To protect information against the risk of loss or accidental exposure, ISO27001 requires us to implement security measures on endpoint devices. Examples include:
Laptops
Desktops
Tablets
Smartphones
Hubs
Servers
USB drives
CCTV
Cameras
Printers
Although most people will think of endpoint devices as mobile devices, keep in mind that the term refers to any device which, as the name suggests, sits on the edge of your infrastructure.
What does the standard require?
The standard states that “Information stored on, processed by or accessible via user endpoint devices shall be protected.” (A8.1 – User endpoint devices.)
Why is this required?
Many years ago, data lived safely within office buildings and secure server rooms, which were tightly controlled. To some extent this is still true, but with the proliferation of mobile and digital devices the attack surface has grown exponentially. Add to this the fact that remote working is now the norm, and we find ourselves in a world where the devices we hold in our hands are often the points of access into our corporate world.
Without safeguards and protection on these endpoint devices we run the risk of data loss due to accidental or deliberate actions carried out by the user.
One only needs to think about how many mobile devices are lost or stolen to know that the data on them is at risk, and with it the organisation is at risk of reputational damage and regulatory fines.
What the auditor is looking for
The ISO27001 auditor will look for evidence of both technical and organisational security measures, which could include the following:
Asset Register (A5.9 - Inventory of information and other associated assets)
Acceptable Use Policy (A5.10 - Acceptable use of information and other associated assets)
Access Control Policy (A5.15 – Access Control)
Access Rights (A5.18 – Access Rights)
Encryption is enabled.
2-Factor Authentication (2FA) enabled on applications and systems.
Malware and anti-virus software installed and managed.
Mobile Device Management (MDM) software.
Endpoint Detection and Response (EDR) software.
Clear Screen and Clear Desk Policy (A7.7 - Clear desk and clear screen)
Awareness, education and training (e.g. A7.9 - Security of assets off-premises)
Procedures to deal with end-of-life equipment.
Incident Logs.
What do you need to do?
There are a couple of key steps to take in relation to this ISO27001 control, and the first is to establish the risk you’re facing. If you haven’t already, review your physical assets so that you understand what end-point devices there are. This will be part of the asset discovery process you carry out when you build your inventory of assets (A5.9 - Inventory of information and other associated assets).
Identify any risks you face, log these on your risk register, and identify what controls you need to implement to manage the risk. For example, you might look to implement an MDM solution, malware protection, or patch management process.
The next critical step is to ensure your policies reflect your drive to manage end-point devices. For example, you might include in your Acceptable Use Policy, which you developed as part of Annex A control (A5.10 - Acceptable use of information and other associated assets), how to handle mobile devices.
Access Control Policies (A5.15 – Access Control), and Clear desk and screen policies (A7.7 - Clear desk and clear screen) should also refer to end-point devices.
We would suggest these are the minimum requirements, but the risk assessment is of critical importance, as it is what determines which controls you need to implement for each individual end-point device.
Q & A
How do we treat personal devices?
This depends on your company policy on the use of ‘Bring Your Own Device’ (BYOD). Is this acceptable? If so, then you need to include something within your Acceptable Use Policy (A5.10 - Acceptable use of information and other associated assets) and state what you expect. For example, you can permit the use of BYOD, but you need to provide a list of conditions and expectations. These may include keeping the device up to date, installing malware protection, and enabling encryption. You might also include the fact that you may audit the device, or install remote monitoring, or Mobile Device Management (MDM) software.
ISO27001 is a risk based management system, so you need to evaluate the risk to your business and develop an appropriate response and controls based upon that.
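As a worked illustration of the steps above (review the asset inventory, identify the gaps, log them on the risk register with a treatment) and of the BYOD conditions in the answer just given, here is an added example that is not from the original article or from any ISO27001 tool. The asset register records, the set of controls required per device class, the 30-day patch window and the severity rules are all assumptions constructed for the example; your own risk assessment decides what applies to you.

```python
"""Gap analysis: check an endpoint asset register (A5.9) against the controls
chosen for A8.1, and emit rows ready for the risk register.

Everything below is constructed for illustration: the device records are
hypothetical, and the per-device-class control set is an example of what a
risk assessment might decide, not a requirement of the standard.
"""
from dataclasses import dataclass

# Constructed sample asset register. 'days_since_patch' is the age of the
# newest installed update; 'byod' marks a personally owned device.
ASSET_REGISTER = [
    {"asset_id": "LAP-001", "type": "laptop", "owner": "alice", "byod": False,
     "disk_encrypted": True, "mdm_enrolled": True, "edr_installed": True,
     "mfa_enforced": True, "days_since_patch": 5},
    {"asset_id": "PHN-014", "type": "smartphone", "owner": "bob", "byod": True,
     "disk_encrypted": True, "mdm_enrolled": False, "edr_installed": False,
     "mfa_enforced": True, "days_since_patch": 60},
    {"asset_id": "USB-007", "type": "usb_drive", "owner": "carol", "byod": False,
     "disk_encrypted": False},
    {"asset_id": "PRN-002", "type": "printer", "owner": "facilities", "byod": False,
     "days_since_patch": 10},
    {"asset_id": "CAM-003", "type": "cctv", "owner": "facilities", "byod": False},
]

# Assumed outcome of the risk assessment: which controls each device class needs.
REQUIRED_CONTROLS = {
    "laptop":     {"disk_encrypted", "mdm_enrolled", "edr_installed", "mfa_enforced", "patched"},
    "desktop":    {"disk_encrypted", "edr_installed", "mfa_enforced", "patched"},
    "smartphone": {"disk_encrypted", "mdm_enrolled", "mfa_enforced", "patched"},
    "tablet":     {"disk_encrypted", "mdm_enrolled", "mfa_enforced", "patched"},
    "usb_drive":  {"disk_encrypted"},
    "printer":    {"patched"},
}
PATCH_WINDOW_DAYS = 30  # assumed patch-management target
PORTABLE = {"laptop", "smartphone", "tablet", "usb_drive"}  # easily lost or stolen

# Treatment text to record against each gap on the risk register.
TREATMENT = {
    "disk_encrypted": "Enable full-disk encryption; enforce via MDM baseline",
    "mdm_enrolled":   "Enrol device in MDM (condition of use under the AUP)",
    "edr_installed":  "Deploy managed EDR/anti-malware agent",
    "mfa_enforced":   "Require 2FA for corporate applications on this device",
    "patched":        f"Bring device within the {PATCH_WINDOW_DAYS}-day patch window",
    "classification": "Device type not covered by the risk assessment; classify and assign controls",
}


@dataclass(frozen=True)
class Finding:
    asset_id: str
    control: str
    severity: str
    treatment: str


def control_satisfied(asset: dict, control: str) -> bool:
    """'patched' is derived from the patch age; other controls are boolean fields."""
    if control == "patched":
        return asset.get("days_since_patch", 10**9) <= PATCH_WINDOW_DAYS
    return bool(asset.get(control, False))


def severity_for(asset: dict, control: str) -> str:
    """Rank the gap: unencrypted portable storage and unmanaged BYOD are the
    loss/theft scenarios the article warns about, so they rate 'high'."""
    if control == "disk_encrypted" and asset["type"] in PORTABLE:
        return "high"
    if control == "mdm_enrolled" and asset.get("byod"):
        return "high"
    return "medium"


def assess(register: list[dict]) -> list[Finding]:
    """Return one Finding per missing control, in a stable order."""
    findings = []
    for asset in register:
        required = REQUIRED_CONTROLS.get(asset["type"])
        if required is None:  # inventory knows the device, risk assessment does not
            findings.append(Finding(asset["asset_id"], "classification", "medium",
                                    TREATMENT["classification"]))
            continue
        for control in sorted(required):
            if not control_satisfied(asset, control):
                findings.append(Finding(asset["asset_id"], control,
                                        severity_for(asset, control), TREATMENT[control]))
    return findings


def severity_summary(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def risk_register_rows(findings: list[Finding]) -> list[str]:
    """CSV-style rows: asset, control gap, severity, proposed treatment."""
    return [f"{f.asset_id},{f.control},{f.severity},{f.treatment}" for f in findings]


if __name__ == "__main__":
    results = assess(ASSET_REGISTER)
    print("asset_id,control,severity,treatment")
    for row in risk_register_rows(results):
        print(row)
    print(severity_summary(results))
```

Run stand-alone, the script prints one risk-register row per gap: the fully managed laptop produces nothing, the BYOD phone shows up for missing MDM enrolment and an overdue patch, the unencrypted USB drive is the highest-rated item, and the CCTV unit is flagged because the inventory knows about it but no control set has been assigned. That last case is the point of doing asset discovery before the risk assessment.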
Difficulty rating
We rate this control 3 out of 5 for difficulty. Depending upon your risk profile and the kinds of end-point devices you use, this ISO27001 control can be quite simple or quite complex. The control itself isn’t very technical, but it requires a careful evaluation of the security controls available on a variety of end-point devices, so it can quickly become technical. For example, evaluating the MDM and EDR solutions on the market can get quite involved, and only after careful consideration will you know which is the best fit for you.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.