Bring Your Own Device 

I read an earlier, but still interesting, article that points to the risks associated with using your own devices. There is hardly any information security risk that is not covered by an ISO 27001 Annex A control; in some cases more than one control relates to handling a given risk. Although no control mentions the use of one's own devices (BYOD) explicitly, there are two whose implementation may include controls over personal devices:

  • “Off-site assets should be protected.” (A.7.9)
  • “Information stored on, processed by or accessible via user endpoint devices should be protected.” (A.8.1)

Two typical characteristics of personal devices are that they are endpoint devices and that they are usually used off premises. Since such devices are often outside the scope of the corporate mobile device management (MDM) solution, organizations have to define and document their approach to the use of workforce members’ own devices for business purposes. If such use is allowed, the usage rules shall cover

  • what may be done using private devices (smartphones, computers), and
  • the minimum required protection of the device.

The article was written long before the COVID era, but even then the author drew attention to the risks of working outside the office environment. The message is clear, and even more timely today than it was then: allowing workforce members to use their own computers (sometimes with inadequate protection against malicious code) to access important company information carries real risk.