Controls and Clauses Related to BYOD
Hi Ravi
All questions are good questions if they allow you to better understand.
The first issue is that ISO 27001 is not the right place to look, as your question has no relation to the ISMS processes, but to the controls in Annex A. You need to go to ISO 27002, which explains how to implement these controls. In your situation, it is highly recommended to read ISO 27002.
You could have a look at this blog post: ISO 27001 vs. ISO 27002 (https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/)
1) There are, sadly, no controls on BYOD (understood as personal electronic devices brought to work) in ISO 27002. You can't easily control it. The explanation in clause 6.2.1 (Mobile device policy) in ISO 27002 would help you further.
2) The only approach from ISO 27001 is risk management and defining an adequate policy. For example:
No classified information will be transmitted to and from BYOD equipment.
The use of BYOD to take pictures, audio and video recording must be authorised by the management.
The company will install software on mobile devices enabling it to delete the company information remotely.
3) The risk management approach is described in ISO 27005. The main risks are: professional information ends up on an uncontrolled device through received emails, photos, videos and audio recordings. Then: who around the user may access this information, and what if the device is lost or stolen?
Finally, you're right, it's not a mandatory control. This blog post makes the point: List of mandatory documents required by ISO 27001 (2013 revision) - https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Jan 12, 2016