Let’s face it, the days of everyone sitting in a secure office behind a castle moat of firewalls are long gone. Today, your “office” is just as likely to be a kitchen table, a coffee shop, or a seat on a train. While this flexibility is great for productivity, it is a nightmare for security.
Every laptop, smartphone, and tablet that connects to your corporate data is a potential entry point for hackers. This is exactly why ISO 27001:2022 Annex A 8.1 exists. It is the control dedicated to securing “User Endpoint Devices.”
If you are scratching your head about how to lock down hundreds of devices without bringing your business to a grinding halt, you are in the right place. Let’s break down how to implement this control practically and painlessly.
What is Annex A 8.1?
In the 2022 update of the standard, Annex A 8.1 falls under the “Technological Controls” category. It requires that “information stored on, processed by or accessible via user endpoint devices shall be protected.”
Basically, you need to ensure that any device holding your company’s secrets—whether it’s a company-issued MacBook or an employee’s personal Android phone—is secure. This covers the entire lifecycle of the device, from the moment you hand it to a new starter to the moment you wipe it and recycle it.
Step 1: Write the Rules (The Policy)
You cannot expect employees to secure their devices if you haven’t told them how. The first step in implementation is creating a Topic-Specific Policy on User Endpoint Devices. This shouldn’t be a boring legal document; it needs to be a clear set of rules that staff can actually follow.
Your policy should cover:
- Registration: Every device that touches corporate data must be registered with IT before it is used. No “shadow IT” devices.
- Physical Protection: Don’t leave laptops in cars or unattended in public places.
- Access Controls: Devices must require a password, PIN, or biometric to unlock, and must lock automatically when idle.
- Software Updates: Users (or IT) must keep the operating system and applications patched.
- Loss or Theft: Staff must report a lost or stolen device immediately so IT can remotely lock or wipe it while the window to do so is still open.
If drafting policies feels like pulling teeth, Hightable.io offers comprehensive ISO 27001 toolkits that include these templates ready-made. Using a pre-structured policy can ensure you don’t miss the specific requirements the auditor is looking for.
Step 2: Know What You Have (Inventory)
You can’t protect what you don’t know about. This links closely with Annex A 5.9 (Inventory of information and other associated assets).
You need a register of every device that has access to corporate data. This includes:
- Device Type (Laptop, Mobile, Tablet)
- Serial Number
- Assigned User
- Operating System Version
Modern Mobile Device Management (MDM) tools like Microsoft Intune or Jamf can build and maintain this register for you. If you are a smaller business, a spreadsheet is acceptable, provided it is reviewed regularly and kept current. A register that still lists leavers’ laptops is a finding waiting to happen.
Step 3: Harden the Devices
Now for the technical part. You need to configure these devices so they are secure by default. An “out of the box” laptop is rarely secure enough for ISO 27001 compliance.
Your standard configuration (or “Gold Image”) should include:
- Encryption: Enable BitLocker (Windows) or FileVault (macOS). If a laptop is left on a train, the data should be unreadable. Escrow the recovery keys in your MDM or directory, otherwise a forgotten PIN becomes permanent data loss. Remember that full-disk encryption only protects a device that is powered off or locked; a logged-in, unlocked laptop is an open book.
- Screen Locks: Configure devices to auto-lock after 5 or 10 minutes of inactivity and to require authentication to unlock.
- Antivirus/EDR: Ensure next-generation protection (Annex A 8.7) is installed, active, and actually reporting back to its console.
- Automatic Updates: Ensure the OS and apps patch themselves automatically to close security holes (Annex A 8.8), and check the update status in your MDM rather than assuming the setting is doing its job.
Step 4: Handle BYOD (Bring Your Own Device)
This is where things get tricky. Employees often want to check email on their personal phones. Annex A 8.1 requires you to secure these devices too, but you can’t just wipe a personal phone if they leave, as you’d delete their family photos.
The solution is Containerisation (also known as Mobile Application Management or MAM).
Using tools like Intune or Google Workspace, you can create a “work profile” on the personal device. You control the work apps (Outlook, Teams, OneDrive), but you can’t see or touch their personal apps (WhatsApp, Photos). This allows you to remotely wipe only the corporate data if the employee leaves or loses the phone. Make sure your policy from Step 1 tells BYOD users up front that the work container can be wiped remotely, so there are no surprises on their last day.
Step 5: Physical Security
It sounds basic, but physical theft is still a huge risk. Your implementation needs to include training staff on physical security.
Remind them of the “Clear Desk Policy” (Annex A 7.7). A locked laptop is useless if the password is written on a Post-it note stuck to the screen. For high-risk areas, consider using Kensington locks to physically tether devices to desks.
Step 6: The “Leaver” Process
When an employee leaves, getting the device back is only half the battle. You need a process to sanitise the device before it is re-issued to someone else.
This links to Annex A 8.10 (Information Deletion). Simply deleting the user’s files isn’t enough. You should perform a secure factory reset or a secure wipe of the disk to ensure no residual data remains before the new user logs on. This is another reason to encrypt from day one (Step 3): on an encrypted device, the reset destroys the encryption key, so whatever is left on the disk is unreadable. Record the serial number, date, and wipe method for each device; the auditor will want to see that log, not just hear that it happens.
What Will the Auditor Look For?
When the audit day arrives, be prepared to show evidence. The auditor won’t just take your word for it.
- Show the Policy: Have your User Endpoint Policy document ready.
- Show the Controls: Open your MDM dashboard and show that encryption is turned on for 100% of devices, with a documented risk acceptance for any exception.
- Show the Inventory: Present your up-to-date list of assets.
- Test a Device: The auditor might ask a staff member to lock their screen or ask what they would do if they lost their phone.
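The inventory from Step 2 and the baseline from Step 3 are exactly what the auditor wants to see reconciled against each other. The script below is an added example, not part of the original article and not Hightable.io, Intune or Jamf code. It takes a constructed MDM inventory export (the field names are assumptions, not any vendor’s real schema) and reports which devices fall outside the baseline, together with the “percentage encrypted” figure the auditor will ask for. The minimum OS versions are illustrative assumptions too; substitute the versions you actually support.

```python
"""Reconcile an MDM inventory export against an Annex A 8.1 endpoint baseline.

Added example. Field names and minimum OS versions are assumptions for
illustration, not the export schema of any real MDM product.
"""
import json
from dataclasses import dataclass

# Baseline drawn from the hardening steps: screen lock, encryption, EDR,
# automatic updates, and a minimum supported OS version (assumed values).
BASELINE = {
    "max_lock_minutes": 10,
    "min_os": {
        "Windows": (10, 0, 19045),
        "macOS": (13, 0, 0),
        "iOS": (16, 0, 0),
        "Android": (13, 0, 0),
    },
}

# Constructed sample export with one compliant laptop and three that are not.
SAMPLE_EXPORT = """[
 {"serial": "C02XK1ABC", "assigned_user": "a.lee", "device_type": "Laptop", "os": "macOS",
  "os_version": "14.2", "encrypted": true, "recovery_key_escrowed": true,
  "screen_lock_minutes": 5, "edr_active": true, "auto_update": true},
 {"serial": "5CD9876XY", "assigned_user": "b.khan", "device_type": "Laptop", "os": "Windows",
  "os_version": "10.0.19045", "encrypted": false, "recovery_key_escrowed": false,
  "screen_lock_minutes": 10, "edr_active": true, "auto_update": true},
 {"serial": "R58N12345", "assigned_user": "", "device_type": "Mobile", "os": "Android",
  "os_version": "14", "encrypted": true,
  "screen_lock_minutes": 15, "edr_active": true, "auto_update": true},
 {"serial": "C02ZZ9DEF", "assigned_user": "c.diaz", "device_type": "Laptop", "os": "macOS",
  "os_version": "12.6.1", "encrypted": true, "recovery_key_escrowed": false,
  "screen_lock_minutes": 5, "edr_active": false, "auto_update": true}
]"""


@dataclass
class Finding:
    serial: str
    issues: list


def load_export(text):
    """Parse the JSON export into a list of device records."""
    return json.loads(text)


def parse_version(s):
    """Turn '10.0.19045' or '14' into a comparable 3-tuple; non-numeric parts become 0."""
    parts = []
    for p in s.split("."):
        parts.append(int(p) if p.isdigit() else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def check_device(d):
    """Return a Finding listing every way this record misses the baseline."""
    issues = []
    for key in ("serial", "assigned_user", "os", "os_version"):
        if not d.get(key):
            issues.append(f"inventory incomplete: missing {key}")
    if d.get("encrypted") is not True:
        issues.append("disk encryption not enabled")
    elif d.get("device_type") == "Laptop" and not d.get("recovery_key_escrowed"):
        issues.append("recovery key not escrowed in MDM")
    lock = d.get("screen_lock_minutes")
    if lock is None or lock <= 0 or lock > BASELINE["max_lock_minutes"]:
        issues.append(f"screen lock timeout {lock} outside baseline")
    if not d.get("edr_active"):
        issues.append("EDR agent not active or not reporting")
    if not d.get("auto_update"):
        issues.append("automatic updates disabled")
    os_name, os_version = d.get("os"), d.get("os_version")
    min_os = BASELINE["min_os"].get(os_name)
    if os_name and min_os is None:
        issues.append(f"unrecognised OS {os_name!r}")
    elif os_name and os_version and parse_version(os_version) < min_os:
        issues.append(f"{os_name} {os_version} below minimum supported version")
    return Finding(d.get("serial") or "<unknown>", issues)


def compliance_report(devices):
    """Summarise the fleet: totals, encrypted percentage, and per-device issues."""
    findings = [check_device(d) for d in devices]
    total = len(findings)
    encrypted = sum(1 for d in devices if d.get("encrypted") is True)
    non_compliant = [f for f in findings if f.issues]
    return {
        "total": total,
        "compliant": total - len(non_compliant),
        "encrypted_pct": round(100.0 * encrypted / total, 1) if total else 0.0,
        "findings": {f.serial: f.issues for f in non_compliant},
    }


if __name__ == "__main__":
    report = compliance_report(load_export(SAMPLE_EXPORT))
    print(f"{report['compliant']}/{report['total']} compliant, "
          f"{report['encrypted_pct']}% encrypted")
    for serial, issues in report["findings"].items():
        print(serial, "->", "; ".join(issues))
```

Run against the constructed export this reports 1 of 4 devices compliant and 75% encrypted. The point of the per-device issue list is that “encryption is on” is only one line of the baseline: the Windows laptop fails on encryption, the Android phone on an unassigned owner and a 15-minute lock, and the older Mac on an unescrowed key, a silent EDR agent, and an unsupported OS. Feed it your real export (adjusting the field names) and you have the evidence for the “Show the Controls” conversation rather than a screenshot.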
Conclusion
Implementing ISO 27001 Annex A 8.1 is about finding the balance between security and usability. By automating the technical controls (like updates and encryption) and providing clear, sensible rules for your users, you can secure your endpoints without stifling productivity.
If you need support getting your documentation in order, the templates available at Hightable.io are a fantastic resource to ensure your policies are compliant, comprehensive, and audit-ready.
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.