
Employee private devices

Guest user Created:   Aug 12, 2019 Last commented:   Aug 12, 2019

Should we include the (private) devices (mobile phones) of our employees in the asset register? In the scope document we have referenced that all assets in the asset register are within the scope. The employees access e-mails via the Outlook app and therefore have information of the company on their devices. Is there any up/downside to adding the mobile devices? It would be around 20 devices.

Expert
Rhand Leal Aug 12, 2019

Answer:

Including private devices in your asset register would mean that all information on them (both company and private) would have to be treated according to company security rules, and this will add unnecessary effort and complexity to your ISMS (because of users' private data).

A better approach would be to not include the private devices in your asset register and to identify the risk that business data can be accessed by private devices. This way you can focus on protecting only the business data, and this can be done by means of implementing a BYOD policy.

This article will provide you with further explanation about managing private devices:
- How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
