Annex A 8.1 (ISO/IEC 27001:2022)

Protection of User Endpoint Devices

Ensure all laptops, mobiles, and tablets are secure to protect stored information.


Plain language

This control is all about keeping your devices like laptops, phones, and tablets secure. If they're not protected, sensitive information could be lost or stolen, potentially harming your organisation's reputation and finances. It's like locking the doors to your house to keep your belongings safe.

Framework

ISO/IEC 27001:2022

Control effect

Preventative

ISO 27001 domain

Technological controls

Classifications

N/A

Official last update

24 Oct 2022

Control Stack last updated

19 May 2026

Maturity levels

N/A

Official control statement

Information stored on, processed by or accessible via user end point devices shall be protected.
Source: ISO/IEC 27001:2022, Annex A 8.1

Why it matters

A user endpoint device that is compromised, lost or stolen gives an attacker the data stored on it and, through cached credentials and sessions, the systems and services it can reach. The result is a data breach and, for the organisation, financial and reputational loss.


Operational notes

Use full-disk encryption (with recovery keys escrowed centrally, never kept on the device), prompt OS and application patching, EDR/anti-malware with active monitoring, and device hardening (screen lock, MDM enrolment, least privilege for the everyday user account) on every laptop, phone and tablet. Enforce and verify these settings from the management platform rather than relying on users to configure them, and treat a device that has not reported in as non-compliant, not as unknown.
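As an added example (not code from this page or from Mindset Cyber), the script below evaluates an endpoint inventory export against the baseline in the operational notes and rolls the results up into the kind of compliance metric a reporting cycle needs. The record layout, field names, thresholds and the four sample devices are all assumed or constructed; map them onto whatever your MDM/EDR tooling actually exports. Note the failure-closed handling: a device with a missing encryption field, or one that has stopped checking in, is reported as non-compliant rather than silently passing.

```python
"""Evaluate an endpoint inventory export against an Annex A 8.1 baseline.

Added example, not code from the page or from Mindset Cyber. Record layout,
field names, thresholds and sample devices are assumed/constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Policy thresholds (assumed values; take them from your own endpoint policy).
MAX_PATCH_AGE_DAYS = 14        # OS/app updates applied within 14 days
MAX_CHECKIN_AGE_DAYS = 7       # silent for longer => inventory data is untrusted
MAX_SCREEN_LOCK_SECONDS = 600  # auto-lock within 10 minutes of inactivity
AS_OF = date(2026, 5, 19)      # evaluation date for the constructed sample

@dataclass
class Finding:
    device_id: str
    failures: list[str]

    @property
    def compliant(self) -> bool:
        return not self.failures

def _days_since(iso_date, as_of: date) -> int | None:
    """Age in days of an ISO-8601 date string; None if absent or unparseable."""
    if not iso_date:
        return None
    try:
        return (as_of - date.fromisoformat(iso_date)).days
    except ValueError:
        return None

def evaluate_device(rec: dict, as_of: date) -> Finding:
    """Apply the baseline to one record. Missing or unparseable data fails the
    check rather than passing it: an endpoint of unknown state is unprotected."""
    f: list[str] = []
    checkin_age = _days_since(rec.get("last_checkin"), as_of)
    if checkin_age is None or checkin_age > MAX_CHECKIN_AGE_DAYS:
        f.append("stale inventory: no check-in within %d days" % MAX_CHECKIN_AGE_DAYS)
    if rec.get("disk_encryption") is not True:
        f.append("full-disk encryption not confirmed enabled")
    patch_age = _days_since(rec.get("last_os_patch"), as_of)
    if patch_age is None or patch_age > MAX_PATCH_AGE_DAYS:
        f.append("OS patching overdue (> %d days)" % MAX_PATCH_AGE_DAYS)
    edr = rec.get("edr") or {}
    edr_seen = _days_since(edr.get("last_seen"), as_of)
    if not edr.get("installed") or edr_seen is None or edr_seen > MAX_CHECKIN_AGE_DAYS:
        f.append("EDR agent missing or not reporting")
    lock = rec.get("screen_lock_seconds")  # 0 or absent means no auto-lock; bool is not a timeout
    if not isinstance(lock, int) or isinstance(lock, bool) or lock <= 0 or lock > MAX_SCREEN_LOCK_SECONDS:
        f.append("screen lock disabled or timeout over %ds" % MAX_SCREEN_LOCK_SECONDS)
    if rec.get("mdm_enrolled") is not True:
        f.append("not enrolled in MDM")
    if rec.get("user_is_admin"):
        f.append("primary user holds local administrator rights")
    return Finding(rec.get("device_id", "<unknown>"), f)

def summarise(findings: list[Finding]) -> dict:
    """Roll-up metrics of the kind a periodic compliance report would carry."""
    by_reason: dict[str, int] = {}
    for fd in findings:
        for reason in fd.failures:
            by_reason[reason] = by_reason.get(reason, 0) + 1
    total, ok = len(findings), sum(1 for fd in findings if fd.compliant)
    return {"total": total, "compliant": ok,
            "compliance_rate": round(ok / total, 3) if total else 0.0,
            "failures_by_reason": by_reason}

# Constructed sample export (not real devices): one compliant laptop, one with
# FDE off and an admin user, one that has gone silent, one missing most controls.
SAMPLE_INVENTORY = [
    {"device_id": "LT-0001", "last_checkin": "2026-05-18", "disk_encryption": True,
     "last_os_patch": "2026-05-10", "edr": {"installed": True, "last_seen": "2026-05-18"},
     "screen_lock_seconds": 300, "mdm_enrolled": True, "user_is_admin": False},
    {"device_id": "LT-0002", "last_checkin": "2026-05-19", "disk_encryption": False,
     "last_os_patch": "2026-05-15", "edr": {"installed": True, "last_seen": "2026-05-19"},
     "screen_lock_seconds": 300, "mdm_enrolled": True, "user_is_admin": True},
    {"device_id": "MB-0003", "last_checkin": "2026-04-01", "disk_encryption": True,
     "last_os_patch": "2026-03-30", "edr": {"installed": True, "last_seen": "2026-04-01"},
     "screen_lock_seconds": 120, "mdm_enrolled": True, "user_is_admin": False},
    {"device_id": "LT-0004", "last_checkin": "2026-05-19",  # no encryption field at all
     "last_os_patch": "2026-04-10", "edr": {"installed": False},
     "screen_lock_seconds": 0, "mdm_enrolled": False, "user_is_admin": False},
]

def run_sample() -> list[Finding]:
    return [evaluate_device(r, AS_OF) for r in SAMPLE_INVENTORY]

if __name__ == "__main__":
    results = run_sample()
    for fd in results:
        print(fd.device_id, "COMPLIANT" if fd.compliant else "NON-COMPLIANT", fd.failures)
    print(summarise(results))
```

Feed the real export in place of `SAMPLE_INVENTORY` and the `failures_by_reason` counts give the per-control gap figures for the board report, while the per-device list is the remediation queue for the IT team.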


Implementation tips

  • The IT manager should develop a policy for securing all user devices. This policy should define how devices like laptops and smartphones should be configured and used. It should include rules on how software updates are managed and what security features must be enabled.
  • HR should ensure that all employees receive training on this policy. This can be done through initial onboarding sessions and regular refreshers. Use real-life scenarios to make the importance of these policies clear and relatable.
  • The IT manager should implement tools that enforce these security settings automatically, typically a mobile device management (MDM) or configuration management platform that pushes device configurations and updates remotely and reports on devices that drift from the baseline. Ensure these tools, and the device data they collect, are handled in line with Australian regulations such as the Privacy Act 1988.
  • Procurement should ensure new devices comply with the security policy before purchase. This means checking that devices support required security features like encryption and remote locking. This can be confirmed through vendor specifications and certifications.
  • The board should regularly review reports from the IT team to ensure devices remain compliant. This involves setting up regular reporting cycles and reviewing compliance metrics. Hold discussions on any issues or risks highlighted in these reports.

Audit / evidence tips

  • Ask: Request the organisation's policy on user endpoint device security. Good: The policy is comprehensive, up to date, and communicated across the organisation.
  • Ask: Request evidence of training programs on securing user devices. Good: Training is regularly updated and mandatory for all employees, with high participation rates.
  • Ask: Request records of the device configuration management tools in use. Good: The tools enforce the baseline on all devices and report those that are non-compliant against current security standards.
  • Ask: Request documentation on device procurement procedures. Good: There is evidence that security features are verified before new devices are approved for use.
  • Ask: Request recent compliance reports or dashboards presented to the board. Good: Reports show ongoing compliance with security policies and proactive risk management.

Cross-framework mappings

How Annex A 8.1 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

Essential Eight (E8)

Control  Notes
Partially meets (1)
E8-RA-ML3.6  requires a specific endpoint hardening measure: enabling Credential Guard for secure credential storage
Supports (1)
E8-AH-ML2.5  requires a Microsoft Office endpoint configuration to prevent activation of OLE packages

ASD ISM

Control  Notes
Partially meets (22)
ISM-0345  requires a specific endpoint protection measure: disabling external interfaces that allow DMA to block a direct memory access at...
ISM-0591  requires organisations to use evaluated peripheral switches when sharing peripherals between systems to prevent security breache...
ISM-0682  requires Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices to reduce proximity-based compromise and...
ISM-0687  requires ASD-approved mobile platforms for accessing SECRET or TOP SECRET systems or data, with operation aligned to the applica...
ISM-0864  requires mobile devices to prevent personnel from disabling or modifying provisioned security functionality
ISM-0866  requires users to avoid viewing sensitive or classified information on mobile devices in public unless they can minimise the ris...
ISM-0871  requires mobile devices to be kept under continual direct supervision when they are being actively used to reduce loss or theft
ISM-1082  requires the organisation to develop, implement and maintain a mobile device usage policy that governs how mobile devices are used
ISM-1084  addresses physical protection during transport by mandating approved security bags when a mobile device cannot otherwise be secured
ISM-1198  requires Bluetooth pairing on non-classified, OFFICIAL: Sensitive and PROTECTED mobile devices to be performed so connections ar...
ISM-1199  requires Bluetooth pairings to be removed from non-classified, OFFICIAL: Sensitive and PROTECTED mobile devices when they are no...
ISM-1400  requires organisations to enforce separation of classified work data from personal data on privately-owned endpoint devices used...
ISM-1482  requires enforced separation of classified data from personal data on organisation-owned mobile devices and desktop computers
ISM-1533  requires the organisation to develop, implement and maintain a mobile device management (MDM) policy
ISM-1554  requires heightened protection for user endpoint devices during overseas travel to high or extreme risk countries by using newly...
ISM-1686  requires enabling Credential Guard as a specific technical control to protect user credentials from unauthorised access on Windo...
ISM-1866  requires personnel on privately-owned mobile devices or desktop computers to be prevented from storing classified data locally
ISM-1868  requires that SECRET and TOP SECRET mobile devices do not use removable media unless ASD approval is obtained beforehand
ISM-1886  requires mobile devices to be configured to operate in supervised (or equivalent) mode to enforce stronger device management and...
ISM-1888  focuses on one specific endpoint protection measure: enforcing secure lock screens on mobile devices
ISM-1896  requires enabling memory integrity functionality as a specific technical safeguard to protect credentials from memory-based atta...
ISM-1898  requires a specific endpoint type (Secure Admin Workstations) to be used for administrative activities to protect privileged act...
Partially overlaps (1)
ISM-0161  requires physical security for unused IT equipment and media to prevent unauthorised access
Supports (3)
ISM-1080  requires use of ASD-approved/high assurance algorithms when encrypting media to protect data at rest from unauthorised access
ISM-1450  reduces the risk of unauthorised capture or exfiltration of sensitive discussions and visuals by preventing microphones and webc...
ISM-2097  requires mobile devices to use always-on VPN functionality to reduce exposure of data accessed or transmitted by the device
Related (10)
ISM-0869  Annex A 8.1 requires protection of information stored on and accessible via user endpoint devices
ISM-0870  Annex A 8.1 requires organisations to protect information stored on or accessible via endpoint devices
ISM-0874  Annex A 8.1 requires organisations to protect information accessible via endpoint devices such as laptops and mobiles
ISM-1059  Annex A 8.1 requires organisations to protect information stored on, processed by, or accessible via user endpoint devices
ISM-1195  Annex A 8.1 requires protection of information on user endpoint devices, which commonly relies on consistent configuration and policy enf...
ISM-1196  Annex A 8.1 requires protection of information accessible via user endpoint devices, including mobiles and tablets
ISM-1200  Annex A 8.1 requires protecting information accessible via endpoint devices, including reducing the risk of unauthorised access through l...
ISM-1341  Annex A 8.1 requires protecting information stored on or accessible via endpoint devices, including detecting and preventing malicious ac...
ISM-1867  Annex A 8.1 requires organisations to protect information stored on, processed by, or accessible via endpoint devices
ISM-1887  Annex A 8.1 requires protecting information stored on and accessible via endpoint devices, particularly against loss or theft

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.


Want to implement this control?

Mindset Cyber runs PECB-accredited ISO/IEC 27001 training that maps directly to the controls in this library.
