What does control A.3.22 require?

PII stored on, processed by or accessible via user endpoint devices shall be protected.

This control sits within the Shared security controls annex (A.3) and addresses one of the most significant risk areas in modern PII processing: endpoint devices. Laptops, smartphones, tablets and other portable devices create a large and distributed attack surface. They can be lost or stolen, used on insecure networks, shared with unauthorised individuals or compromised by malware. A.3.22 requires organisations to implement controls that protect PII regardless of where and how endpoint devices are used.

What does the Annex B implementation guidance say?

Annex B (section B.3.22) provides the following guidance:

  • Prevent mobile device compromise — The organisation should ensure that the use of mobile devices does not lead to a compromise of PII
  • See also A.3.24: Information Backup for related requirements
  • See also A.3.25: Logging for related requirements

While the implementation guidance is concise, the scope of the control is broad. Protecting PII on endpoint devices requires a combination of technical controls (encryption, remote wipe, screen lock), policy controls (acceptable use, BYOD rules) and awareness measures (training staff on secure device use). The control applies to all three scenarios: PII stored locally on the device, PII actively being processed by the device and PII accessible remotely via the device.

How does this map to GDPR?

Control A.3.22 maps to the following GDPR article:

  • Article 5(1)(f) — The integrity and confidentiality principle, requiring appropriate security of personal data including protection against unauthorised or unlawful processing and against accidental loss

Lost or stolen devices are one of the most commonly reported breach types under GDPR. Implementing robust endpoint protection is a practical and demonstrable way to satisfy Article 5(1)(f).

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was covered by Clause 6.8.2.8 (unattended user equipment). The 2025 edition consolidates this requirement into A.3.22, broadening the scope from mobile devices specifically to all user endpoint devices. This reflects the reality that the distinction between mobile and fixed endpoints has become less meaningful. See the Annex F correspondence table for the full mapping.

What evidence do auditors expect?

When assessing compliance with A.3.22, auditors will typically look for:

  • Endpoint security policy — A documented policy covering acceptable use, encryption requirements, screen lock settings, patch management and remote wipe capabilities for all device types
  • Mobile device management (MDM) — Evidence that a centralised MDM or endpoint management solution is deployed, with configuration profiles enforcing security baselines
  • Full-disk encryption — Evidence that all endpoints with PII have full-disk encryption enabled (e.g. BitLocker, FileVault or device-native encryption)
  • Remote wipe capability — Demonstrated ability to remotely wipe or lock lost or stolen devices
  • BYOD controls — If personal devices are permitted for work use, a BYOD policy specifying security requirements, containerisation and the organisation’s right to wipe corporate data
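One way to produce the full-disk encryption evidence listed above on a Windows endpoint, as an added example rather than code from ISMS.online or the standard: it records BitLocker status per fixed volume to a CSV and returns non-zero when any volume lacks active protection, so an MDM compliance script can flag the device. It assumes the BitLocker PowerShell module (Get-BitLockerVolume) is available and that the evidence file path is acceptable to you.

```powershell
# Added example (not ISMS.online's or ISO 27701's own code): collects
# full-disk encryption evidence from a Windows endpoint for an A.3.22 audit.
# Assumes Windows 10/11 with the BitLocker module and rights to query volumes.
param(
    [string]$EvidencePath = "$env:ProgramData\A322-fde-evidence.csv"  # assumed location
)

$timestamp   = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$rows        = @()
$unprotected = @()

# Only fixed OS and data volumes are in scope here; removable media is covered by A.3.20.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeType -ne 'OperatingSystem' -and $vol.VolumeType -ne 'Data') { continue }

    # A volume can be fully encrypted while protection is suspended (ProtectionStatus 'Off'),
    # which an auditor would not accept, so both conditions are required for compliance.
    $compliant = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')

    $rows += [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        CollectedUtc     = $timestamp
        Volume           = $vol.MountPoint
        VolumeType       = $vol.VolumeType
        EncryptionMethod = $vol.EncryptionMethod
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'
        Compliant        = $compliant
    }
    if (-not $compliant) { $unprotected += $vol.MountPoint }
}

# Append so the file accumulates a dated history per device for the audit trail.
$rows | Export-Csv -Path $EvidencePath -NoTypeInformation -Append
$rows | Format-Table -AutoSize

if ($unprotected.Count -gt 0) {
    Write-Warning ("Volumes without active full-disk encryption: " + ($unprotected -join ', '))
    exit 1   # non-zero exit lets an MDM compliance policy mark the device non-compliant
}
exit 0
```

Run it from the MDM as a scheduled compliance script and collect the CSV centrally; macOS endpoints need the equivalent FileVault check, which this example does not cover.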

What are the related controls?

Control                                  Relationship
A.3.19 Clear desk and clear screen       Screen lock requirements on endpoints implement clear screen rules
A.3.23 Secure authentication             Authentication controls protect access to PII via endpoint devices
A.3.26 Use of cryptography               Encryption of endpoint storage is a key protection measure
A.3.20 Storage media                     Removable media used with endpoints must follow media management rules
A.3.21 Secure disposal or re-use         Endpoint devices must be securely wiped before disposal or reassignment

Who does this control apply to?

A.3.22 is a shared control that applies to both PII controllers and PII processors. Any organisation whose personnel use endpoint devices to store, process or access PII must implement appropriate protections. This includes organisations with remote workers, field staff, BYOD policies or any scenario where PII can be accessed from outside the corporate network perimeter.




ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

Why choose ISMS.online for endpoint device management?

ISMS.online provides practical tools for managing endpoint device security:

  • Device register — Maintain a central inventory of all endpoint devices with PII access, linked to owners, security configurations and compliance status
  • Policy management — Publish and distribute endpoint security and BYOD policies with acknowledgement tracking and version control
  • Risk assessments — Run targeted risk assessments for endpoint-related threats, with pre-built risk scenarios for lost devices, insecure networks and BYOD
  • Incident management — Log and manage device loss or theft incidents with built-in workflows for breach assessment and notification
  • Compliance dashboards — Monitor endpoint security compliance across your organisation with real-time visibility of policy adherence and outstanding actions

FAQs

Does this control apply to personal devices used for work?

Yes. If personal devices (BYOD) are used to store, process or access PII, they fall within the scope of A.3.22. Organisations should implement a BYOD policy that specifies minimum security requirements such as encryption, passcode complexity, automatic updates and the right to remotely wipe corporate data. Containerisation solutions can help separate personal and corporate data on the same device.


What types of devices are considered endpoint devices?

Endpoint devices include any device used by an individual to access, process or store PII: laptops, desktops, smartphones, tablets, thin clients and wearable devices. The 2025 edition deliberately uses the broader term “user endpoint devices” rather than “mobile devices” to capture all device types, including fixed workstations that may be in shared or unsecured locations.


How should organisations handle lost or stolen devices?

Organisations should have a documented incident response procedure for lost or stolen devices. This should include immediate remote lock and wipe capabilities, assessment of whether PII was at risk (considering encryption status), notification to the data protection team and, where required, notification to the supervisory authority under GDPR Article 33. The device inventory should be updated to reflect the loss, and access credentials used on the device should be revoked.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
