ISO 27002:2022, Control 8.1 – User Endpoint Devices

ISO 27002:2022 Revised Controls

Book a demo

woman,using,laptop,indoor.close up,hand

While the shift to remote work and growing use of mobile devices boost employee productivity and save organisations money, user endpoint devices such as laptops, mobile phones, and tablets are vulnerable to cyber threats. This is because cyber criminals often exploit these devices to gain unauthorised access to corporate networks and compromise information assets.

For example, cyber criminals may target employees with a phishing attack, persuade employees to download a malware attachment, and then use this malware-infected user endpoint device to spread the malware across the entire corporate network. This attack can result in the loss of availability, integrity, or confidentiality of information assets.

According to a survey conducted with 700 IT professionals, around 70% of organisations experienced compromise of information assets and of IT infrastructure as a result of an endpoint user device-related attack in 2020.

Control 8.1 addresses how organisations can establish, maintain and implement topic-specific policy, procedures, and technical measures to ensure that information assets hosted or processed on user endpoint devices are not compromised, lost or stolen.

Purpose of Control 8.1

Control 8.1 enables organisations to protect and maintain the security, confidentiality, integrity, and availability of information assets housed on or accessible via endpoint user devices by putting in place suitable policies, procedures and controls.

Attributes Table

Control 8.1 is preventive in nature. It requires organisations to implement policies, procedures, and technical measures that apply to all user endpoint devices which host or process information assets so that they are not compromised, lost, or stolen.

Control Type Information Security PropertiesCybersecurity ConceptsOperational CapabilitiesSecurity Domains
#Preventive #Confidentiality
#Integrity
#Availability
#Protect #Asset Management
#Information Protection
#Protection
Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

Ownership of Control 8.1

Considering that compliance with Control 8.1 entails creation, maintenance of and adherence to organisation-wide topic-specific policy, procedures and technical measures, the chief information security officer should bear responsibility for compliance with the requirements of Control 8.1.

General Guidance on Compliance

Control 8.1 requires organisations to create a topic-specific policy that addresses how user endpoint devices should be configured securely and how these devices should be handled by users.

All personnel should be informed about this Policy and the Policy should cover the following:

  • What type of information, particularly on what level of classification, can be processed, stored or used in user endpoint devices.
  • How the devices should be registered.
  • Requirements for the physical protection of devices.
  • Restrictions on the installation of software programmes on devices.
  • Rules on the instalment of software on the devices and on software updates.
  • Rules on how the user endpoint devices can be connected to public networks or to networks on other off-site premises.
  • Access controls.
  • Encryption of the storage media hosting information assets.
  • How devices will be protected against malware attacks.
  • How devices can be disabled or locked out. How information contained in the devices can be wiped off remotely.
  • Back-up methods and procedures.
  • Rules on the use of web applications and services.
  • Analysis of end-user behaviour.
  • How removable storage media such as USB drives can be used and how physical ports such as USB ports can be disabled.
  • How segregation capabilities can be used to separate the organisation’s information assets from other assets stored on the user device.

Furthermore, the General Guidance notes that organisations should consider prohibiting the storage of sensitive information assets on user endpoint devices by implementing technical controls.

These technical controls may include disabling local storage functions such as SD cards.

In putting these recommendations into practice, organisations should resort to Configuration Management as set out in the Control 8.9 and use automated tools.

Supplementary Guidance on User Responsibility

All personnel should be informed about the security measures for user endpoint devices and procedures they should adhere to. Furthermore, they should be made aware of their responsibilities for applying these measures and procedures.

Organisations should instruct personnel to comply with the following rules and procedures:

  • When a service is no longer required or when a session ends, users should log out of session and terminate services.
  • Personnel should not leave their devices unattended. When devices are not in use, personnel should maintain the security of the devices against unauthorised access or use by applying physical controls such as key locks and by technical controls such as robust passwords.
  • Personnel should act with extra care when they use endpoint devices containing sensitive information in insecure public areas.
  • User endpoint devices should be protected against theft, particularly in risky areas such as hotel rooms, conference rooms or public transport.

Furthermore, organisations are also advised to establish a special procedure for the loss or theft of user endpoint devices. This procedure should be created taking into account legal, contractual and security requirements.

