ISO 27001:2022 Annex A Control 8.1

General Guidance on ISO 27001:2022 Annex A 8.1 Compliance

Organisations must, per ISO 27001:2022 Annex Al 8.1, create a policy that covers the secure configuration and use of user endpoint devices.

Personnel must be made aware of this policy, which encompasses:

• What kind of data, especially in terms of security level, can be processed, saved, or utilised in user endpoints?
• Devices must be registered.
• Physical protection of devices is mandatory.
• It is forbidden to install software programs on devices.
• Rules for installing software on devices and updating software must be followed.
• The rules governing the connection of user endpoint devices to the public network or to networks located off-site.
• Access controls.
• The storage media hosting information assets must be encrypted.
• Devices shall be safeguarded against malware intrusions.
• Devices can be disabled or barred from use, and data stored in them can be deleted remotely.
• Back-up plans and protocols should be in place.
• Rules regarding the use of web applications and services.
• Analysing end-user behaviour to gain insights into how they interact with the system.
• Removable storage media, such as USB drives, can be employed to great effect. Moreover, physical ports, e.g., USB ports, can be disabled.
• Segregation capabilities can be utilised to keep the organisation’s information assets distinct from other assets saved on the user device.

Organisations should think about banning the storage of delicate data on user end-point devices via technical controls, according to the General Guidance.

Disablement of local storage functions such as SD cards may be among the technical controls employed.

Organisations should implement Configuration Management as outlined in ISO 27001:2022 Annex A Control 8.9 and utilise automated tools.

Supplementary Guidance on User Responsibility

Staff should be informed of the security measures for user endpoint devices and their duties to comply with them. Additionally, they should understand their role in implementing these measures and procedures.

Organisations should direct personnel to observe the following regulations and processes:

• Once a service is no longer needed or a session has finished, users should log out and terminate the service.
• Personnel should not leave their devices unsupervised. When not in use, staff should ensure the security of their devices by utilising physical measures such as key locks and technical measures like strong passwords.
• Staff should exercise extra caution when using end-point devices that contain confidential data in public places that lack security.
• User endpoint devices must be safeguarded against theft, particularly in hazardous places such as hotel rooms, meeting rooms or public transit.

Organisations should devise a special system for managing the loss or theft of user endpoint devices. This system must be constructed considering legal, contractual and security needs.

Supplementary Guidance on Use of Personal Devices (BYOD)

Permitting personnel to use their own devices for work-related activities can save organisations money, however, it exposes confidential data to potential risks.

ISO 27001:2022 Annex A 8.1 suggests five things for organisations to take into account when permitting staff to use their personal devices for work-related activities:

1. Technical measures such as software tools should be put in place to separate personal and business use of devices, safeguarding the organisation’s information.
2. Personnel can have access to their own device on condition that they consent to the following:
• Staff acknowledge their duty to physically safeguard devices and fulfil essential software updates.
• Personnel agree not to assert any rights of ownership over the company’s data.
• Personnel concur that the data in the device can be wiped remotely if it is lost or stolen, in accordance with legal guidelines for personal info.
3. Set up guidelines regarding rights to intellectual property generated using user endpoint gadgets.
4. Regarding the statutory restrictions on such access, how personnel’s private devices will be accessed.
5. Permitting staff to employ their individual gadgets can bring about legal responsibility caused by the application of third-party software on these gadgets. Companies should reflect on the software licensing agreements they possess with their providers.

Supplementary Guidance on Wireless Connections

Organisations should create and sustain practices for:

• Configuring the wireless connections on the devices should be done with care. Ensure each connection is secure and reliable.
• Wireless or wired connections, with bandwidth to comply with topic-specific policies, must be used.

Additional Guidance on Annex A 8.1

When employees take their endpoint devices out of the organisation, the data stored on them could be at greater risk of being compromised. Consequently, organisations must implement different safeguards for devices used outside of their premises.

ISO 27001:2022 Annex A 8.1 warns organisations of two risks associated with wireless connections that could lead to loss of data:

1. Wireless connections with limited capacity can lead to the breakdown of data backup.
2. User endpoints may sometimes lose connection to the wireless network and scheduled backups can falter. To ensure data security and reliability, regular backups should be done and connection to the wireless network should be regularly monitored.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.1 replaces ISO 27001:2013 Annex A 6.2.1 and Annex A 12.2.8 in the revised 2022 standard.

Structural Differences

By contrast to ISO 27001:2022 which has a single control covering user endpoint devices (8.1), ISO 27001:2013 featured two separate controls: Mobile Device Policy (Annex A, Control 6.2.1) and Unattended User Equipment (Control 11.2.8).

Whereas ISO 27001:2022 Annex A Control 8.1 covers all user endpoint devices such as laptops, tablets and mobile phones, the 2013 Version only addressed mobile devices.

ISO 27001:2022 Prescribes Additional Requirements for User Responsibility

Both Versions of the agreement demand a certain level of personal accountability from users; however, the 2022 Version has an extra requirement:

• Personnel should exercise extra caution when utilising endpoint devices containing sensitive data in public spaces which may be insecure.

ISO 27001:2022 Is More Comprehensive in Terms of BYOD

Compared to 2013, Annex A 8.1 in 2022 introduces three new requirements for BYOD (Bring Your Own Device) usage by personnel:

1. Establishing policies concerning the intellectual property rights of creations made using user endpoint devices is necessary. Such policies must be accurate and clear, ensuring that all relevant parties recognise their rights and responsibilities.
2. Considering the legal limits on accessing personnel’s private devices, how will this be managed?
3. Permitting personnel to use their own devices can result in legal responsibility due to the utilisation of third-party software on these devices. Organisations should give thought to the software licensing agreements they hold with their vendors.

ISO 27001:2022 Requires a More Detailed Topic-Specific Policy

In comparison to ISO 27001:2013, organisations must now implement a policy specific to each topic on user devices.

ISO 27001:2022 Annex A 8.1 is more comprehensive, containing three new elements to be included:

1. Analysis of end-user behaviour was undertaken.
2. USB drives are a great way to transfer data, and physical USB ports can be disabled to prevent such transfers.
3. Segregation of the organisation’s information assets can be achieved by taking advantage of technological capabilities. This enables the assets to be separated from other assets stored on the user device.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

ISMS.online is the go-to ISO 27001:2022 management system software. It facilitates compliance with the standard, and assists organisations in aligning their security policies and procedures.

This cloud-based platform offers a full range of tools to help businesses create an ISMS (Information Security Management System) that adheres to ISO 27001.

Contact us now to arrange a demonstration.