Annex A · Technological Control

A.8.1 — User Endpoint Devices

Updated on · 5 min · Reviewed by: Cenedril Editorial
A.8.1 · ISO 27001 · ISO 27002 · BSI SYS.2.1

A field sales representative opens their laptop on a train — no privacy screen. In the cafe next door, a colleague logs into the CRM over an open Wi-Fi network. At home, an intern uses a personal tablet for project work without anyone knowing which apps are installed. A.8.1 addresses exactly these everyday risks: the control requires clear rules for every device that processes corporate data.

Whether it is a company-issued laptop, a work smartphone or a personal tablet under BYOD — every endpoint is a potential attack vector. The control demands a documented policy covering registration, configuration, usage and disposal.

What does the standard require?

  • Create an endpoint policy. A documented policy must exist for all device types (corporate and personal), covering registration, configuration, usage and protective measures.
  • Physical and technical safeguards. Devices must be secured against theft and unauthorized access — through screen lock, disk encryption, malware protection and restrictive software installation.
  • Define user responsibilities. Employees must know that they are expected to lock devices, protect them from unauthorized access and exercise special caution in public places.
  • BYOD rules. Where personal devices are permitted, work and personal data must be separated, remote wipe must be possible and additional safeguards must be contractually agreed.
  • Secure network connections. Wireless connections must be secured and backup procedures for endpoints must be defined.

In practice

Maintain device registration and inventory. Every endpoint that processes corporate data is recorded in an asset register — with serial number, assigned person, installed operating system and security status. Without this inventory, meaningful control is impossible.

Define and enforce a security baseline. A baseline specifies: disk encryption active, OS updates applied within 14 days, malware protection active, screen lock after 5 minutes. This baseline is enforced and monitored automatically through an MDM or endpoint management tool.

Establish a loss and theft process. What happens when a device goes missing? The answer must be documented: report to IT, trigger remote wipe, reset passwords for all affected accounts, notify the ISO. Without a defined process, days often pass between loss and response.

Handle decommissioning securely. Before a device is returned to the manufacturer, resold or disposed of, all data must be securely erased. A factory reset is sufficient for encrypted devices — provided encryption was active from the start.

Typical audit evidence

Auditors typically expect the following evidence for A.8.1:

  • Endpoint policy — documented rules for configuration, usage and BYOD (see Endpoint Security Policy in the Starter Kit)
  • Device inventory — complete list of all registered endpoints with assignments and security status
  • MDM dashboard or compliance report — evidence of baseline adherence
  • Loss and theft reports — documented incidents with response evidence
  • BYOD agreements — signed usage agreements for personal devices

KPI

Percentage of endpoints compliant with the endpoint security baseline

Measured as a percentage: how many of your registered endpoints meet all requirements of the defined security baseline? Target: 95-100%. Devices that fail the baseline should be automatically blocked from the corporate network or quarantined.

Supplementary KPIs:

  • Percentage of devices running a current OS version (target: above 90%)
  • Mean time between loss report and remote wipe (target: under 4 hours)
  • Percentage of BYOD devices with an active MDM profile
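As an added illustration (not code from the page or from Cenedril), the following Python check evaluates a constructed asset register against the baseline from the "In practice" section and computes the KPIs listed above; the Endpoint fields, the BASELINE predicate names, the sample devices and the loss log are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
MAX_PATCH_AGE = timedelta(days=14)   # OS updates applied within 14 days
MAX_LOCK_MINUTES = 5                 # screen lock after 5 minutes

@dataclass
class Endpoint:                 # one asset-register row: serial, assigned person, OS, security status
    serial: str
    owner: str
    os_version: str
    last_os_update: datetime
    disk_encrypted: bool
    malware_protection: bool
    screen_lock_minutes: int    # 0 = no automatic lock configured
    byod: bool = False
    mdm_profile: bool = True

BASELINE = [  # each requirement is a named predicate; a device is compliant only if all hold
    ("disk_encryption", lambda ep, now: ep.disk_encrypted),
    ("malware_protection", lambda ep, now: ep.malware_protection),
    ("screen_lock", lambda ep, now: 0 < ep.screen_lock_minutes <= MAX_LOCK_MINUTES),
    ("os_patch_age", lambda ep, now: now - ep.last_os_update <= MAX_PATCH_AGE),
    ("byod_mdm_profile", lambda ep, now: ep.mdm_profile or not ep.byod),  # no profile, no remote wipe
]

def baseline_failures(ep, now):
    """Names of the baseline requirements this endpoint fails; an empty list means compliant."""
    return [name for name, ok in BASELINE if not ok(ep, now)]

def compliance_kpis(endpoints, loss_events, now):
    """The page's KPIs; loss_events are (reported_at, wiped_at) pairs. Failing serials are listed for quarantine."""
    pct = lambda part, whole: round(100 * len(part) / len(whole), 1) if whole else 0.0
    failing = {ep.serial: baseline_failures(ep, now) for ep in endpoints}
    byod = [ep for ep in endpoints if ep.byod]
    hours = [(wiped - reported).total_seconds() / 3600 for reported, wiped in loss_events]
    return {
        "baseline_compliant_pct": pct([s for s, f in failing.items() if not f], endpoints),
        "byod_mdm_pct": pct([ep for ep in byod if ep.mdm_profile], byod),
        "mean_hours_to_wipe": round(sum(hours) / len(hours), 1) if hours else None,
        "quarantine": sorted(s for s, f in failing.items() if f),
    }

# Constructed sample inventory and loss log (not real devices or incidents)
NOW = datetime(2024, 6, 1, 12, 0)
SAMPLE = [
    Endpoint("LT-001", "a.meier", "14.4", NOW - timedelta(days=3), True, True, 5),
    Endpoint("LT-002", "b.huber", "10.0.19044", NOW - timedelta(days=20), True, True, 15),
    Endpoint("TB-003", "intern", "17.4", NOW - timedelta(days=1), True, True, 2, byod=True, mdm_profile=False),
    Endpoint("PH-004", "c.roth", "17.4", NOW - timedelta(days=5), True, True, 5, byod=True),
]
LOSSES = [(datetime(2024, 5, 20, 9, 0), datetime(2024, 5, 20, 11, 30)), (datetime(2024, 5, 28, 17, 0), datetime(2024, 5, 28, 18, 30))]
```

Calling compliance_kpis(SAMPLE, LOSSES, NOW) yields the KPI dictionary; replacing SAMPLE with an export of your MDM compliance report gives the figure an auditor would ask for.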

BSI IT-Grundschutz

A.8.1 maps to several BSI modules that address endpoints from different perspectives:

  • SYS.2.1 (General Client) — the core module for workstations. Requires hardening, patch management, malware protection and user policies.
  • SYS.3.1 (Laptop) — additional requirements for mobile devices: disk encryption, theft protection, secure configuration for field use.
  • SYS.3.2.1–SYS.3.2.4 (Smartphones and Tablets) — platform-specific requirements for iOS, Android and other mobile operating systems.
  • SYS.3.3 (Mobile Phones) — baseline requirements for classic mobile phones.
  • INF.9 (Mobile Workplace) — physical security at the mobile workplace: privacy screens, secure storage, behaviour in public spaces.

Frequently asked questions

What counts as a user endpoint device under A.8.1?

Laptops, desktops, tablets, smartphones and any device that stores, processes or accesses corporate data. This includes personal devices used for work under a BYOD arrangement.

Do we have to explicitly allow or prohibit BYOD?

ISO 27001 does not prescribe a specific decision, but it requires a documented policy. If BYOD is permitted, additional measures must be defined — such as data separation, mobile device management and remote wipe capability.

How often should endpoints be checked for compliance?

Best practice is automated, continuous checking through an MDM or endpoint management tool. At minimum, a manual sample check should occur quarterly. After every major OS update, re-verify compliance against the baseline.