Get a Headstart
on ISO 27002

The only compliance
solution you need
Book your demo

Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

Supplementary Guidance on Use of Personal Devices (BYOD)

While allowing personnel to use their own personal devices for work-related purposes saves organisations money, it exposes sensitive information assets to new risks.

Control 8.1 lists five recommendations that organisations should consider when allowing employees to use their own devices for work-related tasks:

  1. There should be technical measures such as software tools in place to separate the personal and business use of the devices so that the organisation’s information is protected.
  2. Personnel should be allowed to use their own device only after they agree to the following:
    • Personnel acknowledge their duties to physically protect devices and to carry out necessary software updates.
    • Personnel agree to not claim any ownership of the organisation’s information assets.
    • Personnel agree that information contained in the device can be remotely deleted when the device is lost or stolen, subject to legal requirements for personal data.
  3. Establishment of policies on the ownership of intellectual property rights created via the use of user endpoint devices.
  4. How the private devices of personnel will be accessed considering the statutory restrictions on such access.
  5. Allowing personnel to use their private devices can lead to legal liability due to the use of third party software on these devices. Organisations should consider the software licensing agreements they have with their vendors.

Supplementary Guidance on Wireless Connections

Organisations should develop and maintain procedures for:

Additional Guidance on Control 8.1

When user endpoint devices are taken out of the organisation’s premises, information assets may be exposed to heightened risks of compromise. Therefore, organisations may have to establish different controls for devices used outside of premises.

Furthermore, Control 8.1 cautions organisations against loss of information due to two risks related to wireless connections:

  • Wireless connections with low bandwidth may result in failure of data back-up.
  • User endpoint devices may occasionally get disconnected from the wireless network and scheduled back-ups may fail.

Are you ready for
the new ISO 27002

We’ll give you an 81% headstart
from the moment you log in
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Changes and Differences from ISO 27002:2013

27002:2022/8.1 replaces 27002:2013/(6.2.1 and 12.2.8)

Structural Differences

In contrast to the 2022 version which addresses user endpoint devices under one Control(8.1), the 2013 Version included two separate controls: Mobile Device Policy in Control 6.2.1 and Unattended User Equipment in Control 11.2.8.

Furthermore, whereas the Control 8.1 in the 2022 Version applies to all user endpoint devices such as laptops, tablets and mobile phones, the 2013 Version only referred to the mobile devices.

2022 Version Prescribes Additional Requirements for User Responsibility

While both Versions are largely similar in terms of the requirements for user responsibility, the 2022 Version contains one additional requirement:

  • Personnel should act with extra care when they use endpoint devices containing sensitive information in insecure public areas.

2022 Version Is More Comprehensive in Terms of BYOD

Compared to the 2013 Version, control 8.1 in the 2022 Version introduces three new requirements for the use of personnel’s private devices (BYOD):

  • Establishment of policies on the ownership of intellectual property rights created via the use of user endpoint devices.
  • How the private devices of personnel will be accessed considering the statutory restrictions on such access.
  • Allowing personnel to use their private devices can lead to legal liability due to the use of third party software on these devices. Organisations should consider the software licensing agreements they have with their vendors.

2022 Version Requires a More Detailed Topic-Specific Policy

Similar to the 2013 Version, the 2022 Version also requires organisations to adopt a topic-specific policy on user endpoint devices.

However, the control 8.1 in the 2022 version is more comprehensive as it contains three new elements that needs to be included:

  1. Analysis of end user behaviour.
  2. How removable devices such as USB drives can be used and how physical ports such as USB ports can be disabled.
  3. How segregation capabilities can be used to separate the organisation’s information assets from other assets stored on the user device.

How ISMS.online Helps

ISMS.Online is the leading ISO 27002 management system software that supports compliance with ISO 27002, and helps companies to align their security policies and procedures with the standard.

The cloud-based platform provides a complete set of tools to assist organisations in setting up an information security management system (ISMS) according to ISO 27002.

