ISO 27001 User End Point Devices

I am going to show you what ISO 27001 Annex A 8.1 User Endpoint Devices is, what’s new, give you ISO 27001 templates, and ISO 27001 toolkit, show you examples, do a walkthrough and show you how to implement it.

I am Stuart Barker the ISO 27001 Ninja and using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.

What is ISO 27001 Annex A 8.1 User Endpoint Devices?

ISO 27001 Annex A 8.1 User Endpoint Devices is an ISO 27001 control that looks to make sure you have controls in place to protect devices that store, process or transmit data.

ISO 27001 Annex A 8.1 Purpose

The purpose of Annex A 8.1 User Endpoint Devices is to protect information against the risks introduced by using user endpoint devices.

ISO 27001 Annex A 8.1 Definition

The ISO 27001 standard defines Annex A 8.1 as:

Information stored on, processed by or accessible via user endpoint devices should be protected.

ISO 27001 Annex A 8.1 User Endpoint Devices



ISO 27001 User Endpoint Devices Implementation Guide

Endpoint devices are the devices and equipment that people use to get the job done and they need protecting. This control is about the protection of endpoint devices and to secure and protect the data that they process, store and transmit.

Endpoint devices are typically harder to manage as people are a lot more mobile. In the mobile economy it is difficult to predict the environment in which the endpoint device will be used and as a result difficult to predict the risks that you would need to mitigate.

Topic Specific Policy

A starting point is the create of a topic specific policy that clearly sets out what you expect to happen. A topic specific policy on the secure configuration and use of devices is the starting point.

Technical Controls

In this day and age you would need a compelling reason not to have the basic technical controls of encryption and protection against malware software installed. These are a first line of defence. Consideration for layering on top of that endpoint device management solutions that give you more control over what the device can and cannot do is now common place. Where the ability to remote lock or remote wipe a device is available this should also be considered.


Backups present their own challenges. As a rule, for ease, you are not going to have a structured approach to the back up of end point devices. That is unless you need one. What you will have to consider though is if people do personal backups then where are those backups and how secure are they. This can be a real rabbit hole to go down.


A large section of the guidance on this control concerns user responsibility, and rightly so. There is a lot of trust being placed in the users of these devices. Your role here is setting out what is expected, advising, communicating, training and educating. To tell people not to do stupid things like leave these devices unattended, or worse case unattended and logged in. That they should be protected against theft and logged out of when not in use.

Bring Your Own Device (BYOD)

People in smaller organisations really like using their own devices. It is not ideal but is also something that can be overcome. You will consider the technical controls that are in your gift and how they can mitigate risks. Example of access over VPN, or terminal equivalent access can work. Having either manual or automated checks that the devices at least have the basics of malware protection, encryption and are patched to the latest version would be expected. The real kicker here is that legislation often works against you if you allow a personal device as you probably cannot do what you think you can do. An example of this would be thinking you can remote wipe a personal device or ask to view the contents of a personal device. It is easy to allow, but a little a tricker to manage and usually the best course of action is to dig deep in those pockets and find the money to get a work device the person can use.

ISO 27001 Templates

ISO 27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. This ISO 27001 Toolkit has been specifically designed so you can DIY your ISO 27001 certification, build your ISMS in a week and be ISO 27001 certification ready in 30 days.

How to pass an audit of ISO 27001 User Endpoint Devices

Time needed: 1 day

How to comply with ISO 27001 Annex A 8.1

  1. Have policies and procedures in place

    Write, approve, implement and communicate the documentation required for user end point devices.

  2. Assess your equipment and perform a risk assessment

    Have an asset management process that includes an asset register. For each asset type perform a risk assessment. Based on the risk assessment implement the appropriate controls to mitigate the risk

  3. Keep records

    For audit purposes you will keep records. Examples of the records to keep include changes, updates, monitoring, review and audits.

  4. Test the controls that you have to make sure they are working

    Perform internal audits that include the testing of the controls to ensure that they are working.

Top 3 Mistakes People Make for User Endpoint Devices

The top 3 mistakes people make for ISO 27001 Annex A 8.1 are

1. Letting people use their own devices

This is not a bad thing actually. Although it comes with some challenges and costs that are going to be far in excess of the cost of just providing a device owned and managed by the organisation. Be sure the appropriate controls are in place and that you can evidence them working.

2. Not encrypting devices

There is no real reason in this day and age to not have encryption. It is built into most operating systems and devices and if not can be easily applied. Having and not having it turned on is worse that not just having it. If you don’t or can’t have it then manage it via risk management and have it on the risk register but where you can deploy it, do, and check it is in place.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Get the Help of the ISO 27001 Ninja

Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster that you ever thought possible.