This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.8.1 User endpoint devices.
ISO 27001: 2022 Control Description
Information stored on, processed by or accessible via user end point devices shall be protected.
Purpose
To safeguard information from risks associated with the use of user endpoint devices.
Guidance on implementation
The organisation should develop and communicate a specific policy on the secure configuration and handling of user endpoint devices. This policy should address the following areas:
- Information Handling: Define the types of information and classification levels that the user endpoint devices can manage, process, store, or support.
- Device Registration: Ensure that all user endpoint devices are registered.
- Physical Protection: Specify requirements for physically securing user endpoint devices.
- Software Installation: Control software installation (e.g., through remote management by system administrators).
- Software Requirements: Define requirements for device software, including version management and updates (e.g., enabling automatic updates).
- Network Connections: Set rules for connecting to information services, public networks, or any other external networks (e.g., using a personal firewall).
- Access Controls: Implement and enforce access controls on devices.
- Encryption: Require encryption for storage devices.
- Malware Protection: Ensure protection against malware.
- Remote Management: Enable remote disabling, deletion, or locking of devices.
- Backups: Implement regular backups for data on user endpoint devices.
- Behaviour Analytics: Monitor end-user behaviour for anomalies.
- Web Services: Manage the use of web services and web applications.
- Removable Devices: Regulate the use of removable devices, such as USB drives, and consider disabling physical ports if necessary.
- Partitioning: Use partitioning features (if supported) to separate organisational information from other data on the device.
Additional Considerations
Assess whether certain sensitive information should only be accessed through, rather than stored on, user endpoint devices. In such cases, additional safeguards may be needed, such as disabling offline file downloads and local storage like SD cards.
Whenever possible, enforce these guidelines through configuration management or automated tools.
User Responsibility
Users should be informed about security requirements and their responsibilities for protecting user endpoint devices. Advise users to:
- Session Management: Log off active sessions and close services when no longer needed.
- Physical and Logical Protection: Secure devices with physical controls (e.g., key locks) and logical controls (e.g., passwords) when not in use. Avoid leaving devices with sensitive information unattended.
- Public Places: Handle devices with care in public areas, open offices, meeting places, and other unsecured locations. For instance, use privacy screen filters to prevent others from reading confidential information.
- Protection Against Theft: Protect devices against theft in various locations, such as cars, hotels, and conference centres.
Procedure for Theft or Loss
Establish a procedure that takes into account legal, statutory, regulatory, contractual (including insurance), and other security requirements for handling theft or loss of user endpoint devices.
Use of Personal Devices (BYOD)
If the organisation permits the use of personal devices (Bring Your Own Device - BYOD), consider the following in addition to the above guidance:
- Personal and Business Use Separation: Ensure clear separation between personal and business use of devices, using software to support this separation and protect business data.
- User Acknowledgements: Provide access to business information only after users acknowledge their responsibilities (e.g., physical protection, software updates) and agree to terms such as waiving ownership of business data and allowing remote data wiping if the device is stolen or when access is revoked. Ensure compliance with personal information protection legislation.
- Policy and Procedures: Develop policies and procedures to address intellectual property rights concerning work done on personal equipment.