Get in touch today to book a demo.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

New Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.7NewThreat intelligence
5.23NewInformation security for use of cloud services
5.30NewICT readiness for business continuity
7.4NewPhysical security monitoring
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.16NewMonitoring activities
8.23NewWeb filtering
8.28NewSecure coding

Organisational Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.105.1.1, 05.1.2Policies for information security
5.206.1.1Information security roles and responsibilities
5.306.1.2Segregation of duties
5.407.2.1Management responsibilities
5.506.1.3Contact with authorities
5.606.1.4Contact with special interest groups
5.7NewThreat intelligence
5.806.1.5, 14.1.1Information security in project management
5.908.1.1, 08.1.2Inventory of information and other associated assets
5.1008.1.3, 08.2.3Acceptable use of information and other associated assets
5.1108.1.4Return of assets
5.12 08.2.1Classification of information
5.1308.2.2Labelling of information
5.1413.2.1, 13.2.2, 13.2.3Information transfer
5.1509.1.1, 09.1.2Access control
5.1609.2.1Identity management
5.17 09.2.4, 09.3.1, 09.4.3Authentication information
5.1809.2.2, 09.2.5, 09.2.6Access rights
5.1915.1.1Information security in supplier relationships
5.2015.1.2Addressing information security within supplier agreements
5.2115.1.3Managing information security in the ICT supply chain
5.2215.2.1, 15.2.2Monitoring, review and change management of supplier services
5.23NewInformation security for use of cloud services
5.2416.1.1Information security incident management planning and preparation
5.2516.1.4Assessment and decision on information security events
5.2616.1.5Response to information security incidents
5.2716.1.6Learning from information security incidents
5.2816.1.7Collection of evidence
5.2917.1.1, 17.1.2, 17.1.3Information security during disruption
5.30NewICT readiness for business continuity
5.3118.1.1, 18.1.5Legal, statutory, regulatory and contractual requirements
5.3218.1.2Intellectual property rights
5.3318.1.3Protection of records
5.3418.1.4Privacy and protection of PII
5.3518.2.1Independent review of information security
5.3618.2.2, 18.2.3Compliance with policies, rules and standards for information security
5.3712.1.1Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
6.107.1.1Screening
6.207.1.2Terms and conditions of employment
6.307.2.2Information security awareness, education and training
6.407.2.3Disciplinary process
6.507.3.1Responsibilities after termination or change of employment
6.613.2.4Confidentiality or non-disclosure agreements
6.706.2.2Remote working
6.816.1.2, 16.1.3Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
7.111.1.1Physical security perimeters
7.211.1.2, 11.1.6Physical entry
7.311.1.3Securing offices, rooms and facilities
7.4NewPhysical security monitoring
7.511.1.4Protecting against physical and environmental threats
7.611.1.5Working in secure areas
7.711.2.9Clear desk and clear screen
7.811.2.1Equipment siting and protection
7.911.2.6Security of assets off-premises
7.1008.3.1, 08.3.2, 08.3.3, 11.2.5Storage media
7.1111.2.2Supporting utilities
7.1211.2.3Cabling security
7.1311.2.4Equipment maintenance
7.1411.2.7Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
8.106.2.1, 11.2.8User endpoint devices
8.209.2.3Privileged access rights
8.309.4.1Information access restriction
8.409.4.5Access to source code
8.509.4.2Secure authentication
8.612.1.3Capacity management
8.712.2.1Protection against malware
8.812.6.1, 18.2.3Management of technical vulnerabilities
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.1312.3.1Information backup
8.1417.2.1Redundancy of information processing facilities
8.1512.4.1, 12.4.2, 12.4.3Logging
8.16NewMonitoring activities
8.1712.4.4Clock synchronization
8.1809.4.4Use of privileged utility programs
8.1912.5.1, 12.6.2Installation of software on operational systems
8.2013.1.1Networks security
8.2113.1.2Security of network services
8.2213.1.3Segregation of networks
8.23NewWeb filtering
8.2410.1.1, 10.1.2Use of cryptography
8.2514.2.1Secure development life cycle
8.2614.1.2, 14.1.3Application security requirements
8.2714.2.5Secure system architecture and engineering principles
8.28NewSecure coding
8.2914.2.8, 14.2.9Security testing in development and acceptance
8.3014.2.7Outsourced development
8.3112.1.4, 14.2.6Separation of development, test and production environments
8.3212.1.2, 14.2.2, 14.2.3, 14.2.4Change management
8.3314.3.1Test information
8.3412.7.1Protection of information systems during audit testing
Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

Explore ISMS.online's platform with a self-guided tour - Start Now