User Endpoint Devices - ISO 27001 Annex A Control

ISO 27001 Annex A 8.1

The laptop on a desk is where most security policies meet reality.

ISO 27001 Annex A 8.1 - User Endpoint Devices

User endpoint devices - laptops, desktops, mobile phones, tablets - are where most staff actually interact with information. They are also the most exposed assets in the estate. They travel, they connect to untrusted networks, they get lost or stolen, and they are a common initial point of compromise, whether through a phishing message, a malicious download or physical loss. The control asks for the information stored on, processed by or reachable from these devices to be protected through technical configuration, monitoring and user behaviour.

Baseline technical controls include full disk encryption, automatic patching, anti-malware, screen lock with a short idle timeout, and management through a central tool that lets the organisation enforce policy and respond to incidents. Mobile device management for phones and tablets brings the same protections to those devices. Each control covers a different scenario: full disk encryption protects a device that is lost while powered off, the screen lock covers one that is left running and unattended, and remote wipe through the management tool closes the gap when a device cannot be recovered. Together they address the most common loss and theft cases.

Beyond the device itself, the control covers what staff can do with it - what they can install, what networks they can connect to, what data they can copy off, and what they should do if it is lost or compromised. The endpoint policy should set these expectations and the technical controls should enforce them where practical.

Endpoint management is one of the highest-leverage investments in information security. A central tool that pushes patches, enforces encryption, controls software installation and provides remote wipe protects every device the same way without relying on each user to remember the rules.

The audit looks at consistency - whether the technical baseline is actually applied to every device or whether exceptions have grown over time. A policy that requires encryption is no protection if a sample of devices turns out to be unencrypted. The endpoint management tool's reporting is usually the cleanest evidence, with one caveat: a device that was never enrolled is invisible to the tool, so the report should be reconciled against the list of issued devices before it is treated as complete.
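The consistency check described above can be made repeatable rather than relying on spot checks. The following is an added example, not code from the original page or from any alphaZ toolkit document: it takes an export from an endpoint-management tool, applies the baseline in the previous paragraphs (encryption, patch age, anti-malware currency, idle lock, enrolment) and lists every device that fails any check. The CSV layout, the field names, the thresholds and the sample rows are all assumptions made for illustration; map them onto whatever your MDM or endpoint tool actually exports. A blank or unrecognised field is deliberately treated as a failure, since "status unknown" is not evidence of conformance.

```python
"""Endpoint baseline conformance check over an endpoint-management export.

Added example, not code from the original page or from any alphaZ toolkit
document. The CSV layout, field names and thresholds are assumptions made for
illustration; map them onto whatever your MDM or endpoint tool exports.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, datetime

# Baseline thresholds (assumed values; align them with your endpoint policy).
MAX_PATCH_AGE_DAYS = 14        # last successful patch run no older than this
MAX_AV_SIGNATURE_AGE_DAYS = 3  # anti-malware definitions no older than this
MAX_IDLE_LOCK_SECONDS = 600    # screen lock must trigger within 10 minutes idle

# Fixed "as of" date so the sample run is reproducible (assumption).
AS_OF = date(2024, 5, 12)

# Constructed sample export, one row per device. Not real data.
# LT-0007 has a blank encryption field: an unknown status is a failure,
# because an auditor cannot accept "we don't know" as evidence.
SAMPLE_EXPORT = """\
device_id,owner,platform,disk_encrypted,last_patch,av_signature_date,idle_lock_seconds,managed
LT-0001,alice,windows,true,2024-05-10,2024-05-11,300,true
LT-0002,bob,macos,false,2024-05-09,2024-05-11,300,true
LT-0003,carol,windows,true,2024-03-01,2024-05-11,300,true
LT-0004,dave,windows,true,2024-05-10,2024-05-11,1800,true
MB-0005,erin,ios,true,2024-05-10,2024-05-11,120,false
LT-0006,frank,linux,true,2024-05-10,2024-04-20,300,true
LT-0007,grace,windows,,2024-05-10,2024-05-11,300,true
LT-0008,heidi,macos,true,2024-05-11,2024-05-12,600,true
"""


@dataclass
class Finding:
    device_id: str
    owner: str
    failed: list[str] = field(default_factory=list)


def parse_bool(value):
    """Map an exported flag to True/False, or None when blank or unrecognised."""
    v = (value or "").strip().lower()
    if v in ("true", "yes", "1"):
        return True
    if v in ("false", "no", "0"):
        return False
    return None


def days_since(value, today: date):
    """Age in days of an ISO date field, or None when blank or malformed."""
    try:
        return (today - datetime.strptime(value.strip(), "%Y-%m-%d").date()).days
    except (ValueError, AttributeError):
        return None


def check_device(row: dict, today: date) -> Finding:
    """Apply every baseline check to one device row; each failure is recorded."""
    f = Finding(row["device_id"], row["owner"])

    if parse_bool(row.get("managed")) is not True:
        f.failed.append("not enrolled in central management")

    enc = parse_bool(row.get("disk_encrypted"))
    if enc is None:
        f.failed.append("disk encryption status unknown")
    elif enc is False:
        f.failed.append("disk not encrypted")

    patch_age = days_since(row.get("last_patch"), today)
    if patch_age is None or patch_age > MAX_PATCH_AGE_DAYS:
        f.failed.append(f"last patch {patch_age} days ago (limit {MAX_PATCH_AGE_DAYS})")

    av_age = days_since(row.get("av_signature_date"), today)
    if av_age is None or av_age > MAX_AV_SIGNATURE_AGE_DAYS:
        f.failed.append(f"anti-malware signatures {av_age} days old (limit {MAX_AV_SIGNATURE_AGE_DAYS})")

    try:
        idle = int(row.get("idle_lock_seconds", ""))
    except ValueError:
        idle = None
    if idle is None or idle > MAX_IDLE_LOCK_SECONDS:
        f.failed.append(f"idle lock {idle}s (limit {MAX_IDLE_LOCK_SECONDS}s)")
    return f


def audit(export_text: str, today: date):
    """Return (exceptions, summary): non-conforming devices plus headline counts."""
    findings = [check_device(r, today) for r in csv.DictReader(io.StringIO(export_text))]
    exceptions = [f for f in findings if f.failed]
    summary = {
        "devices": len(findings),
        "conforming": len(findings) - len(exceptions),
        "exceptions": len(exceptions),
    }
    return exceptions, summary


def run_sample():
    """Audit the constructed export as of AS_OF."""
    return audit(SAMPLE_EXPORT, AS_OF)


if __name__ == "__main__":
    exceptions, summary = run_sample()
    print(summary)
    for f in exceptions:
        print(f"{f.device_id} ({f.owner}): " + "; ".join(f.failed))
```

The exceptions list is the audit artefact: each entry names the device, the owner and the specific check it failed, which is what an auditor sampling against the policy will ask for. Run it against the full export rather than a sample, and reconcile the set of device identifiers in the export against the equipment register so that devices missing from the tool's reporting are caught as well.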

Practical Compliance Guidance

Endpoint protection is described in the IMS1 manual at section 8.3 on IT equipment alongside the wider information security arrangements. The equipment register tracks issued devices.

alphaZ document: ISO 27001 Toolkit
How to use it: The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

What should the technical baseline for endpoint devices include?
Encryption at rest, automatic patching, current anti-malware, screen lock with a short idle timeout, and central management with the ability to enforce policy and remote wipe. The exact baseline should match the sensitivity of the data accessed and any sector-specific requirements.

Can staff use their own devices for work?
Bring-your-own-device arrangements are workable but need additional controls - typically a managed work container on the personal device, defined separation of work and personal data, clarity on what the organisation can wipe, and acceptance from the user of the management implications. The policy should set out the position before personal devices are used.

How is software installation on endpoints controlled?
Through a combination of technical controls (admin rights restricted, application allowlisting where appropriate, management tools that distribute approved software) and policy (acceptable use rules, a request process for additional software). The controls should match the operational pattern - heavy-handed restrictions can drive workarounds.
