Auditing ISO 27001 Annex A 8.1 (User Endpoint Devices) is a technical validation of the security posture governing mobile and fixed end-user hardware. The primary implementation requirement is central management of device configuration and encryption; the business benefit is protection of sensitive data from unauthorised local access.
ISO 27001 Annex A 8.1 User Endpoint Devices Audit Checklist
This technical verification tool is designed for lead auditors to establish the security posture and management of end-user hardware. Use this checklist to validate compliance with ISO 27001 Annex A 8.1.
1. Endpoint Security Policy Formalisation Verified
Verification Criteria: A documented policy exists that explicitly defines the security requirements for user endpoint devices, including laptops, tablets, and smartphones.
Required Evidence: Approved “Endpoint Security Policy” or “Mobile Device Policy” with evidence of recent management review and staff distribution.
Pass/Fail Test: If the organisation cannot produce a formal policy specifying the technical standards for endpoint devices, mark as Non-Compliant.
2. Full Disk Encryption (FDE) Enforcement Confirmed
Verification Criteria: Technical controls are active on all managed endpoints to ensure that data remains inaccessible in the event of hardware loss or theft.
Required Evidence: MDM (Mobile Device Management) dashboard reports or Group Policy Object (GPO) settings showing BitLocker, FileVault, or equivalent status as “Enabled” for 100% of sampled devices.
Pass/Fail Test: If a sampled endpoint device containing organisational data is found with encryption disabled or unmanaged, mark as Non-Compliant.
3. Automated Idle-Time Screen Lock Validated
Verification Criteria: Managed devices are configured to automatically lock the screen after a defined period of inactivity to prevent unauthorised local access.
Required Evidence: MDM profiles or GPO reports showing mandatory screen-lock timeouts (e.g. 5–15 minutes) and a “password required on wake” setting.
Pass/Fail Test: If an auditor can access an unattended user device that has been idle for longer than the policy-defined period without a password prompt, mark as Non-Compliant.
4. Anti-Malware and Real-Time Protection Presence Confirmed
Verification Criteria: Endpoint Protection Platform (EPP) or Endpoint Detection and Response (EDR) software is installed, active, and receiving regular signature or heuristic updates.
Required Evidence: EDR/AV central management console report showing “Healthy” status and recent update timestamps for all active endpoints.
Pass/Fail Test: If any managed device is identified as having real-time protection disabled or definitions more than 48 hours old, mark as Non-Compliant.
5. Remote Wipe Capability and Execution Evidence Identified
Verification Criteria: The organisation possesses the technical capability to remotely sanitise or lock endpoint devices reported as lost or stolen.
Required Evidence: MDM “Command History” logs showing successful wipe or lock commands issued to decommissioned or lost devices.
Pass/Fail Test: If the organisation cannot technically execute a remote wipe on a sampled managed smartphone or laptop, mark as Non-Compliant.
6. Least Privilege (Standard User) Enforcement Verified
Verification Criteria: End-users operate with “Standard User” privileges on their primary devices, with administrative rights restricted to authorised IT personnel only.
Required Evidence: Local administrator group reports for a sampled batch of devices showing that non-IT staff accounts are excluded from administrative roles.
Pass/Fail Test: If a non-technical staff member is found to have local administrative privileges on their corporate laptop without an approved exception, mark as Non-Compliant.
7. Personal Device (BYOD) Management Alignment Confirmed
Verification Criteria: Where personal devices access corporate data, they are subject to management via containerisation or Mobile Application Management (MAM) controls.
Required Evidence: Intune/MAM configuration reports showing “App Protection Policies” enforced for corporate applications on personal assets.
Pass/Fail Test: If staff can download corporate emails or documents to unmanaged personal devices without technical restriction or containerisation, mark as Non-Compliant.
8. Peripheral and External Port Restriction Validated
Verification Criteria: Technical controls restrict the use of high-risk peripheral devices or unauthorised USB storage to prevent data exfiltration and malware ingress.
Required Evidence: MDM or EDR configuration logs showing USB “Read-Only” enforcement or a whitelist of approved external hardware.
Pass/Fail Test: If a standard user can mount an unencrypted, unmanaged USB drive and transfer corporate data to it, mark as Non-Compliant.
9. OS and Application Patch Compliance Monitoring Verified
Verification Criteria: Endpoints are monitored for vulnerabilities and are subject to a mandatory patching schedule for Operating Systems and critical third-party applications.
Required Evidence: Vulnerability management dashboard or patching logs showing “Compliant” status for critical security updates across the endpoint fleet.
Pass/Fail Test: If a device has “Critical” security patches outstanding for more than 14 days without a documented technical justification, mark as Non-Compliant.
10. Secure Decommissioning and Sanitisation Records Present
Verification Criteria: Decommissioned or returned endpoint devices undergo a verified data sanitisation process before disposal or re-issue.
Required Evidence: Certificates of sanitisation (e.g. NIST 800-88 compliant) or technician logs cross-referenced against the Asset Register’s “Retired” status.
Pass/Fail Test: If a returned laptop is re-imaged or re-issued without a verified cryptographic erase or multi-pass wipe being recorded, mark as Non-Compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Device Inventory | Tool syncs with HR list and assumes every employee has “one laptop”. | Verify Shadow IT. The auditor must check for devices in the MDM that aren’t in HR, and vice versa. |
| Encryption Status | GRC platform identifies “Policy.pdf” as evidence. | Demand the FDE Report. Policy is intent; a live BitLocker compliance report from the MDM is evidence. |
| Patch Management | Tool records “Patching is enabled” via a static API check. | Verify Stale Devices. GRC tools often ignore devices that haven’t synced in 30 days but still hold data. |
| BYOD Control | Tool identifies a signed “BYOD Agreement” exists. | Verify Containerisation. Test if a user can copy-paste data from a managed app (Outlook) to a personal app (Notes). |
| Privilege Review | Platform identifies IT staff as “Administrators”. | Check the Standard Users. GRC tools often fail to flag that “Standard Users” can still disable local security agents. |
| Malware Protection | Tool confirms “AV is installed” on the device. | Verify Signature Age. GRC tools miss that AV is useless if the agent hasn’t updated its definitions in months. |
| Sanitisation | Platform marks a task as “Done” when an asset is retired. | Demand the Certificate. A GRC “tick” does not prove that NIST-compliant wiping actually occurred. |
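As an added example (not part of the original checklist or any GRC product), the following Python script applies the thresholds from items 2, 3, 4, 6 and 9 and the inventory reality checks from the table above to an exported MDM compliance report, so that stale devices are flagged rather than ignored and the HR list is reconciled in both directions. The export field names, the `IT-Admins` group name and the sample rows are constructed assumptions, not a real MDM schema.

```python
from datetime import datetime, timedelta, timezone

# Thresholds taken from the checklist items and the "Reality Check" table above.
MAX_LOCK_MIN, MAX_DEFS_AGE_H, MAX_PATCH_AGE_D, STALE_SYNC_D = 15, 48, 14, 30
AUTHORISED_ADMINS = {"IT-Admins"}  # assumed name of the approved IT admin group

def ts(s): return datetime.fromisoformat(s.replace("Z", "+00:00"))  # ISO-8601 "Z" timestamp

def evaluate_device(row, now):  # checklist findings for one exported row (empty = compliant)
    findings = []
    if row["fde"] != "Enabled":                                     # item 2
        findings.append("FDE not enabled")
    if row["lock_min"] > MAX_LOCK_MIN or not row["pw_on_wake"]:     # item 3
        findings.append("screen lock weaker than policy")
    if now - ts(row["av_defs"]) > timedelta(hours=MAX_DEFS_AGE_H):  # item 4
        findings.append("AV definitions older than 48h")
    if set(row["local_admins"]) - AUTHORISED_ADMINS:                # item 6
        findings.append("unauthorised local administrator")
    if row["crit_patch_age_days"] > MAX_PATCH_AGE_D:                # item 9
        findings.append("critical patch outstanding > 14 days")
    if now - ts(row["last_sync"]) > timedelta(days=STALE_SYNC_D):   # reality check
        findings.append("stale: not synced in 30 days but still holds data")
    return findings

def reconcile(rows, hr_users):  # shadow-IT check both ways: MDM-not-HR, HR-not-MDM
    mdm_users = {r["user"] for r in rows}
    return sorted(mdm_users - set(hr_users)), sorted(set(hr_users) - mdm_users)

def audit(rows, hr_users, now):  # per-device non-compliance plus inventory reconciliation
    per_device = {r["device"]: evaluate_device(r, now) for r in rows}
    in_mdm_not_hr, in_hr_not_mdm = reconcile(rows, hr_users)
    return {"non_compliant": {d: f for d, f in per_device.items() if f},
            "in_mdm_not_hr": in_mdm_not_hr, "in_hr_not_mdm": in_hr_not_mdm}

NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # audit date for the sample
SAMPLE_EXPORT = [  # constructed rows in the shape of an MDM export, not real data
    {"device": "LT-001", "user": "alice", "fde": "Enabled", "lock_min": 10, "pw_on_wake": True,
     "av_defs": "2024-05-02T06:00:00Z", "crit_patch_age_days": 3,
     "local_admins": ["IT-Admins"], "last_sync": "2024-05-02T09:00:00Z"},
    {"device": "LT-002", "user": "bob", "fde": "Disabled", "lock_min": 30, "pw_on_wake": False,
     "av_defs": "2024-04-29T06:00:00Z", "crit_patch_age_days": 21,
     "local_admins": ["IT-Admins", "bob"], "last_sync": "2024-05-02T09:00:00Z"},
    {"device": "LT-003", "user": "carol", "fde": "Enabled", "lock_min": 5, "pw_on_wake": True,
     "av_defs": "2024-03-01T06:00:00Z", "crit_patch_age_days": 0,
     "local_admins": ["IT-Admins"], "last_sync": "2024-03-01T07:00:00Z"},
]
HR_STAFF = ["alice", "bob", "dave"]  # carol is missing from HR's list; dave has no enrolled device

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, HR_STAFF, NOW))
```

Running it reports LT-002 with five findings and LT-003 as stale with outdated definitions, while `carol` appears in the MDM but not in HR and `dave` the other way round, which is exactly the Shadow IT gap the table warns a checkbox sync will miss.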
Stop Guessing. Start Passing.
AI-generated policies are generic and fail audits. Our Lead-Auditor templates have a 100% success rate. Don’t risk your certification on a prompt.