ISO 27001:2022 Annex A Control 8.1

User Endpoint Devices

Book a demo

focused,group,of,diverse,work,colleagues,having,a,meeting,together

The transition to remote working and the increased reliance on mobile devices have been advantageous for employee productivity and cost-saving for organisations. Unfortunately, user endpoints like laptops, mobile phones and tablets are susceptible to cyber threats. Cyber criminals often leverage these devices to gain illicit access to corporate networks and compromise confidential information.

Cyber criminals may seek to target employees with phishing, persuading them to download a malware-infected attachment, which can be used to spread the malware throughout the corporate network. This can lead to the loss of availability, integrity, or confidentiality of information assets.

A survey of 700 IT professionals revealed that 70% of organisations experienced a breach in their information assets and IT infrastructure due to a user device attack in 2020.

ISO 27001:2022 Annex A Control 8.1 outlines steps organisations can take to ensure their information assets hosted or processed on user endpoint devices are protected from compromise, loss or theft. This includes establishing, maintaining, and implementing relevant policies, procedures and technology measures.

Purpose of ISO 27001:2022 Annex A 8.1

ISO 27001:2022 Annex A 8.1 allows companies to guard and uphold the security, confidentiality, integrity, and availability of information assets stored on or accessible from endpoint user devices. This is achieved by establishing suitable policies, procedures, and controls.

Ownership of Annex A 8.1

The Chief Information Security Officer should take responsibility for ensuring compliance with the demands of ISO 27001:2022 Annex A Control 8.1, which necessitate the creation and maintenance of organisation-wide policy, procedures and technical measures.

General Guidance on ISO 27001:2022 Annex A 8.1 Compliance

Organisations must, per ISO 27001:2022 Annex Al 8.1, create a policy that covers the secure configuration and use of user endpoint devices.

Personnel must be made aware of this policy, which encompasses:

  • What kind of data, especially in terms of security level, can be processed, saved, or utilised in user endpoints?
  • Devices must be registered.
  • Physical protection of devices is mandatory.
  • It is forbidden to install software programs on devices.
  • Rules for installing software on devices and updating software must be followed.
  • The rules governing the connection of user endpoint devices to the public network or to networks located off-site.
  • Access controls.
  • The storage media hosting information assets must be encrypted.
  • Devices shall be safeguarded against malware intrusions.
  • Devices can be disabled or barred from use, and data stored in them can be deleted remotely.
  • Back-up plans and protocols should be in place.
  • Rules regarding the use of web applications and services.
  • Analysing end-user behaviour to gain insights into how they interact with the system.
  • Removable storage media, such as USB drives, can be employed to great effect. Moreover, physical ports, e.g., USB ports, can be disabled.
  • Segregation capabilities can be utilised to keep the organisation’s information assets distinct from other assets saved on the user device.

Organisations should think about banning the storage of delicate data on user end-point devices via technical controls, according to the General Guidance.

Disablement of local storage functions such as SD cards may be among the technical controls employed.

Organisations should implement Configuration Management as outlined in ISO 27001:2022 Annex A Control 8.9 and utilise automated tools.

Supplementary Guidance on User Responsibility

Staff should be informed of the security measures for user endpoint devices and their duties to comply with them. Additionally, they should understand their role in implementing these measures and procedures.

Organisations should direct personnel to observe the following regulations and processes:

  • Once a service is no longer needed or a session has finished, users should log out and terminate the service.
  • Personnel should not leave their devices unsupervised. When not in use, staff should ensure the security of their devices by utilising physical measures such as key locks and technical measures like strong passwords.
  • Staff should exercise extra caution when using end-point devices that contain confidential data in public places that lack security.
  • User endpoint devices must be safeguarded against theft, particularly in hazardous places such as hotel rooms, meeting rooms or public transit.

Organisations should devise a special system for managing the loss or theft of user endpoint devices. This system must be constructed considering legal, contractual and security needs.

Supplementary Guidance on Use of Personal Devices (BYOD)

Permitting personnel to use their own devices for work-related activities can save organisations money, however, it exposes confidential data to potential risks.

