How to write an easy-to-use BYOD policy compliant with ISO 27001
One would expect that ISO 27001, the leading information security standard, would have strict requirements regarding BYOD. However, you would be surprised – such requirements do not exist, and what’s more, neither BYOD nor Bring Your Own Device is ever mentioned in the standard.
BYOD is, of course, unavoidable in a modern company, so how do you make yourself compliant with ISO 27001?
ISO 27001 controls applicable to BYOD
First, let’s see which ISO 27001 controls are the closest to BYOD.
A.6.2.1 Mobile device policy – this control requires development of a security policy for using mobile devices in order to reduce risks. Therefore, the BYOD policy must be based on identified risks.
A.6.2.2 Teleworking – since employees’ personal mobile devices are used not only in company offices, but also at home, this control is also applicable to BYOD. The control requires the implementation of security measures for information access, processing, and storage – this means that the BYOD policy must cover all three of those areas.
A.13.2.1 Information transfer policies and procedures – this control requires writing documentation for the protection of information that is transferred through any communication equipment, including employees’ personal mobile devices. So, if you didn’t write separate policies or procedures for information transfer, you can cover these requirements in the BYOD policy.
A.13.2.3 Electronic messaging – again, if you didn’t define through some other document how electronic messages will be protected, then the BYOD policy is the right place to do it.
There are some other controls that are not so directly related to BYOD, like A.8.1.3 Acceptable use of assets (defining rules on how each asset is to be used), A.8.2.3 Handling of assets (defining rules on which protection measures are to be used according to information classification), and at least a dozen other controls. However, I think the four controls I listed above are the most relevant in terms of BYOD, so let’s focus on them.
How to structure the BYOD policy
Creating a 20-page policy with detailed rules that will cover every security detail might seem attractive to you, but believe me, it’s not going to work.
When starting to write this policy, you should keep the main goal in mind: to change the behavior of the BYOD users in your company. And, if you want to change someone’s behavior, especially if this change involves the hassle of using some additional security rules, then you need to make the rules easily understandable and short. See also: Seven steps for implementing policies and procedures.
So, from the perspective of the ISO 27001 controls I listed above, in your BYOD policy you should cover the following:
- Reference to main risks that were identified for the usage of personal devices;
- Description of access controls that need to be used for personal devices;
- Definition of which apps are mandatory, which are allowed, and which are not allowed for the processing and storage of company data;
- Which services are allowed for storing the company data;
- How the backup is done, how often, and where;
- Which networks the users are allowed to connect to, and which protection they must use when transferring data and/or messages;
- Which types of messages are not allowed;
- Which channels and services are not allowed;
- Guidelines for physical protection of the device.
The following items would be useful in the BYOD policy as well:
- Definition of who owns the data that is stored on personal devices;
- List of people / job titles that are allowed or not allowed to use personal devices;
- List of particular devices that are / are not allowed for usage;
- Special rights of the company for accessing the data on personal devices (there are various types of mobile device management software through which you can remotely access, edit, and delete the data on the mobile devices);
- Whether the employees will be reimbursed for the usage of their own devices;
- How the security breaches will be reported and handled;
- Who is responsible for the employee training for the usage of BYOD.
Develop your BYOD policy wisely
So, to conclude, although ISO 27001 is not very focused on the Bring Your Own Device concept, applying its relevant controls can be quite helpful when writing the BYOD policy. And remember: documents are not important; changing people’s behavior is. Therefore, keep your documents short and simple.