What is a BYOD policy, and how can you easily write one using ISO 27001 controls?

One would expect that ISO 27001, the leading information security standard, would have strict requirements regarding BYOD. However, you would be surprised – such requirements do not exist, and what’s more, BYOD is never even mentioned in the standard.

BYOD is, of course, unavoidable in a modern company, so how do you make yourself compliant with ISO 27001?

Some of the items to cover in your BYOD policy:
  • Reference to main risks that were identified for the usage of personal devices
  • Description of access controls that need to be used for personal devices
  • Definition of which apps are mandatory, which are allowed, and which are not allowed for the processing and storage of company data

What does BYOD mean?

BYOD stands for Bring Your Own Device, referring to a trend where employees use their own personal devices (e.g., smartphones, laptops, tablets, USB drives, etc.) to connect to their employer’s networks and information systems.

Why do companies use BYOD?

The main reasons for adopting BYOD in companies are:

  • reduction of costs to provide devices to employees, since they are using their own
  • increase in productivity, since employees are more familiar with their own devices, which sometimes perform better than the devices provided by the organization
  • increase in the number of mobile and freelance workers, who commonly expect to be able to work anytime and from anywhere

What are the risks of BYOD?

The main risks related to the adoption of BYOD are:

  • lack of monitoring and supervision by IT
  • data leak, related to misuse of information by the employee, or due to device theft
  • increased exposure to malware, due to lack of control of which applications employees install on their own devices
  • violation of compliance requirements, especially related to privacy laws and regulations like the GDPR

What is a BYOD policy, and why do companies need one?

To achieve the benefits of BYOD while minimizing the potential risks of information compromise, organizations define rules for the use of personal devices in the workplace in a document commonly called a BYOD policy.

By adopting and communicating a BYOD policy, organizations define boundaries for access and use of personal devices, as well as potential consequences to employees for the misuse of information and damages to the organization’s networks and information systems.

ISO 27001 controls applicable to BYOD

First, let’s see which ISO 27001 controls are the closest to BYOD.

A.6.2.1 Mobile device policy – this control requires the development of a security policy for using mobile devices in order to reduce risks. Therefore, the BYOD policy must be based on identified risks.

A.6.2.2 Teleworking – since employees’ personal mobile devices are used not only in company offices, but also at home, this control is also applicable for BYOD. The control requires the implementation of security measures for information access, processing, and storage – this means that the BYOD policy must cover all of those three areas.

A.13.2.1 Information transfer policies and procedures – this control requires writing documentation for the protection of information that is transferred through any communication equipment, including employees’ personal mobile devices. So, if you didn’t write separate policies or procedures for information transfer, you can cover these requirements in the BYOD policy.

A.13.2.3 Electronic messaging – again, if you didn’t define through some other document how electronic messages will be protected, then the BYOD policy is the right place to do it.

There are some other controls that are not so directly related to BYOD, like A.8.1.3 Acceptable use of assets (defining rules on how each asset is to be used), A.8.2.3 Handling of assets (defining rules on which protection measures are to be used according to information classification), and at least a dozen other controls. However, I think the four controls I listed above are the most relevant in terms of BYOD, so let’s focus on them.


How to structure the BYOD policy

Creating a 20-page policy with detailed rules that will cover every security detail might seem attractive to you, but believe me, it’s not going to work.

When starting to write this policy, you should keep the main goal in mind: to change the behavior of the BYOD users in your company. And, if you want to change someone’s behavior, especially if this change involves the hassle of using some additional security rules, then you need to make the rules easily understandable and short. See also: Seven steps for implementing policies and procedures.

So, from the perspective of the ISO 27001 controls I listed above, in your BYOD policy you should cover the following:

  • Reference to main risks that were identified for the usage of personal devices;
  • Description of access controls that need to be used for personal devices;
  • Definition of which apps are mandatory, which are allowed, and which are not allowed for the processing and storage of company data;
  • Which services are allowed for storing the company data;
  • How the backup is done, how often, and where;
  • Which networks the users are allowed to connect to, and which protection they must use when transferring data and/or messages;
  • Which types of messages are not allowed;
  • Which channels and services are not allowed;
  • Guidelines for physical protection of the device.

The following items would be useful in the BYOD policy as well:

  • Definition of who owns the data that is stored on personal devices;
  • List of people / job titles that are, or are not, allowed to use personal devices;
  • List of particular devices that are / are not allowed for usage;
  • Special rights of the company for accessing the data on personal devices (there are various types of mobile device management software through which you can remotely access, edit, and delete the data on the mobile devices);
  • Whether the employees will be reimbursed for the usage of their own devices;
  • How the security breaches will be reported and handled;
  • Who is responsible for the employee training for the usage of BYOD.

Develop your BYOD policy wisely

So, to conclude, although ISO 27001 is not very focused on the Bring Your Own Device concept, its relevant controls can be quite helpful when writing the BYOD policy. And remember: documents are not important; changing people’s behavior is. Therefore, keep your documents short and simple.

Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.