ISO 27001 A.8.1: User endpoint devices
What This Control Requires
Information stored on, processed by or accessible via user endpoint devices shall be protected.
In Plain Language
Laptops, phones, tablets - these are where your data actually lives day to day, and they are the number one way attackers get in. If a developer's unencrypted laptop gets stolen from a coffee shop, you could be looking at a reportable breach before lunch. Endpoint protection is not just antivirus anymore. You need multiple layers: device hardening and encryption, proper access controls and data loss prevention, modern endpoint protection software, and a managed lifecycle from provisioning through to decommissioning. With remote work now the norm and BYOD policies everywhere, your endpoints regularly operate outside any corporate network perimeter. Auditors will want to see that your security posture holds up regardless of where the device is or who owns it.
How to Implement
Start with an endpoint security policy covering all device types - corporate and BYOD. Define what is expected for each category and make sure the rules are enforceable, not aspirational.

Set up hardening baselines using CIS benchmarks or similar. The non-negotiables: full-disk encryption on every endpoint, automatic screen lock after inactivity, host-based firewall enabled, unnecessary services and ports disabled, local admin accounts locked down, BIOS/UEFI password protection, and secure boot turned on.

Deploy endpoint protection on all devices. At minimum you want next-generation antivirus or EDR, host-based intrusion prevention, web filtering or DNS-based security, and a personal firewall. For high-security environments, add application whitelisting. Make sure everything is centrally managed with automatic updates and real-time reporting.

Roll out an MDM or UEM platform. Use it to enforce policies, push software and patches, monitor compliance, and remotely wipe lost or stolen devices. No device should touch organisational resources without being enrolled first.

Nail down patch management. Critical patches within 72 hours, everything else within 30 days. Automate deployment and monitor compliance. Consider conditional access policies that block unpatched devices from sensitive resources - nothing motivates timely patching like losing access.

Protect data on the endpoints themselves. Deploy DLP tools, restrict or manage USB ports, control which apps can access organisational data, and use containerisation on BYOD devices. Require secure connections (VPN or ZTNA) for remote access.
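The hardening baseline, the MDM enrolment requirement and the 72-hour/30-day patch SLA described above can be turned into an automated compliance check whose output feeds a conditional access policy and the compliance reports an auditor asks for. The Python below is an added example, not AuditFront's code or any MDM product's API; the inventory field names and the three device records are constructed assumptions, and a fixed "now" is used so the results are reproducible.

```python
"""Endpoint compliance check over a constructed device inventory.

Added example, not AuditFront's code. Assumes an inventory export with the
(hypothetical) fields shown in SAMPLE_INVENTORY. SLA values follow the
control guidance: critical patches within 72 hours, everything else within
30 days.
"""
from datetime import datetime, timedelta, timezone

CRITICAL_SLA = timedelta(hours=72)
STANDARD_SLA = timedelta(days=30)

# Baseline settings every endpoint must have, corporate or BYOD
BASELINE = ("fde_enabled", "screen_lock", "host_firewall", "secure_boot", "edr_installed")

# Fixed evaluation time so the example is deterministic
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)

SAMPLE_INVENTORY = [  # constructed records, not real devices
    {
        "device_id": "LAP-0001", "ownership": "corporate", "mdm_enrolled": True,
        "fde_enabled": True, "screen_lock": True, "host_firewall": True,
        "secure_boot": True, "edr_installed": True,
        "patches": [
            {"id": "KB-C1", "severity": "critical",
             "released": "2024-06-08T09:00:00Z", "installed": "2024-06-09T10:00:00Z"},
            {"id": "KB-S1", "severity": "standard",
             "released": "2024-05-01T00:00:00Z", "installed": "2024-05-20T00:00:00Z"},
        ],
    },
    {
        "device_id": "LAP-0002", "ownership": "corporate", "mdm_enrolled": True,
        "fde_enabled": False, "screen_lock": True, "host_firewall": True,
        "secure_boot": True, "edr_installed": True,
        "patches": [  # critical patch released 9 days ago and still missing
            {"id": "KB-C1", "severity": "critical",
             "released": "2024-06-01T09:00:00Z", "installed": None},
        ],
    },
    {
        "device_id": "PHN-0007", "ownership": "byod", "mdm_enrolled": False,
        "fde_enabled": True, "screen_lock": True, "host_firewall": False,
        "secure_boot": True, "edr_installed": False,
        "patches": [  # standard patch released 40 days ago and still missing
            {"id": "OS-S2", "severity": "standard",
             "released": "2024-05-01T00:00:00Z", "installed": None},
        ],
    },
]


def _parse(ts):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def patch_findings(patches, now=NOW):
    """Return ids of patches that missed their SLA: installed after the deadline,
    or not installed at all once the deadline has passed."""
    late = []
    for p in patches:
        sla = CRITICAL_SLA if p["severity"] == "critical" else STANDARD_SLA
        deadline = _parse(p["released"]) + sla
        installed = p["installed"]
        if installed is None:
            if now > deadline:
                late.append(p["id"])
        elif _parse(installed) > deadline:
            late.append(p["id"])
    return late


def evaluate_device(dev, now=NOW):
    """Return the list of findings for one device; an empty list means compliant."""
    findings = []
    if not dev["mdm_enrolled"]:
        findings.append("not enrolled in MDM/UEM")
    for setting in BASELINE:
        if not dev.get(setting):
            findings.append(f"baseline: {setting} off")
    for pid in patch_findings(dev["patches"], now):
        findings.append(f"patch SLA missed: {pid}")
    return findings


def compliance_report(inventory, now=NOW):
    """Map device_id -> findings. This is the per-device evidence an auditor reviews."""
    return {d["device_id"]: evaluate_device(d, now) for d in inventory}


def devices_to_block(report):
    """Conditional-access input: any device with an open finding loses access
    to sensitive resources until it is remediated."""
    return sorted(dev for dev, findings in report.items() if findings)


if __name__ == "__main__":
    report = compliance_report(SAMPLE_INVENTORY)
    for device, findings in report.items():
        print(device, "COMPLIANT" if not findings else findings)
    print("block:", devices_to_block(report))
```

The same structure works against a real MDM or EDR export once the field names are mapped; the point is that the baseline and the patch SLA are expressed once, as data, and every device is measured against them the same way, which is what gives the centralised visibility the control expects.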
Evidence Your Auditor Will Request
- Endpoint security policy covering all device types
- Endpoint hardening baseline configuration standards
- EDR or endpoint protection deployment and compliance records
- Endpoint management platform enrollment and compliance reports
- Patch compliance reports for endpoints
Common Mistakes
- Not all endpoints have full-disk encryption enabled
- Endpoint protection software is not deployed consistently across all devices
- BYOD devices access organizational data without management controls
- Endpoint patches are not deployed within defined timeframes
- No centralized visibility into endpoint security posture across the organization
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.6 | Related |
| SOC 2 | CC6.8 | Related |
| GDPR | Art.32 | Related |
| NIS2 | Art.21(2)(d) | Related |
Frequently Asked Questions
Should we allow BYOD or provide corporate devices?
What is EDR and do we need it?
AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.