BYOD Security for ISO 27001

In this article, you will discover:

  • What ISO 27001 and BYOD are
  • Risks associated with BYOD
  • BYOD security requirements in ISO 27001
  • BYOD tools and which one you should use

What’s ISO 27001?

ISO 27001 is the globally recognized standard for information security management systems (ISMS), providing companies of any size and from all sectors with a systematic and structured approach to managing and protecting sensitive information. 

It employs a Plan-Do-Check-Act (PDCA) cycle and provides a framework for organizations to:

  • Identify and assess information security risks
  • Implement controls to mitigate those risks
  • Monitor and review the effectiveness of those controls on an ongoing basis

More information about ISO 27001 can be found in this article.

What’s BYOD?

Bring Your Own Device (BYOD) is an IT policy that permits employees to use their personal mobile devices, such as smartphones, tablets, and laptops, to access company data and systems. This trend has rapidly gained traction, particularly with the surge in remote work following the COVID-19 pandemic. BYOD offers employees greater flexibility, enhances job satisfaction, and saves cost for organizations.

While BYOD policies can offer cost savings and boost employees’ satisfaction, they can also come with various challenges that need to be addressed proactively to protect your business data. Being aware of these challenges enables organizations to address them effectively, thereby enhancing the overall efficiency of their BYOD initiatives. 

BYOD presents multiple risks:

  • Shadow IT: Employees may use unauthorized hardware or software without IT department oversight, such as unapproved USB drives or consumer-grade software, potentially increasing security vulnerabilities.
  • Lack of Uniformity: Employee devices can run varied operating systems (iOS, Android, ChromeOS, etc.), which complicates collaboration and management efforts.
  • Data Leaks: Misuse of information by employees or device theft can lead to data breaches.
  • Malware: Increased exposure to malware due to the absence of control over the applications installed by employees on their personal devices.
  • Compliance Violations: Non-compliance with privacy laws like GDPR or healthcare regulations such as HIPAA can result in loss of trust and hefty fines. Storing sensitive data on personal devices also poses risks like inadequate security and accidental sharing. Additional details regarding GDPR and HIPAA compliance can be found here and here.
  • Legal Issues: Unauthorized searches of employee devices for company data can raise legal concerns, including privacy rights, accidental removal of personal data, and handling of company data seized by law enforcement. Failure to address these issues through clear BYOD policies can lead to legal disputes and significant expenses for the company.

BYOD Security for ISO 27001

While ISO 27001 does not explicitly mention BYOD, numerous controls closely align with BYOD concerns, emphasizing the secure use of personal devices and data protection. 

Here are some relevant Annex A controls in ISO 27001:2013, with their counterparts in the 2022 version:

A.6.2.2 Teleworking (A.6.7 Remote Working in 2022 Version)

Given that employees may use their personal mobile devices outside of office premises, this control applies to BYOD. Your organization’s BYOD policy should mandate the implementation of security measures for accessing, processing, and storing information.

A.13.2.1 Information Transfer Policies and Procedures (merged into A.5.14 Information Transfer in 2022 Version)

This control requires the documentation of measures for safeguarding information transferred via any communication equipment, including employees’ personal mobile devices. Therefore, if you haven’t created separate policies or procedures for information transfer, these requirements can be incorporated into your BYOD policy.

A.13.2.3 Electronic Messaging (also merged into A.5.14 Information Transfer in 2022 Version)

Similarly, if protocols for protecting electronic messages have not been specified in other documents, your BYOD policy is the appropriate avenue for addressing this aspect.

The October 2022 revision of ISO 27001 introduced Annex A 8.1 User Endpoint Devices, which replaced the previous Mobile Device Policy (ISO 27001:2013 Annex A 6.2.1) and requires organizations to establish a policy addressing the secure configuration and handling of user endpoint devices.

ISO 27001:2022 Annex A 8.1 (with implementation guidance in ISO/IEC 27002:2022) provides additional recommendations for organizations permitting the use of personal devices for work-related tasks:

  1. Employ software tools to segregate personal and work activities on devices, ensuring the security of organizational information. Containerization features in MDM tools can achieve this, as discussed below.
  2. Employees should agree to certain conditions before using their personal devices for work, including:
    • Acknowledging their responsibility for physically safeguarding the device and installing essential software updates.
    • Agreeing not to claim ownership rights over the company’s data.
    • Agreeing that organizational data on the device can be remotely wiped if the device is lost or stolen, in line with legal requirements for the protection of personal information. Remote wipe is a standard function of MDM tools.
  3. Establish guidelines regarding the rights to intellectual property generated using user endpoint devices.
  4. Address statutory restrictions on the organization’s access to privately owned devices, and define how such access will be handled.
  5. Permitting staff to use personal devices may create legal liabilities under third-party software licences, since some licence terms make the organization liable for client software installed on privately owned devices. Companies should review their software licensing agreements with providers to mitigate this risk.

BYOD Security Tools

There are some technical tools available to help organizations achieve the BYOD requirements in ISO 27001:

Mobile Device Management (MDM)

One of the most commonly employed BYOD solutions is Mobile Device Management (MDM). 

  • Scope: focuses solely on mobile devices and their security.
  • Key MDM features:
    • Zero-Touch Enrollment: Devices get enrolled with MDM as soon as they are activated.
    • Device Configurations: MDM software can disable copy-paste, screenshot capture, clipboard, Bluetooth, removable media, and other wireless sharing features. Furthermore, administrators can block unapproved file-sharing apps to restrict data sharing.
    • Device and Data Security: MDM tools can enforce various security measures, such as encryption, using strong passwords, regular backups, user authentication and so on, to safeguard the device and its data.
    • Remote Device Locking, Wiping and Maintenance: Lost or stolen devices can be locked and wiped remotely. Device updates and troubleshooting can also be done over the air.
    • Containerization: create secure “containers” for corporate data & apps separate from personal data, with data encryption & authorization.
    • Policy Enforcement: Companies can pre-determine configurations, restrictions and applications and mass-deploy these policies on multiple devices, streamlining device management.
    • Location Tracking: Administrators can view the current location as well as historical location data of devices. On personally owned devices this capability raises the privacy and legal concerns described above, so it is typically limited to the work container or disabled, and its use should be stated in the BYOD policy employees agree to.
    • Application and Content Management: MDM facilitates centralized management of all mobile content, ensuring applications are consistently updated and readily accessible to employees as needed.
    • Audit & Compliance Reporting: MDM can provide automated logging, compliance reporting and dashboards to track device compliance with security frameworks like ISO 27001 and with organizational policies.

For a more comprehensive understanding of MDM, please see this article.
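The policy-enforcement and compliance-reporting features above rest on a simple idea: every enrolled device periodically reports its posture (encryption state, screen lock, OS version, jailbreak status, whether a work container is present), and the MDM evaluates that report against the organization’s BYOD rules to decide whether the device may keep accessing corporate data. The following Python script is an added example, not code from the original article or from any MDM product, showing that evaluation end to end: a device inventory, a policy, a per-device verdict with the reasons, and a fleet summary. The device records and the policy thresholds (minimum OS versions, check-in interval) are constructed for illustration; ISO 27001 itself sets no such numbers.

```python
"""Added example: evaluate BYOD device posture against an assumed BYOD policy.

This mirrors what an MDM's compliance engine does before granting access to
corporate data. All device records and thresholds below are constructed for
illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    platform: str           # "ios" or "android"
    os_version: str         # e.g. "17.2.1"
    encrypted: bool         # device storage encryption enabled
    screen_lock: bool       # passcode or biometric lock configured
    compromised: bool       # jailbroken / rooted
    work_container: bool    # corporate data isolated in a managed container
    days_since_checkin: int


# Assumed policy thresholds (hypothetical values, not taken from ISO 27001).
POLICY = {
    "min_os": {"ios": "16.0", "android": "13"},
    "max_days_since_checkin": 7,
}


def version_tuple(v: str) -> tuple:
    """'17.2.1' -> (17, 2, 1). Tuples compare element-wise, so '17' < '17.2'."""
    return tuple(int(part) for part in v.split("."))


def evaluate(device: Device, policy=POLICY) -> dict:
    """Return {'status': 'compliant' | 'warn' | 'block', 'findings': [...]}.

    'block' findings deny access immediately (the device cannot protect the
    data at all); 'warn' findings are conditions a real MDM would usually give
    a grace period for before blocking.
    """
    block, warn = [], []
    if device.compromised:
        block.append("jailbroken/rooted device")
    if not device.encrypted:
        block.append("storage encryption disabled")
    if not device.screen_lock:
        block.append("no screen lock configured")
    if not device.work_container:
        block.append("corporate data not separated from personal data")

    min_os = policy["min_os"].get(device.platform)
    if min_os is None:
        block.append(f"unsupported platform {device.platform!r}")
    elif version_tuple(device.os_version) < version_tuple(min_os):
        warn.append(f"OS {device.os_version} below minimum {min_os}")

    if device.days_since_checkin > policy["max_days_since_checkin"]:
        warn.append(f"no check-in for {device.days_since_checkin} days")

    status = "block" if block else ("warn" if warn else "compliant")
    return {"status": status, "findings": block + warn}


def compliance_report(devices, policy=POLICY) -> dict:
    """Fleet summary: count per status plus the per-device verdicts."""
    results = {d.device_id: evaluate(d, policy) for d in devices}
    counts = {"compliant": 0, "warn": 0, "block": 0}
    for verdict in results.values():
        counts[verdict["status"]] += 1
    return {"counts": counts, "devices": results}


# Constructed sample inventory (not real devices or people).
FLEET = [
    Device("d1", "alice", "ios", "17.2.1", True, True, False, True, 1),
    Device("d2", "bob", "android", "12", True, True, False, True, 2),
    Device("d3", "carol", "android", "14", False, True, True, True, 0),
    Device("d4", "dave", "ios", "16.0", True, False, False, False, 30),
    Device("d5", "erin", "windows", "10", True, True, False, False, 1),
]

if __name__ == "__main__":
    report = compliance_report(FLEET)
    print(report["counts"])
    for dev_id, verdict in report["devices"].items():
        print(dev_id, verdict["status"], "; ".join(verdict["findings"]))
```

Two design points are worth noting. Findings are split into hard blocks and warnings because a compliance engine that blocks on every stale check-in locks out half the fleet after a long weekend, while one that merely warns about a jailbroken device has no teeth. And version strings are compared as integer tuples rather than as text, so that "9" does not sort above "13" and "17" sorts below "17.2".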

Enterprise Mobility Management (EMM)

EMM is an expansion of MDM, offering a wider range of functionalities and capabilities.

  • Scope:
    • Covers the entire mobile ecosystem within an organization, including application, content and identity management.
    • Explicitly designed for managing apps and content on mobile devices; not suited to macOS or Windows management.
  • Key EMM features: EMM solutions encompass all MDM features and some additions:
    • Mobile Application Management (MAM) focuses mainly on managing applications. It allows for distribution, security, updating and configuring of software running on mobile devices. 
    • Mobile Content Management (MCM) enables secure access to corporate content and data on all endpoints. It can push, access, store, and distribute content from the company’s internal repository in a secure manner.
    • Identity and Access Management (IAM) facilitates user authentication and enforces policy-based rights and permissions. It enables IT teams to categorize users into groups, each group having predefined permissions and restrictions.

Unified Endpoint Management (UEM)

UEM combines the capabilities of both MDM and EMM solutions while introducing advanced features to offer holistic monitoring, management, and security for all endpoints.

  • Scope:
    • Manages endpoints beyond mobile devices, including PCs, rugged devices, IoT devices, wearables, etc., through a single console.
  • Key UEM features: UEM solutions include MDM and EMM functionalities and some additions:
    • Centralized Management Console: complete visibility into the IT environment and every managed asset from one place.
    • Software and OS Deployment: Enables automated deployment of software and operating systems across the organization’s network from a central console, limiting manual intervention.
    • Patch Management and Update Installation: Automatically scans endpoints for missing software and firmware updates and known vulnerabilities, and applies patches promptly across all managed endpoints.
    • Threat Detection and Mitigation: Integrates with Endpoint Detection and Response (EDR) and other security technologies to identify abnormal device behaviors indicative of ongoing or potential threats, triggering appropriate security actions.
    • Seamless Integration With Other Tools: Integrates effortlessly with helpdesk software, productivity and collaboration tools, and enterprise mobility solutions for enhanced efficiency and a unified IT environment.

Which BYOD Solution is Right for My Business?

Choosing between Mobile Device Management (MDM), Enterprise Mobility Management (EMM), or Unified Endpoint Management (UEM) depends on several factors, including business requirements, device management, security needs, integration, and cost considerations.

When to Choose MDM?

MDM is ideal for businesses with relatively simple IT systems but a large fleet of mobile devices requiring ongoing management. Educational institutions and small businesses managing mobile devices for basic tasks benefit from MDM’s cost-effectiveness and simplicity.

When to Choose EMM?

EMM suits environments with diverse devices and operating systems (iOS, Android, Linux, ChromeOS). It offers advanced application and content management features suitable for organizations with specialized applications and sensitive data, like mid-sized financial services firms.

When to Choose UEM?

UEM is the broadest option, managing any endpoint, physical or virtual, regardless of device type or operating system. It is suited to businesses with large and growing device landscapes, distributed workforces, and stringent security requirements. UEM offers scalability and adaptability, making it a common choice for organizations undertaking digital transformations.

Sign up for Agency today and find more about BYOD Security for your organization.
