The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
This document sets out the organization’s policy with respect to corporately provided mobile devices.
Areas of the standard addressed
The following areas of the ISO/IEC 27001 standard are addressed by this document:
• A.5 Organizational controls
o A.5.1 Policies for information security
• A.7 Physical controls
o A.7.9 Security of assets off-premises
• A.8 Technological controls
o A.8.1 User endpoint devices
General guidance
This policy should be provided to all technical personnel, employees and other interested parties who manage or use organization-provided mobile devices.
You may need to add additional detail to this document depending on your technical environment. You will also need to update it as technology changes.
Review frequency
We would recommend that this document is reviewed annually and upon significant change to the organization.
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.
To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.
If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.
Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents on an Apple Mac and in Google Docs/Sheets.
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.
If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.
Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.
You should take all reasonable and proper legal and other professional advice before using this document.
CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Mobile Device Policy [Insert classification]
Mobile Device Policy
DOCUMENT CLASSIFICATION [Insert classification]
DOCUMENT REF ISMS-DOC-A08-1-1
VERSION 1
DATED [Insert date]
DOCUMENT AUTHOR [Insert name]
DOCUMENT OWNER [Insert name/role]
Revision history
Distribution
Approval
1 Introduction
Mobile computing is an increasing part of everyday life; as devices become smaller and more powerful, the number of tasks that can be achieved away from the office grows. However, as the capabilities increase, so do the risks. Security controls that have evolved to protect the static desktop environment are easily bypassed when a mobile device is used outside the confines of an office building.
Mobile devices (also commonly referred to as “user endpoint devices”) include items such as:
• Laptops
• Notebooks
• Tablet devices
• Smartphones
• Smart watches
The purpose of this policy is to set out the controls that must be in place to secure each step in the lifecycle of a mobile device, including when employees are using mobile devices provided by [Organization Name]. It is intended to mitigate the following risks:
• Loss or theft of mobile devices, including the data on them
• Compromise of classified information held or accessed via a mobile device
• Introduction of viruses and malware to the network
• Loss of reputation caused by incidents relating to a mobile device
It is important that the controls set out in this policy are always observed in the provision, use and transport of mobile devices. The use of personally owned mobile devices to access corporate data is addressed separately in the BYOD Policy.
This policy applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.
The intended audience for this policy is employees responsible for the setup of company-provided mobile devices within [Organization Name].
Failure to comply with the contents of this policy may result in disciplinary action being taken by [Organization Name] against the individual(s) concerned.
Terms used in this policy are defined as follows:
• Classification of information means the process of organizing data into categories that reflect its level of sensitivity and the security measures required to protect it.
• Firmware is a specific type of software that provides low-level control for a device's specific hardware.
• TPM (Trusted Platform Module) means a specialized chip on an endpoint device that stores encryption keys specific to the host system for hardware authentication.
• Biometrics means the measurement and statistical analysis of people's unique physical and behavioural characteristics.
• Due diligence means a comprehensive appraisal of a business or individual prior to signing a contract, or an act with a certain standard of care.
• Zero-touch means automation technologies and processes that eliminate the need for human intervention in the setup, configuration, and management of systems or services.
• Multi-factor authentication is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.
The following ISMS documents and external references are relevant to this document:
• BYOD Policy
• Access Control Policy
• Remote Working Policy
• User Access Management Process
• Cryptographic Policy
2 Mobile device policy
2.1 Selection and sourcing of mobile devices
Mobile devices must remain within support from the vendor so that security updates are made available on a regular basis. Devices that are out of support must not be used and must be replaced as soon as possible.
Expected or published support periods must be considered when choosing a mobile device model to be purchased and deployed.
The requirements for mobile devices must be clearly defined, including the form factor, software that the device must run and classification of information that it will store or access.
Security must be considered when selecting a mobile device to be used within the organization, including the following factors:
• Whether a device is available in a more secure version for use within enterprises, rather than by consumers, or is part of a security certification program
• Frequency and mechanism by which updates are released by the vendor, including firmware updates if applicable
• Availability of hardware-based security tools such as TPM (Trusted Platform Module) and hardware-backed keystores
• Vendor software tools available for the management of mobile devices
• Compatibility with mobile device management (MDM) software either in current or planned use by the organization
• The security reputation of the hardware vendor, if separate from the software vendor (for example in the case of many Android devices)
• Security features available on the device, such as biometrics
Mobile devices must only be sourced from reputable vendors which have been the subject of a due diligence exercise within [Organization Name].
2.2 Mobile device provisioning
Where possible, a zero-touch approach (for example via Apple Business Manager or Windows Autopilot) should be taken to the enrolment of mobile devices to reduce the administrative setup involved and increase the security of the delivered devices.
Where zero-touch enrolment is not possible (for example if firmware settings need to be configured), setup tasks should only be performed by appropriately qualified administrators.
Only in exceptional circumstances should device enrolment be carried out by the end user.
Procedures for device provision and enrolment must be tested to ensure that security requirements are met.
Where enrolment credentials need to be distributed to users, this must be achieved via an appropriately secure channel.
Time limits must be set within which device enrolment should have taken place, and all failures investigated.
2.3 Mobile device management
A mobile device management (MDM) service will be used to provide the capability to implement policies on device configuration, define permitted software installation, monitor device status and take remote actions such as device wiping, among other features.
Access to the MDM service will be controlled according to [Organization Name] policies, including the use of multi-factor authentication where possible.
The MDM service will ideally allow the management of all types of mobile devices in use within the organization. Any exceptions will be subject to technical and security review and management approval.
Regular monitoring must be performed of the compliance of mobile devices with defined policies, and cases of non-compliance investigated promptly.
User applications will be provided from a defined store and provision made to ensure that these apps are regularly updated from an appropriate source (for example the app vendor or an external update service).
2.4 Mobile device security
The configuration of mobile devices will be controlled from a central point using the MDM service.
2.4.1 Device compliance
Compliance policies will be defined for each type of device (for example Windows, iOS) under management to include the following:
• Device health, such as use of encryption
• Device properties, such as OS version
• System security, including password rules and use of security features including firewall and antivirus
Compliance of mobile devices against these policies will be monitored, and instances of non-compliance investigated with the intention of bringing devices back into the required state.
Where available, conditional access capabilities within the MDM service should be used to further reduce risk to the organization.
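To show how the three compliance areas above (device health, device properties, system security) can be turned into an automated check over MDM inventory, the following added example evaluates constructed device records against a per-platform policy and lists the devices needing investigation. It is illustrative code written for this page, not part of the policy or of any MDM product; the platform names, minimum OS versions, passcode lengths and device records are all assumed values.

```python
# Constructed minimum compliance policy per platform (2.4.1). Version numbers
# and passcode lengths are illustrative placeholders, not vendor baselines.
POLICIES = {
    "Windows": {"min_os": (10, 0, 19045), "min_pin_len": 8,
                "require": {"encrypted", "firewall", "antivirus"}},
    "iOS":     {"min_os": (16, 0, 0), "min_pin_len": 6,
                "require": {"encrypted"}},
}

# Constructed sample of MDM inventory records (not real devices).
DEVICES = [
    {"id": "WIN-001", "platform": "Windows", "os_version": "10.0.19045",
     "encrypted": True, "firewall": True, "antivirus": True, "pin_length": 8},
    {"id": "WIN-002", "platform": "Windows", "os_version": "10.0.19041",
     "encrypted": False, "firewall": True, "antivirus": True, "pin_length": 8},
    {"id": "IOS-001", "platform": "iOS", "os_version": "15.7.1",
     "encrypted": True, "pin_length": 4},
    {"id": "AND-001", "platform": "Android", "os_version": "13",
     "encrypted": True, "pin_length": 6},
]


def parse_version(version: str) -> tuple:
    """Turn '10.0.19045' into (10, 0, 19045) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: dict) -> list:
    """Return the compliance findings for one device record; empty means compliant."""
    policy = POLICIES.get(device["platform"])
    if policy is None:
        # 2.3: device types outside the MDM scope need technical and security review
        return ["unmanaged platform: " + device["platform"]]
    findings = []
    # Device properties: OS version must meet the minimum for the platform
    if parse_version(device["os_version"]) < policy["min_os"]:
        findings.append("os_version below minimum")
    # Device health / system security: required features must be enabled
    for feature in sorted(policy["require"]):
        if not device.get(feature, False):
            findings.append(feature + " not enabled")
    # System security: passcode rules
    if device["pin_length"] < policy["min_pin_len"]:
        findings.append("passcode shorter than policy")
    return findings


def noncompliant(devices: list) -> dict:
    """Map device id to findings for every device that needs investigation."""
    return {d["id"]: f for d in devices if (f := evaluate(d))}
```

Running `noncompliant(DEVICES)` over the constructed records reports WIN-002, IOS-001 and AND-001, each with the specific setting to remediate.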
2.4.2 Device configuration
One or more device configuration profiles will be created for each type of mobile device to enforce the security policies of [Organization Name]. Due consideration will be given to available template profiles (such as security baselines) recommended by best practice bodies such as device and software vendors, government security agencies and industry bodies.
The specifics of the configuration required will vary by device type, but will typically include:
• Use of encryption (for example full disk encryption)
• Browser settings
• Use of biometrics (for example fingerprint and face recognition)
• Network settings (for example Wi-Fi and VPN)
• Device lock
• Firewall settings
• Access to applications
• Use of cloud services
• Power
• Threat protection
• Software updates
• Connection of peripherals (for example USB storage devices)
• [Add further areas to be covered]
Success in synchronising devices with their required configuration profiles must be monitored and failures investigated and resolved as soon as possible.
2.5 Deprovisioning mobile devices
A mobile device may need to be deprovisioned for a number of reasons, including loss or theft, reaching the end of its supported life, or needing to be returned to the manufacturer.
In most cases this will be achieved using the remote wipe capability of the MDM service. This should be carried out as soon as possible after the requirement is identified (for example the device being reported as lost).
If appropriate, a backup of the device should be taken before it is wiped.
Devices that are no longer required must be destroyed in accordance with documented procedures for the secure disposal of media.