ISO 27001:2022 Annex A 8.1 suggests five things for organisations to take into account when permitting staff to use their personal devices for work-related activities:

  1. Technical measures such as software tools should be put in place to separate personal and business use of devices, safeguarding the organisation’s information.
  2. Personnel can have access to their own device on condition that they consent to the following:
    • Staff acknowledge their duty to physically safeguard devices and fulfil essential software updates.
    • Personnel agree not to assert any rights of ownership over the company’s data.
    • Personnel concur that the data in the device can be wiped remotely if it is lost or stolen, in accordance with legal guidelines for personal info.

  3. Set up guidelines regarding rights to intellectual property generated using user endpoint gadgets.
  4. Regarding the statutory restrictions on such access, how personnel’s private devices will be accessed.
  5. Permitting staff to employ their individual gadgets can bring about legal responsibility caused by the application of third-party software on these gadgets. Companies should reflect on the software licensing agreements they possess with their providers.

Supplementary Guidance on Wireless Connections

Organisations should create and sustain practices for:

  • Configuring the wireless connections on the devices should be done with care. Ensure each connection is secure and reliable.
  • Wireless or wired connections, with bandwidth to comply with topic-specific policies, must be used.

Additional Guidance on Annex A 8.1

When employees take their endpoint devices out of the organisation, the data stored on them could be at greater risk of being compromised. Consequently, organisations must implement different safeguards for devices used outside of their premises.

ISO 27001:2022 Annex A 8.1 warns organisations of two risks associated with wireless connections that could lead to loss of data:

  1. Wireless connections with limited capacity can lead to the breakdown of data backup.
  2. User endpoints may sometimes lose connection to the wireless network and scheduled backups can falter. To ensure data security and reliability, regular backups should be done and connection to the wireless network should be regularly monitored.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.1 replaces ISO 27001:2013 Annex A 6.2.1 and Annex A 12.2.8 in the revised 2022 standard.

Structural Differences

By contrast to ISO 27001:2022 which has a single control covering user endpoint devices (8.1), ISO 27001:2013 featured two separate controls: Mobile Device Policy (Annex A, Control 6.2.1) and Unattended User Equipment (Control 11.2.8).

Whereas ISO 27001:2022 Annex A Control 8.1 covers all user endpoint devices such as laptops, tablets and mobile phones, the 2013 Version only addressed mobile devices.

ISO 27001:2022 Prescribes Additional Requirements for User Responsibility

Both Versions of the agreement demand a certain level of personal accountability from users; however, the 2022 Version has an extra requirement:

  • Personnel should exercise extra caution when utilising endpoint devices containing sensitive data in public spaces which may be insecure.

ISO 27001:2022 Is More Comprehensive in Terms of BYOD

Compared to 2013, Annex A 8.1 in 2022 introduces three new requirements for BYOD (Bring Your Own Device) usage by personnel:

  1. Establishing policies concerning the intellectual property rights of creations made using user endpoint devices is necessary. Such policies must be accurate and clear, ensuring that all relevant parties recognise their rights and responsibilities.
  2. Considering the legal limits on accessing personnel’s private devices, how will this be managed?
  3. Permitting personnel to use their own devices can result in legal responsibility due to the utilisation of third-party software on these devices. Organisations should give thought to the software licensing agreements they hold with their vendors.

ISO 27001:2022 Requires a More Detailed Topic-Specific Policy

In comparison to ISO 27001:2013, organisations must now implement a policy specific to each topic on user devices.

ISO 27001:2022 Annex A 8.1 is more comprehensive, containing three new elements to be included:

  1. Analysis of end-user behaviour was undertaken.
  2. USB drives are a great way to transfer data, and physical USB ports can be disabled to prevent such transfers.
  3. Segregation of the organisation’s information assets can be achieved by taking advantage of technological capabilities. This enables the assets to be separated from other assets stored on the user device.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How ISMS.online Help

ISMS.online is the go-to ISO 27001:2022 management system software. It facilitates compliance with the standard, and assists organisations in aligning their security policies and procedures.

This cloud-based platform offers a full range of tools to help businesses create an ISMS (Information Security Management System) that adheres to ISO 27001.

Contact us now to arrange a demonstration.

We felt like we had
the best of both worlds. We were
able to use our
existing processes,
& the Adopt, Adapt
content gave us new
depth to our ISMS.

Andrew Bud
Founder, iproov

Book your demo

Say hello to ISO 27001 success

Get 81% of the work done for you and get certified faster with ISMS.online

Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.