While the shift to remote work and growing use of mobile devices boost employee productivity and save organisations money, user endpoint devices such as laptops, mobile phones, and tablets are vulnerable to cyber threats. This is because cyber criminals often exploit these devices to gain unauthorised access to corporate networks and compromise information assets.
For example, cyber criminals may target employees with a phishing attack, persuade employees to download a malware attachment, and then use this malware-infected user endpoint device to spread the malware across the entire corporate network. This attack can result in the loss of availability, integrity, or confidentiality of information assets.
According to a survey conducted with 700 IT professionals, around 70% of organisations experienced compromise of information assets and of IT infrastructure as a result of an endpoint user device-related attack in 2020.
Control 8.1 addresses how organisations can establish, maintain and implement topic-specific policy, procedures, and technical measures to ensure that information assets hosted or processed on user endpoint devices are not compromised, lost or stolen.
Control 8.1 enables organisations to protect and maintain the security, confidentiality, integrity, and availability of information assets housed on or accessible via endpoint user devices by putting in place suitable policies, procedures and controls.
Control 8.1 is preventive in nature. It requires organisations to implement policies, procedures, and technical measures that apply to all user endpoint devices which host or process information assets so that they are not compromised, lost, or stolen.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset Management #Information Protection | #Protection |
Considering that compliance with Control 8.1 entails creation, maintenance of and adherence to organisation-wide topic-specific policy, procedures and technical measures, the chief information security officer should bear responsibility for compliance with the requirements of Control 8.1.
Control 8.1 requires organisations to create a topic-specific policy that addresses how user endpoint devices should be configured securely and how these devices should be handled by users.
All personnel should be informed about this Policy and the Policy should cover the following:
Furthermore, the General Guidance notes that organisations should consider prohibiting the storage of sensitive information assets on user endpoint devices by implementing technical controls.
These technical controls may include disabling local storage functions such as SD cards.
In putting these recommendations into practice, organisations should resort to Configuration Management as set out in the Control 8.9 and use automated tools.
All personnel should be informed about the security measures for user endpoint devices and procedures they should adhere to. Furthermore, they should be made aware of their responsibilities for applying these measures and procedures.
Organisations should instruct personnel to comply with the following rules and procedures:
Furthermore, organisations are also advised to establish a special procedure for the loss or theft of user endpoint devices. This procedure should be created taking into account legal, contractual and security requirements.
While allowing personnel to use their own personal devices for work-related purposes saves organisations money, it exposes sensitive information assets to new risks.
Control 8.1 lists five recommendations that organisations should consider when allowing employees to use their own devices for work-related tasks:
Organisations should develop and maintain procedures for:
When user endpoint devices are taken out of the organisation’s premises, information assets may be exposed to heightened risks of compromise. Therefore, organisations may have to establish different controls for devices used outside of premises.
Furthermore, Control 8.1 cautions organisations against loss of information due to two risks related to wireless connections:
We’ll give you an 81% headstart
from the moment you log in
Book your demo
27002:2022/8.1 replaces 27002:2013/(6.2.1 and 12.2.8)
In contrast to the 2022 version which addresses user endpoint devices under one Control(8.1), the 2013 Version included two separate controls: Mobile Device Policy in Control 6.2.1 and Unattended User Equipment in Control 11.2.8.
Furthermore, whereas the Control 8.1 in the 2022 Version applies to all user endpoint devices such as laptops, tablets and mobile phones, the 2013 Version only referred to the mobile devices.
While both Versions are largely similar in terms of the requirements for user responsibility, the 2022 Version contains one additional requirement:
Compared to the 2013 Version, control 8.1 in the 2022 Version introduces three new requirements for the use of personnel’s private devices (BYOD):
Similar to the 2013 Version, the 2022 Version also requires organisations to adopt a topic-specific policy on user endpoint devices.
However, the control 8.1 in the 2022 version is more comprehensive as it contains three new elements that needs to be included:
ISMS.Online is the leading ISO 27002 management system software that supports compliance with ISO 27002, and helps companies to align their security policies and procedures with the standard.
The cloud-based platform provides a complete set of tools to assist organisations in setting up an information security management system (ISMS) according to ISO 27002.
Get in touch today to book a demo.
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
