ISO 27001 Control 8.1: User Endpoint Devices

Protecting Organisational Data on the Go

Introduction

User endpoint devices form a critical link in any organisation’s information security chain. Whether owned by the organisation or personally by employees (BYOD), they can access, store, and process sensitive data, making them a prime target for adversaries. By establishing robust policies and controls, organisations can significantly reduce the security risks introduced by the use of such devices.


Purpose

The primary objective of securing user endpoint devices is to protect information stored, processed, or accessed via these devices. This includes ensuring confidentiality, integrity, and availability, even when devices are used in potentially insecure environments.


Policy and Configuration

Topic-Specific Policy

  • Develop a clear, topic-specific policy covering configuration and handling of user endpoint devices.

  • Communicate this policy to all relevant personnel, ensuring that they understand both the requirements and their responsibilities.


Core Considerations

  1. Information Classification: Define what types of information (and classification levels) can be stored on or processed by each class of endpoint device.

  2. Device Registration: Register endpoint devices to maintain an inventory, track ownership, and manage lifecycle events.

  3. Physical Protection: Enforce measures to secure devices against theft or damage (e.g., locks, alarms, monitored lockers).

  4. Software Installation Restrictions: Implement controlled installation of applications, potentially using remote administrative capabilities.

  5. Software Updates: Configure automatic updates for operating systems and applications to address vulnerabilities promptly.

  6. Network Connections: Establish rules for connecting to internal systems, public networks, or any off-premises networks. Personal firewalls and VPN usage may be mandatory.

  7. Access Controls: Enforce strong authentication methods such as biometrics or multi-factor authentication.

  8. Encryption: Protect data at rest on user endpoint devices through encryption.

  9. Malware Protection: Ensure anti-malware solutions are in place and kept up to date.

  10. Remote Disabling: Enable the ability to remotely lock or wipe devices to protect sensitive data if a device is lost or stolen.

  11. Backups: Implement backup mechanisms for crucial data to prevent data loss.

  12. Web Services and Applications: Define acceptable usage policies for web-based services and applications.

  13. User Behaviour Analytics: Monitor user endpoints for suspicious or anomalous behaviour (see Section 8.16).

  14. Removable Storage: Control the use of removable media and consider disabling ports (e.g., USB) if not essential.

  15. Partitioning: Where feasible, separate organisational data from personal data through containerisation or partitioning.


Sensitive Information Considerations

In cases where highly sensitive information is handled, consider preventing data from being stored locally on the device. Technical safeguards may include:

  • Disabling local file downloads.

  • Blocking the use of removable storage.

  • Using virtual desktop or sandboxed environments.


User Responsibilities

All end users should understand and follow best practices for device security. This includes:

  1. Session Management: Log off or lock the device when not in use.

  2. Physical Security: Avoid leaving devices unattended or in unsecured public areas.

  3. Public Use Caution: Prevent shoulder surfing in crowded settings and use privacy screens if necessary.

  4. Incident Reporting: Follow organisational procedures if a device is lost, stolen, or compromised.


Personal Devices (BYOD)

Where personal devices are allowed:

  • Separation of Personal and Work Data: Use software tools to compartmentalise corporate data.

  • Acknowledgement of Organisational Rights: Mandate policies that enable remote wiping of corporate data if a device is lost, stolen, or an employee leaves the organisation.

  • Legal and Ownership: Provide clear guidelines on intellectual property rights and potential conflicts.

  • Software Licensing: Clarify licensing obligations for organisation-provided software installed on personal devices.


Wireless Connections

Organisations should establish procedures for:

  • Configuring wireless connectivity with secure protocols.

  • Limiting usage of risky public Wi-Fi and ensuring secure VPN tunnels when remote.

  • Allocating sufficient bandwidth for critical operations like backups and updates.


Key Concepts and Domains

  • Control Type: Preventive

  • Security Properties: Confidentiality, Integrity, Availability

  • Cybersecurity Concepts: Protection

  • Operational Capabilities: Asset Management, Information Protection


Conclusion

User endpoint devices are indispensable for modern workflows but also pose significant security challenges. By defining clear policies, implementing strong technical controls, and fostering user awareness, organisations can reduce risks and ensure that sensitive data remains protected—wherever it is accessed, stored, or processed.


About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.