System) that adheres to ISO 27001.
Contact us now to arrange a demonstration.
