A.8.1 User Endpoint Devices
M365 Admin Path: Microsoft Intune admin center (endpoint.microsoft.com) > Devices
What is this control?
ISO 27001 control A.8.1 User endpoint devices requires companies to ensure that information processed by, stored on, or accessed through user endpoint devices is properly protected. This matters because almost all sensitive information is accessed through such devices. The control addresses the security risks associated with endpoint devices such as laptops, smartphones, tablets, and other user-operated hardware that connect to organizational systems.
These devices are often mobile, diverse, and harder to control, making them vulnerable to threats like unauthorized access, data loss, or theft.
How to implement in Microsoft 365
Implementing ISO 27001 Annex A 8.1 (User endpoint devices) involves establishing a topic-specific Endpoint Security Policy and enforcing technical controls to protect information stored on, processed by, or accessible via laptops, desktops, mobile phones and tablets. Define scope (corporate and BYOD), register all devices in an asset inventory, and require hardening baselines (encryption at rest, anti-malware/EDR, personal firewall, screen lock, auto-patching). Manage devices through MDM/endpoint management (e.g., Intune) with compliance policies for OS versions, encryption, tamper protection and jailbreak/root detection.
Restrict software installation to approved apps, control removable media, and require secure network use (VPN where needed). Enable remote wipe/lock for loss/theft, back‑ups where applicable, and apply access controls (MFA, conditional access) tied to device compliance. Provide user guidance for handling, travel and storage; include BYOD rules and privacy notices.
Monitor device posture and logs, remediate promptly, and review the policy and controls periodically based on risk and incidents.
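An added example (not code from this page or from Microsoft) that expresses the hardening baseline above as the Microsoft Graph request bodies for an Intune Windows compliance policy and the Conditional Access policy that ties access to device compliance, then checks constructed device posture records against that baseline offline, the kind of sample an auditor takes. The policy names, minimum OS build and the break-glass group placeholder are assumptions.

```python
def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))  # numeric compare of "10.0.22631"-style builds

# Body for POST https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies
# Keys follow the Graph windows10CompliancePolicy schema; values are the baseline choices.
WINDOWS_COMPLIANCE_POLICY = {
    "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
    "displayName": "Windows baseline (A.8.1)",  # assumed name
    "osMinimumVersion": "10.0.19045",           # assumed oldest still-patched build
    "bitLockerEnabled": True,                   # encryption at rest
    "secureBootEnabled": True,
    "activeFirewallRequired": True,             # personal firewall
    "antivirusRequired": True,                  # anti-malware present and running
    "passwordRequired": True,                   # screen lock / sign-in required
    # No grace period: a failing device is marked non-compliant at once, so CA blocks it.
    "scheduledActionsForRule": [{"ruleName": "PasswordRequired",
        "scheduledActionConfigurations": [{"actionType": "block", "gracePeriodHours": 0}]}],
}

# Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
# Deploy in report-only mode first; set "state" to "enabled" after reviewing sign-in logs.
REQUIRE_COMPLIANT_DEVICE_CA = {
    "displayName": "Require compliant device for all apps",  # assumed name
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["<break-glass-group-id>"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}

BOOL_SETTINGS = ("bitLockerEnabled", "secureBootEnabled", "activeFirewallRequired",
                 "antivirusRequired", "passwordRequired")

def evaluate_device(device: dict, policy: dict = WINDOWS_COMPLIANCE_POLICY) -> list:
    """Return the baseline settings a device record fails; an empty list means compliant."""
    failures = [s for s in BOOL_SETTINGS if policy.get(s) and not device.get(s, False)]
    if version_tuple(device["osVersion"]) < version_tuple(policy["osMinimumVersion"]):
        failures.append("osMinimumVersion")
    return failures

# Constructed posture records (keys mirror the policy for brevity); an auditor samples
# this kind of data from the Intune dashboard to verify the baseline is enforced.
SAMPLE_DEVICES = [
    {"deviceName": "LT-0141", "osVersion": "10.0.22631", **{s: True for s in BOOL_SETTINGS}},
    {"deviceName": "LT-0097", "osVersion": "10.0.19041",
     **{s: True for s in BOOL_SETTINGS}, "bitLockerEnabled": False},
]
```

Running `evaluate_device` over each record gives the per-device list of failed settings, which is the evidence an auditor expects to see remediated.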
What an auditor looks for
Auditors will look for a documented Endpoint Security/Acceptable Use Policy covering device registration, configuration standards, encryption, malware protection, patching, software restrictions, removable media, remote wipe/lock, network use and BYOD rules. They will sample devices and MDM/endpoint management dashboards to verify enforcement (e.g., encryption enabled, EDR active, up-to-date patches, compliant OS versions) and check asset inventory accuracy. They will review conditional access or equivalent controls that restrict access to sensitive services to compliant devices, examine logs and alerts for device non-compliance or loss/theft, and confirm incident response actions (e.g., remote wipe).
Evidence of user awareness communications, periodic reviews, and exceptions handled through risk acceptance/change control is expected.
M365 capabilities that implement this control
CIS M365 v6.0.1 Intune hardening: SecureByDefault, personal enrollment, Entra join, device quota, LAPS
Conditional Access policies requiring device compliance
Intune enrollment and management for Windows devices
Intune enrollment and management for macOS devices
Intune enrollment and management for Android devices
Intune enrollment and management for iOS devices
Microsoft Defender for Endpoint EDR on Windows devices
Microsoft Defender for Endpoint on macOS devices
MCP server authentication (Device Flow, API keys), least-privilege tool exposure, connectivity monitoring