Securing User Endpoint Devices: ISO 27002 Control 8.1 Explained
While the shift to remote work and growing use of mobile devices boost employee productivity and save organisations money, user endpoint devices such as laptops, mobile phones, and tablets are vulnerable to cyber threats. This is because cyber criminals often exploit these devices to gain unauthorised access to corporate networks and compromise information assets.
For example, cyber criminals may target employees with a phishing attack, persuade employees to download a malware attachment, and then use this malware-infected user endpoint device to spread the malware across the entire corporate network. This attack can result in the loss of availability, integrity, or confidentiality of information assets.
According to a survey of 700 IT professionals, around 70% of organisations experienced a compromise of information assets and IT infrastructure as a result of an attack involving user endpoint devices in 2020.
Control 8.1 addresses how organisations can establish, maintain and implement topic-specific policy, procedures, and technical measures to ensure that information assets hosted or processed on user endpoint devices are not compromised, lost or stolen.
Purpose of Control 8.1
Control 8.1 enables organisations to protect and maintain the security, confidentiality, integrity, and availability of information assets housed on or accessible via endpoint user devices by putting in place suitable policies, procedures and controls.
Attributes Table of Control 8.1
Control 8.1 is preventive in nature. It requires organisations to implement policies, procedures, and technical measures that apply to all user endpoint devices which host or process information assets so that they are not compromised, lost, or stolen.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality, #Integrity, #Availability | #Protect | #Asset Management, #Information Protection | #Protection |
Ownership of Control 8.1
Considering that compliance with Control 8.1 entails the creation of, maintenance of and adherence to an organisation-wide topic-specific policy, procedures and technical measures, the chief information security officer should bear responsibility for compliance with the requirements of Control 8.1.
General Guidance on Compliance
Control 8.1 requires organisations to create a topic-specific policy that addresses how user endpoint devices should be configured securely and how these devices should be handled by users.
All personnel should be informed about this policy, and the policy should cover the following:
- What types of information, and in particular which classification levels, may be processed, stored or used on user endpoint devices.
- How the devices should be registered.
- Requirements for the physical protection of devices.
- Restrictions on the installation of software programmes on devices.
- Rules on the installation of software on the devices and on software updates.
- Rules on how the user endpoint devices can be connected to public networks or to networks on other off-site premises.
- Access controls.
- Encryption of the storage media hosting information assets.
- How devices will be protected against malware attacks.
- How devices can be disabled or locked out. How information contained in the devices can be wiped off remotely.
- Back-up methods and procedures.
- Rules on the use of web applications and services.
- Analysis of end-user behaviour.
- How removable storage media such as USB drives can be used and how physical ports such as USB ports can be disabled.
- How segregation capabilities can be used to separate the organisation’s information assets from other assets stored on the user device.
Furthermore, the General Guidance notes that organisations should consider prohibiting the storage of sensitive information assets on user endpoint devices by implementing technical controls.
These technical controls may include disabling local storage functions such as SD cards.
In putting these recommendations into practice, organisations should apply configuration management as set out in Control 8.9 and use automated tools.
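As an added illustration of applying the policy items above with an automated tool (this is example code, not from the standard or the page), the following Python script evaluates constructed endpoint inventory records, of the kind an MDM export might provide, against a small policy: registration, storage encryption, malware protection, remote lock/wipe, screen lock, classification limits by ownership model, USB port control for devices holding confidential data, and work/personal segregation for BYOD. Field names, classification levels and the per-ownership limits are assumptions.

```python
"""Posture check of endpoint inventory records against Control 8.1 policy items (added example)."""
from __future__ import annotations
from dataclasses import dataclass

CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Constructed policy: most sensitive class a device may hold, by ownership model.
MAX_CLASS = {"corporate": "restricted", "byod": "internal"}
# (attribute, finding) pairs that every device must satisfy regardless of data held.
REQUIRED = [
    ("registered", "device not registered"),
    ("disk_encrypted", "storage media not encrypted"),
    ("malware_protection", "no malware protection"),
    ("remote_wipe_enrolled", "remote lock/wipe not available"),
    ("screen_lock", "no screen lock for unattended use"),
]

@dataclass
class Device:  # one inventory record; field names are constructed, not an MDM schema
    device_id: str
    ownership: str                 # "corporate" or "byod"
    registered: bool
    disk_encrypted: bool
    malware_protection: bool
    remote_wipe_enrolled: bool
    screen_lock: bool
    usb_storage_disabled: bool
    work_data_segregated: bool     # organisation data separated from personal data
    highest_classification: str    # most sensitive class of data stored on the device

def evaluate(d: Device) -> list[str]:
    """Return the policy items the device fails; an empty list means compliant."""
    f = [msg for attr, msg in REQUIRED if not getattr(d, attr)]
    rank, limit = CLASSIFICATION_RANK[d.highest_classification], MAX_CLASS[d.ownership]
    if rank > CLASSIFICATION_RANK[limit]:
        f.append(f"holds {d.highest_classification} data; {d.ownership} limit is {limit}")
    if rank >= CLASSIFICATION_RANK["confidential"] and not d.usb_storage_disabled:
        f.append("USB mass storage enabled on device holding confidential data")
    if d.ownership == "byod" and not d.work_data_segregated:
        f.append("BYOD device without work/personal segregation")
    return f

def audit(devices: list[Device]) -> dict[str, list[str]]:
    """Map each device id to its findings so non-empty entries can be actioned."""
    return {d.device_id: evaluate(d) for d in devices}

SAMPLE = [  # constructed inventory export
    Device("LT-001", "corporate", True, True, True, True, True, True, True, "confidential"),
    Device("LT-002", "corporate", True, False, True, True, True, False, True, "restricted"),
    Device("PH-003", "byod", False, True, True, False, True, False, False, "confidential"),
]
```

Running `audit(SAMPLE)` reports LT-001 as compliant, LT-002 with two findings and PH-003 with five, which is the output a configuration-management tool would feed into remediation.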
Supplementary Guidance on User Responsibility
All personnel should be informed about the security measures for user endpoint devices and procedures they should adhere to. Furthermore, they should be made aware of their responsibilities for applying these measures and procedures.
Organisations should instruct personnel to comply with the following rules and procedures:
- When a service is no longer required or when a session ends, users should log out of the session and terminate the service.
- Personnel should not leave their devices unattended. When devices are not in use, personnel should secure them against unauthorised access or use by applying physical controls such as key locks and technical controls such as robust passwords.
- Personnel should act with extra care when they use endpoint devices containing sensitive information in insecure public areas.
- User endpoint devices should be protected against theft, particularly in risky areas such as hotel rooms, conference rooms or public transport.
Organisations are also advised to establish a specific procedure for the loss or theft of user endpoint devices. This procedure should be created taking into account legal, contractual and security requirements.
Supplementary Guidance on Use of Personal Devices (BYOD)
While allowing personnel to use their own personal devices for work-related purposes saves organisations money, it exposes sensitive information assets to new risks.
Control 8.1 lists five recommendations that organisations should consider when allowing employees to use their own devices for work-related tasks:
- There should be technical measures such as software tools in place to separate the personal and business use of the devices so that the organisation’s information is protected.
- Personnel should be allowed to use their own device only after they agree to the following:
  - Personnel acknowledge their duties to physically protect devices and to carry out necessary software updates.
  - Personnel agree not to claim any ownership of the organisation’s information assets.
  - Personnel agree that information contained in the device can be remotely deleted when the device is lost or stolen, subject to legal requirements for personal data.
- Establishment of policies on the ownership of intellectual property rights created via the use of user endpoint devices.
- How the private devices of personnel will be accessed considering the statutory restrictions on such access.
- Allowing personnel to use their private devices can lead to legal liability due to the use of third-party software on these devices. Organisations should consider the software licensing agreements they have with their vendors.
Supplementary Guidance on Wireless Connections
Organisations should develop and maintain procedures for:
- How wireless connections on the devices should be configured.
- How wireless or wired connections with sufficient bandwidth will be used in compliance with topic-specific policies.
Additional Guidance on Control 8.1
When user endpoint devices are taken out of the organisation’s premises, information assets may be exposed to heightened risks of compromise. Therefore, organisations may have to establish different controls for devices used outside of premises.
Furthermore, Control 8.1 cautions organisations against loss of information due to two risks related to wireless connections:
- Wireless connections with low bandwidth may result in failure of data back-up.
- User endpoint devices may occasionally get disconnected from the wireless network and scheduled back-ups may fail.
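The two backup failure modes above (low bandwidth and intermittent disconnection) are what a backup procedure for endpoint devices has to tolerate. As an added example that is not from the page or the standard, the Python below backs up data in small chunks over a constructed flaky link, records each confirmed chunk in a manifest so an interrupted run resumes where it stopped, and reports "incomplete" instead of silently treating a failed scheduled backup as done. The `FlakyLink` class, chunk size and retry count are assumptions for the demonstration.

```python
"""Resumable, verified chunked backup over an unreliable link (added example)."""
import hashlib

CHUNK = 4  # bytes per chunk; tiny so the constructed sample exercises resume logic

class FlakyLink:
    """Constructed stand-in for a wireless link that drops on given attempt numbers."""
    def __init__(self, drop_on):
        self.drop_on, self.attempt, self.store = set(drop_on), 0, {}
    def put(self, index, chunk, digest):
        self.attempt += 1
        if self.attempt in self.drop_on:
            raise ConnectionError(f"link dropped on attempt {self.attempt}")
        if hashlib.sha256(chunk).hexdigest() != digest:  # receiver-side integrity check
            raise ValueError("chunk digest mismatch")
        self.store[index] = chunk

def chunks(data: bytes) -> list[bytes]:
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]

def run_backup(data: bytes, link: FlakyLink, manifest: dict, max_retries: int = 3):
    """Upload only chunks the manifest has not confirmed, retrying after drops.

    Returns (status, manifest). Status is "incomplete" when any chunk is still
    unconfirmed, so the scheduler can flag the failure rather than report success."""
    parts = chunks(data)
    expected = {i: hashlib.sha256(c).hexdigest() for i, c in enumerate(parts)}
    for i, c in enumerate(parts):
        if manifest.get(i) == expected[i]:
            continue  # confirmed in an earlier run; resume past it
        for _ in range(max_retries):
            try:
                link.put(i, c, expected[i])
                manifest[i] = expected[i]  # confirm only after the link accepted it
                break
            except ConnectionError:
                continue
        else:  # retries exhausted for this chunk
            return "incomplete", manifest
    return "complete", manifest

def restore(link: FlakyLink) -> bytes:
    """Reassemble the stored chunks; used to verify the backup is actually whole."""
    return b"".join(link.store[i] for i in sorted(link.store))
```

With a link that drops attempts 2 to 5, the first run stops at chunk 1 and returns "incomplete"; a second run with the same manifest skips chunk 0, retries chunk 1 and completes, and `restore` then reproduces the original data.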
Changes and Differences from ISO 27002:2013
27002:2022/8.1 replaces 27002:2013/(6.2.1 and 11.2.8)
Structural Differences
In contrast to the 2022 version, which addresses user endpoint devices under one control (8.1), the 2013 version included two separate controls: Mobile Device Policy in Control 6.2.1 and Unattended User Equipment in Control 11.2.8.
Furthermore, whereas Control 8.1 in the 2022 version applies to all user endpoint devices such as laptops, tablets and mobile phones, the 2013 version only referred to mobile devices.
2022 Version Prescribes Additional Requirements for User Responsibility
While both Versions are largely similar in terms of the requirements for user responsibility, the 2022 Version contains one additional requirement:
- Personnel should act with extra care when they use endpoint devices containing sensitive information in insecure public areas.
2022 Version Is More Comprehensive in Terms of BYOD
Compared to the 2013 version, Control 8.1 in the 2022 version introduces three new requirements for the use of personnel’s private devices (BYOD):
- Establishment of policies on the ownership of intellectual property rights created via the use of user endpoint devices.
- How the private devices of personnel will be accessed considering the statutory restrictions on such access.
- Allowing personnel to use their private devices can lead to legal liability due to the use of third-party software on these devices. Organisations should consider the software licensing agreements they have with their vendors.
2022 Version Requires a More Detailed Topic-Specific Policy
Similar to the 2013 version, the 2022 version also requires organisations to adopt a topic-specific policy on user endpoint devices.
However, Control 8.1 in the 2022 version is more comprehensive, as it contains three new elements that need to be included:
- Analysis of end-user behaviour.
- How removable devices such as USB drives can be used and how physical ports such as USB ports can be disabled.
- How segregation capabilities can be used to separate the organisation’s information assets from other assets stored on the user device.
New ISO 27002 Controls
New Controls
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
People Controls
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
Physical Controls
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.online Helps
ISMS.Online is the leading ISO 27002 management system software that supports compliance with ISO 27002, and helps companies to align their security policies and procedures with the standard.
The cloud-based platform provides a complete set of tools to assist organisations in setting up an information security management system (ISMS) according to ISO 27002.
Get in touch today to book a demo.