Requirement
Requirement lens
This control asks whether information stored on, processed by, or accessible through user endpoint devices is protected.
“Information stored on, processed by or accessible via user end point devices shall be protected.”
Plain-language meaning
The organization should protect laptops, desktops, mobile phones, tablets, personal devices, and other endpoint devices that users rely on to access organizational information.
Endpoint protection is not just anti-malware. It includes device standards, patching, encryption, remote access, authentication, user training, backup decisions, loss/theft reporting, session locking, and rules for what may be stored locally.
Why this matters
User endpoint devices are one of the easiest paths into organizational information. They leave the building, connect to untrusted networks, store cached data, run user-installed software, and are often stolen or lost.
If a device is left logged in, stolen, infected, or connected insecurely, the result can be loss of confidentiality, integrity, and availability.
Implementation guidance
Implementer focus
Start with a device policy and inventory. Then enforce security baseline controls before allowing the device to access organizational information.
1. Define endpoint device policy
The policy should cover:
- permitted device types;
- organization-owned and personal/BYOD devices;
- minimum security baseline;
- patch and update requirements;
- malware protection where applicable;
- encryption requirements;
- screen lock and timeout;
- remote access and VPN requirements;
- local storage limits;
- cloud backup rules;
- loss/theft reporting;
- separation of personal and work data where needed;
- user training and awareness.
2. Require endpoint security baseline
Examples of baseline controls:
| Control area | Practical expectation |
|---|---|
| Patch management | Device receives security updates promptly |
| Malware protection | Current anti-malware/EDR where applicable |
| Encryption | Full-disk/device encryption for portable devices |
| Authentication | Strong user authentication and device authentication |
| Session locking | Auto-lock after risk-based timeout |
| Remote access | Approved VPN or secure access path |
| Management | MDM/endpoint management where applicable |
| Lost/stolen process | User knows who to notify and how fast |
3. Control remote connections
Remote access should authenticate both the authorized user and, where appropriate, the device. Users should know which wireless networks are acceptable and when VPN or another secure method is required.
4. Manage unattended sessions
Unattended logged-in devices are vulnerable to misuse. Screen locks, password-protected screensavers, and session timeouts should match the sensitivity of the system and operating environment.
5. Include BYOD risk
Personal devices may not be owned by the organization, but organizational information accessed through them remains in scope. BYOD should have clear enrollment, access, separation, support, and removal rules.
Audit guidance
Auditor focus
Confirm the organization knows which user endpoints access information and can prove baseline controls are implemented, not merely documented.
Auditors should verify:
- endpoint device inventory;
- user endpoint policy;
- training and awareness records;
- authorization for device use;
- device compliance evidence;
- patch/update status;
- malware protection or compensating rationale;
- encryption status;
- remote access configuration;
- local storage and cloud backup rules;
- session timeout and screen lock settings;
- BYOD controls;
- lost/stolen device response process.
Audit checks should include whether users can disable controls such as screen locks, and whether timeout periods are appropriate for high-risk locations such as remote work, travel, or shared spaces.
Evidence examples
Evidence quality
Strong evidence proves endpoint policy, inventory, compliance, technical enforcement, and user awareness.
| Evidence | What it proves |
|---|---|
| Endpoint policy/standard | Rules are defined |
| Endpoint inventory | Devices are known |
| MDM/endpoint compliance report | Baseline controls are enforced |
| Patch/EDR/encryption reports | Technical security is implemented |
| Remote access logs/configuration | Secure connection controls exist |
| Loss/theft procedure and records | Incidents can be handled |
| Training records | Users understand responsibilities |
| BYOD enrollment/removal records | Personal devices are controlled |
Strong evidence
- Device inventory includes organization-owned and BYOD endpoints.
- Endpoint compliance reports show patching, encryption, lock, and malware status.
- Remote access requires approved authentication and secure connection.
- Users are trained on loss/theft and secure network use.
- Local storage and cloud backup rules are defined.
- Screen lock timeout is enforced and risk-based.
Weak evidence
- Policy exists but no endpoint compliance evidence exists.
- BYOD is allowed informally.
- Users can disable screensavers or locks.
- Patch status is unknown.
- Lost/stolen process is not understood by users.
- Remote access relies only on password from unmanaged devices.
Common failures
Implementation watchouts
A.8.1 fails when endpoint access is granted before the device is known, managed, patched, encrypted, and monitored.
| Failure | Why it matters |
|---|---|
| Unmanaged BYOD | Organization data is accessed from uncontrolled devices |
| No device inventory | Scope and accountability are unclear |
| Weak session timeout | Unattended devices expose access |
| Patch gaps | Known vulnerabilities remain exploitable |
| No encryption | Lost/stolen devices become confidentiality incidents |
| Weak remote access | Stolen devices or credentials can be exploited |
| Users not trained | Loss/theft and unsafe networks are mishandled |
Exam traps
Exam focus
A.8.1 is broader than laptop encryption or anti-malware. It covers all information stored on, processed by, or accessible through user endpoint devices.
| Trap | Correct interpretation |
|---|---|
| Endpoint security means anti-malware only | It also includes patching, encryption, authentication, remote access, timeout, backup, storage, and user training |
| BYOD is out of scope | Organizational information accessed from BYOD remains in scope |
| VPN alone protects endpoint use | Device security, user authentication, storage, and loss/theft controls still matter |
| Screen timeout is only convenience | It prevents misuse of unattended logged-in sessions |
| Mobile devices are only physical assets | They are also technical access points into information systems |
Related controls and concepts
- A.8 Technological Controls MOC
- A.6.7 Remote Working
- A.7.8 Equipment Siting and Protection
- A.7.9 Security of Assets Off-Premises
- A.5.10 Acceptable Use of Information and Other Associated Assets
- A.5.15 Access Control
- A.5.16 Identity Management
- A.5.17 Authentication Information
- A.5.18 Access Rights
- Endpoint Device Security Standard
- Endpoint Device Inventory and Compliance Register
- Endpoint Loss or Theft Response Checklist
- Remote Access and Endpoint Connection Checklist
- A.8.1 Audit Evidence Pack
- A.8.1 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.1 protects information accessed through user endpoints. Good evidence shows known devices, enforced baseline controls, secure remote access, loss/theft response, and trained users.
- Define endpoint rules before granting access.
- Inventory organization-owned and BYOD endpoints.
- Enforce patching, encryption, malware protection, and screen lock where applicable.
- Secure remote connections and authenticate users/devices.
- Train users on loss/theft, untrusted networks, and local storage.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Endpoint security
- Remote working
- Audit
Note Metadata
Aliases: A.8.1, User End Point Devices, User Endpoint Devices
Source: 05 Annex A Technological Controls/A.8.1 User End Point Devices.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.7.8 - Equipment Siting and Protection
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.8.1 Audit Evidence Pack
- ISO 27001 A.8.5 - Secure Authentication
- ISO 27001 A.8.7 - Protection Against Malware
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.1 User End Point Devices
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-027 - Endpoint, Privileged Access, and Information Access Restriction
- ISO 27002 Annex A Control Interpretation Map
- A.8.1 Audit Checklist
- Endpoint Device Inventory and Compliance Register
- Endpoint Device Security Standard
- Endpoint Loss or Theft Response Checklist
- Malware Protection Standard
- Remote Access and Endpoint Connection Checklist
- Annex A Controls MOC