ISO/IEC 27001:2022 dedicates 34 of its 93 Annex A controls to technological safeguards, with user endpoint devices named explicitly under Control A.8.1. This guide breaks down what certification actually requires at the device level, and how Zecurit Endpoint Manager helps you build the evidence your ISMS and auditors need.
ISO/IEC 27001 is the international standard for an Information Security Management System, first published in 2005 and most recently revised in 2022. Unlike regulations imposed by a government body, ISO 27001 certification is voluntary, but for many organisations it has become a practical requirement: enterprise customers, auditors, and procurement teams increasingly treat it as the baseline evidence that a vendor takes information security seriously.
The 2022 revision restructured Annex A's catalogue of controls from 114 down to 93, organised into four themes: Organisational, People, Physical, and Technological. Technological controls, numbered A.8.1 through A.8.34, form the largest and most technical theme, and this is where IT and security teams will spend most of their implementation effort.
This guide maps ISO 27001's endpoint-relevant Annex A controls to specific capabilities in Zecurit Endpoint Manager, so ISMS managers and IT teams can turn risk-assessment decisions into demonstrable, audit-ready controls.
A handful of terms shape how Annex A is actually used in practice:
Information Security Management System: the overarching, documented framework of policies, processes, and controls an organisation uses to manage information security risk.
Annex A: the normative catalogue of 93 reference controls that organisations evaluate against their risk assessment. Annex A controls are not automatically mandatory; each must be justified by risk.
Statement of Applicability (SoA): the single most important ISMS document. It records which Annex A controls are included or excluded, and the justification for each decision.
ISO/IEC 27002: the companion guidance standard that explains how to implement each Annex A control in detail. Organisations are certified against 27001, not 27002.
Risk Treatment Plan: the documented plan describing how identified information security risks will be addressed, which controls are selected, and how residual risk is managed.
Certification Body: an independent, accredited organisation that conducts the external audit required to award and maintain ISO 27001 certification, typically renewed on a three-year cycle with annual surveillance audits.
Unlike sector-specific regulations, ISO 27001 is adopted voluntarily across virtually every industry. Common adopters include:
The 2022 revision reorganised Annex A's 93 controls into four themes, replacing the previous 14-domain structure. Endpoint management touches every theme, but does the heaviest lifting within Technological Controls.
Organisational controls (A.5): policies, roles, supplier relationships, threat intelligence, and incident management. These set the governance layer that technical controls then enforce.
People controls (A.6): screening, employment terms, security awareness training, remote working, and disciplinary processes covering how staff handle sensitive information.
Physical controls (A.7): facility access, equipment security, secure disposal, and physical security monitoring covering tangible assets and premises.
Technological controls (A.8): user endpoint devices, access management, malware protection, vulnerability management, logging, monitoring, and secure development. This is the largest and most technical theme.
The 2022 revision merged and streamlined the previous 114 controls into 93, but more importantly, it added 11 entirely new controls reflecting how organisations actually operate today. Several of these land squarely on endpoint and device management: A.8.1 explicitly names User Endpoint Devices as a standalone control, requiring that information stored on, processed by, or accessible via endpoint devices be protected. A.8.12 introduces Data Leakage Prevention as a named control, and A.5.23 addresses information security for cloud service usage.
Critically, ISO 27001 does not mandate specific products or technologies for any of these controls. Organisations select controls based on risk assessment, then justify their choices, or exclusions, in the Statement of Applicability. In practice, almost every organisation that completes an honest risk assessment of remote and hybrid endpoints finds that A.8.1's protections, and the controls that support it, are necessary rather than optional.
The following sections translate the Annex A controls most directly enforced at the endpoint into the specific Zecurit capabilities that support them.
A.8.1 (User Endpoint Devices) requires that information stored on, processed by, or accessible via user endpoint devices be protected. It is the standard's most direct statement that the endpoint itself, not just the network perimeter, sits inside the information security boundary.
Hardware Inventory and Asset Discovery establish continuous visibility into every device accessing organisational information, the precondition for protecting any of it. Configuration Management then enforces consistent security baselines across that device population, giving A.8.1 a concrete, fleet-wide implementation rather than a policy statement alone.
A.8.2 (Privileged Access Rights) and A.8.5 (Secure Authentication) require that the allocation and use of privileged access rights be restricted and managed, paired with secure authentication technologies and procedures appropriate to the access being granted.
Configuration Management's User and Group Management lets IT teams create, modify, and disable local user accounts remotely and enforce password policy across the fleet. Remote Access sessions require explicit session confirmation from the end user and are governed by role-based access controls, with full session logging supporting the access governance these controls require.
A.8.7 (Protection Against Malware) requires organisations to implement protection against malware, combined with appropriate user awareness. This control sits within the System Operations group and is among the most directly testable technological controls in an external audit.
Security Alerts in the Monitoring and Alerts module notify IT teams the moment antivirus or antimalware protection is disabled on any endpoint, closing the gap between a policy requiring malware protection and verified, continuous enforcement of it across the fleet.
A.8.8 (Management of Technical Vulnerabilities) requires organisations to obtain information about technical vulnerabilities in the systems they use, evaluate their exposure, and take appropriate measures to address the risk in a timely manner. This is consistently one of the most heavily tested controls during certification audits.
Patch Management continuously scans every managed endpoint for missing patches, ranking them by CVSS score and active exploit intelligence. Vulnerability Management maps installed software against known CVEs, giving ISMS owners the timely, evidence-backed vulnerability data A.8.8 requires, and Patch Compliance Reports document that remediation actually happened.
A.8.9 (Configuration Management) requires that configurations, including security configurations, of hardware, software, services, and networks be established, documented, implemented, monitored, and reviewed. Configuration drift is one of the most common ways an otherwise compliant environment quietly falls out of conformance between audits.
Configuration Management lets IT teams define named profiles bundling firewall rules, Windows Update policy, and security hardening settings, then deploy and enforce them consistently across device groups. Hardware and software change alerts detect the moment an endpoint drifts from its approved baseline, giving A.8.9's monitoring and review requirement a continuous, automated implementation.
A.8.10 (Information Deletion) requires that information stored on systems or devices be deleted when it is no longer required, and A.8.12 (Data Leakage Prevention) requires measures to prevent unauthorised disclosure or extraction of sensitive information. Data Leakage Prevention was added as a named control in the 2022 revision specifically to address removable storage and uncontrolled data movement.
Device Control enforces allow, block, or trusted-only policies for removable storage, Bluetooth, and wireless adapters, with BadUSB keystroke injection prevention and policy enforcement that holds even when endpoints are offline. Remote Script Execution can automate scheduled data cleanup across the fleet, supporting both controls from a single platform.
A.8.24 (Use of Cryptography) requires that rules for the effective use of cryptography, including cryptographic key management, be defined and implemented to protect the confidentiality, authenticity, and integrity of information, in proportion to the risk identified.
BitLocker Management enforces drive encryption across every managed Windows endpoint from a central console, with TPM-only, TPM+PIN, and passphrase authentication modes. Recovery keys are backed up automatically, and BitLocker Compliance Reports identify any unprotected device, giving auditors clear, fleet-wide evidence that the cryptographic controls in your SoA are actually in force.
A.8.15 (Logging) requires that logs recording activities, exceptions, faults, and other relevant events be produced, stored, protected, and analysed. A.8.16 (Monitoring Activities) requires that networks, systems, and applications be monitored for anomalous behaviour, with appropriate action taken to evaluate potential incidents.
The Monitoring and Alerts module logs security, hardware, software, and access events in real time across the endpoint fleet. User Logon Reports record access patterns by account, and Device Control logs every connection attempt with a timestamp, building the activity record A.8.15 and A.8.16 expect to see during a surveillance or recertification audit.
Certification and surveillance audits ultimately test whether the controls listed in your Statement of Applicability are operating as described, not just documented. Auditors expect to see evidence, not assertions, and producing that evidence under time pressure is where many otherwise well-run ISMS programmes lose points.
Compliance and Reporting provides 100+ built-in report templates, including pre-mapped templates for ISO 27001, PCI-DSS, HIPAA, GDPR, CIS, and NIST. Security Reports surface BitLocker gaps, firewall status, and antivirus health across all endpoints, and Scheduled Report Delivery automates this evidence on a recurring basis, so it is ready well ahead of your next surveillance audit.
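As an added illustration of the evidence points named above (this is example code, not Zecurit's own tooling), the PowerShell routine below collects antivirus health, BitLocker protection and firewall status from one Windows endpoint and writes a dated JSON record listing any exceptions. It assumes local administrator rights and the built-in Defender, BitLocker and NetSecurity modules; the field and finding names are the example's own.

```powershell
# Added example, not Zecurit code: gather the A.8.7 / A.8.24 / A.8.9 evidence points
# (antivirus health, BitLocker gaps, firewall status) from one Windows endpoint.
# Assumes local admin rights and the built-in Defender, BitLocker and NetSecurity
# modules. Field and finding names are this example's own.
function Get-EndpointEvidence {
    $av = Get-MpComputerStatus
    $volumes = foreach ($v in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            ProtectionStatus = [string]$v.ProtectionStatus   # On / Off
            VolumeStatus     = [string]$v.VolumeStatus       # e.g. FullyEncrypted
            # A.8.24: which protector type backs the key (Tpm, TpmPin, Password, ...)
            Protectors       = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
            # The "recovery keys are backed up" claim needs a recovery password to escrow
            HasRecoveryPassword = [bool]($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
    }
    $osDrive = $volumes | Where-Object MountPoint -eq $env:SystemDrive
    # Enabled is a GpoBoolean (True / False / NotConfigured); only 'True' counts as on
    $fw = Get-NetFirewallProfile | Select-Object Name, Enabled
    $fwOff = @($fw | Where-Object { "$($_.Enabled)" -ne 'True' })
    $findings = @()
    if (-not $av.AntivirusEnabled -or -not $av.RealTimeProtectionEnabled) {
        $findings += 'A.8.7: antimalware protection is not active'
    }
    if (-not $osDrive -or $osDrive.ProtectionStatus -ne 'On') {
        $findings += 'A.8.24: OS drive is not BitLocker-protected'
    }
    if ($fwOff.Count -gt 0) {
        $findings += "A.8.9: firewall disabled in profile(s): $($fwOff.Name -join ', ')"
    }
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        CollectedUtc       = (Get-Date).ToUniversalTime().ToString('o')
        AntivirusEnabled   = $av.AntivirusEnabled
        RealTimeProtection = $av.RealTimeProtectionEnabled
        SignatureAgeDays   = $av.AntivirusSignatureAge
        Volumes            = @($volumes)
        FirewallProfiles   = @($fw)
        Findings           = $findings   # empty array means all three points pass
    }
}

# One dated JSON record per host: an empty Findings list is the pass evidence, a
# non-empty one is the exception to remediate before the auditor arrives.
Get-EndpointEvidence | ConvertTo-Json -Depth 4 |
    Set-Content -Path "$env:COMPUTERNAME-iso27001-endpoint-evidence.json"
```

Run it from the management tooling on a schedule and keep the dated records; together they form the time-series an auditor can sample rather than a single-day snapshot.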
The table below is a consolidated reference mapping each endpoint-relevant Annex A control to the relevant Zecurit features, useful for Statement of Applicability documentation and certification audits.
| Annex A Control | Zecurit Endpoint Manager Capability |
|---|---|
| User Endpoint Devices (A.8.1) | Hardware Inventory, Asset Discovery, Configuration Management |
| Privileged Access / Authentication (A.8.2, A.8.5) | User and Group Management, Role-Based Access, Session Confirmation and Audit |
| Protection Against Malware (A.8.7) | Security Alerts, Real-Time Monitoring and Alerts |
| Management of Technical Vulnerabilities (A.8.8) | Patch Management, Vulnerability Management, CVSS Prioritisation |
| Configuration Management (A.8.9) | Configuration Management, Centralised Profile Management, Hardware/Software Change Alerts |
| Information Deletion / DLP (A.8.10, A.8.12) | Device Control, USB/Removable Storage Policies, Remote Script Execution |
| Use of Cryptography (A.8.24) | BitLocker Management, TPM Policy Management, BitLocker Compliance Reports |
| Logging and Monitoring (A.8.15, A.8.16) | Real-Time Monitoring and Alerts, User Logon Reports, Audit Device Logs |
| Audit-Ready Evidence (SoA Support) | 100+ Compliance Reports, ISO 27001 Report Templates, Scheduled Report Delivery |
ISO 27001 deliberately avoids prescribing specific tools, asking organisations instead to justify their control choices through risk assessment. But across thousands of certification audits, the same pattern holds: weak endpoint visibility, missing patches, unencrypted drives, and unmonitored removable media are consistently where well-intentioned ISMS programmes lose points.
With user endpoint devices now named explicitly under Annex A 8.1, and the rise of remote and hybrid work expanding the device population auditors will examine, building strong endpoint discipline is no longer a nice-to-have alongside certification. It is the evidence base certification rests on.
Zecurit Endpoint Manager addresses the Annex A technological controls that matter most at the device level, from a single lightweight agent and unified console, giving ISMS managers and IT teams the patch management, encryption, device control, and audit-ready reporting your certification body expects to see, without assembling evidence from a dozen disconnected tools before the auditor arrives.
Zecurit develops cloud-based IT management solutions designed for modern IT teams. The Zecurit platform helps organisations manage endpoints, track assets, enforce security policies, and securely support distributed workforces through centralised, easy-to-use tools.
To learn more about Zecurit Endpoint Manager and how it supports your ISO 27001 certification programme, start a free 14-day trial or contact the Zecurit team.