ISO27001 Annex A 8.1 User Endpoint Devices

Home / ISO 27001 Annex A Controls / ISO27001 Annex A 8.1 User Endpoint Devices

What is ISO27001 Annex A 8.1 User Endpoint Devices?

ISO27001 Annex A 8.1 User Endpoint Devices is an ISO27001 control that looks to make sure you have controls in place to protect devices that store, process or transmit data.


The purpose of Annex A 8.1 User Endpoint Devices is to protect information against the risks introduced by using user endpoint devices.


The ISO27001 standard defines Annex A 8.1 as:

Information stored on, processed by or accessible via user endpoint devices should be protected.

ISO27001:2022 Annex A 8.1 User Endpoint Devices


Stop Spanking £10,000’s on Consultants and Platforms

ISO 27001 Toolkit Business Edition

Implementation Guide

Endpoint devices are the devices and equipment that people use to get the job done and they need protecting. This control is about the protection of endpoint devices and to secure and protect the data that they process, store and transmit.

Endpoint devices are typically harder to manage as people are a lot more mobile. In the mobile economy it is difficult to predict the environment in which the endpoint device will be used and as a result difficult to predict the risks that you would need to mitigate.

Topic Specific Policy

A starting point is the create of a topic specific policy that clearly sets out what you expect to happen. A topic specific policy on the secure configuration and use of devices is the starting point.

Technical Controls

In this day and age you would need a compelling reason not to have the basic technical controls of encryption and protection against malware software installed. These are a first line of defence. Consideration for layering on top of that endpoint device management solutions that give you more control over what the device can and cannot do is now common place. Where the ability to remote lock or remote wipe a device is available this should also be considered.


Backups present their own challenges. As a rule, for ease, you are not going to have a structured approach to the back up of end point devices. That is unless you need one. What you will have to consider though is if people do personal backups then where are those backups and how secure are they. This can be a real rabbit hole to go down.


A large section of the guidance on this control concerns user responsibility, and rightly so. There is a lot of trust being placed in the users of these devices. Your role here is setting out what is expected, advising, communicating, training and educating. To tell people not to do silly things like leave these devices unattended, or worse case unattended and logged in. That they should be protected against theft and logged out of when not in use.

Bring Your Own Device (BYOD)

People in smaller organisations really like using their own devices. It is not ideal but is also something that can be overcome. You will consider the technical controls that are in your gift and how they can mitigate risks. Example of access over VPN, or terminal equivalent access can work. Having either manual or automated checks that the devices at least have the basics of malware protection, encryption and are patched to the latest version would be expected. The real kicker here is that legislation often works against you if you allow a personal device as you probably cannot do what you think you can do. An example of this would be thinking you can remote wipe a personal device or ask to view the contents of a personal device. It is easy to allow, but a little a tricker to manage and usually the best course of action is to dig deep in those pockets and find the money to get a work device the person can use.

ISO27001 Templates

ISO27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. This ISO27001 Toolkit has been specifically designed so you can DIY your ISO27001 certification, build your ISMS in a week and be ISO27001 certification ready in 30 days.


Stop Spanking £10,000’s on Consultants and Platforms

ISO 27001 Toolkit Business Edition

How to pass an audit of ISO27001 User Endpoint Devices

Time needed: 1 day

How to comply with ISO27001 Annex A 8.1

  1. Have policies and procedures in place

    Write, approve, implement and communicate the documentation required for user end point devices.

  2. Assess your equipment and perform a risk assessment

    Have an asset management process that includes an asset register. For each asset type perform a risk assessment. Based on the risk assessment implement the appropriate controls to mitigate the risk

  3. Keep records

    For audit purposes you will keep records. Examples of the records to keep include changes, updates, monitoring, review and audits.

  4. Test the controls that you have to make sure they are working

    Perform internal audits that include the testing of the controls to ensure that they are working.

What the auditor will check

The audit is going to check a number of areas for ISO27001 Annex A 8.1 User Endpoint Devices. Lets go through the main ones:

1. That you have an asset register

The auditor will check that you have an asset register and an asset management process. They will want to see all of the end point devices in an asset register and that they are assigned to people. For this they are also wanting to see bring your own devices (BYOD) or people’s own devices that connect to or interact with the in scope services.

2. That devices are protected and checked

The auditor is going to check that all the appropriate controls are on the end point device with the usual ones being antivirus and encryption. The SOA and the in scope controls is the starting point and specifically the technical controls that you have said are in scope. They want to see that these are checked periodically with evidence of the checks and they also want to see what you do if the checks fail, with evidence of an example of that. This is covered in more depth in ISO27001 Annex A Control 5.9 Inventory of information and other associated assets.

A great one here is that they will also check that you check that devices used by auditors and testers as part of verification activities are secure to your standards before allowing them to connect. This is covered in more detail in ISO27001 Annex A 8.34 Protection of information systems during audit testing

3. Anyone they audit

They will likely check anyone that they audit. The usual operating approach is to get the person to share their screen and then to direct them to show the technical controls in place. This is usually ‘show me the antivirus is working’ as an approach. It is less common for them to observe the desk top and the trash for evidence of things that should not be there. You really should get everyone that is being audited to perform house keeping before the audit with the assumption they will be asked to share their screen. You can refuse and base that on confidentiality but they will want to see a sample of devices so if not you, then it will be someone.

Top 3 Mistakes People Make

The top 3 mistakes people make for ISO27001 Annex A 8.1 are

1. Letting people use their own devices

This is not a bad thing actually. Although it comes with some challenges and costs that are going to be far in excess of the cost of just providing a device owned and managed by the organisation. Be sure the appropriate controls are in place and that you can evidence them working.

2. Not encrypting devices

There is no real reason in this day and age to not have encryption. It is built into most operating systems and devices and if not can be easily applied. Having and not having it turned on is worse that not just having it. If you don’t or can’t have it then manage it via risk management and have it on the risk register but where you can deploy it, do, and check it is in place.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing