Compliance Guide

ISO 27001 Compliance for Endpoints

A Practical Guide to Annex A's Technological Controls for Certified Organisations

ISO/IEC 27001:2022 dedicates 34 of its 93 Annex A controls to technological safeguards, with user endpoint devices named explicitly under Control A.8.1. This guide breaks down what certification actually requires at the device level, and how Zecurit Endpoint Manager helps you build the evidence your ISMS and auditors need.

Published by: Zecurit
Category: Compliance & Regulation
Audience: IT Teams, ISMS Managers, Security Officers

Why Annex A Puts the Endpoint at the Centre of Certification

At a Glance
  • Who pursues it: Any organisation seeking to demonstrate a managed, auditable approach to information security, often as a precondition for enterprise sales or regulatory alignment.
  • What the standard requires: ISO/IEC 27001:2022 requires an Information Security Management System (ISMS) and a risk-justified selection of controls from Annex A's 93-control catalogue.
  • Why endpoints matter now: Annex A 8.1 names user endpoint devices explicitly, and Microsoft has reported that 80 to 90 percent of successful ransomware attacks originate from unmanaged devices.
  • How Zecurit helps: Patch and vulnerability management, BitLocker encryption, device control, configuration management, and audit-ready compliance reporting from a single agent and console.

ISO/IEC 27001 is the international standard for an Information Security Management System, first published in 2005 and most recently revised in 2022. Unlike regulations imposed by a government body, ISO 27001 certification is voluntary, but for many organisations it has become a practical requirement: enterprise customers, auditors, and procurement teams increasingly treat it as the baseline evidence that a vendor takes information security seriously.

The 2022 revision restructured Annex A's catalogue of controls from 114 down to 93, organised into four themes: Organisational, People, Physical, and Technological. Technological controls, numbered A.8.1 through A.8.34, form the largest and most technical theme, and this is where IT and security teams will spend most of their implementation effort.

Why Endpoints Carry Outsized Risk: A 2025 survey of managed service providers found that 92 percent of remote workers used personal tablets or smartphones for work tasks, and nearly half had saved a work file on those devices. With most successful ransomware attacks originating from unmanaged endpoints, Annex A 8.1's focus on user endpoint devices is not a formality. It addresses where breaches actually start.

This guide maps ISO 27001's endpoint-relevant Annex A controls to specific capabilities in Zecurit Endpoint Manager, so ISMS managers and IT teams can turn risk-assessment decisions into demonstrable, audit-ready controls.

Key Terminology Under ISO 27001

A handful of terms shape how Annex A is actually used in practice:

  • ISMS

    Information Security Management System: the overarching, documented framework of policies, processes, and controls an organisation uses to manage information security risk.

  • Annex A

    The normative catalogue of 93 reference controls organisations evaluate against their risk assessment. Annex A controls are not automatically mandatory; they must be justified by risk.

  • Statement of Applicability (SoA)

    The single most important ISMS document. It records which Annex A controls are included or excluded, and the justification for each decision.

  • ISO/IEC 27002

    The companion guidance standard that explains how to implement each Annex A control in detail. Organisations are certified against 27001, not 27002.

  • Risk Treatment Plan

    The documented plan describing how identified information security risks will be addressed, which controls are selected, and how residual risk is managed.

  • Certification Body

    An independent, accredited organisation that conducts the external audit required to award and maintain ISO 27001 certification, typically renewed on a three-year cycle with annual surveillance audits.

Who Pursues ISO 27001 Certification?

Unlike sector-specific regulations, ISO 27001 is adopted voluntarily across virtually every industry. Common adopters include:

  • SaaS and technology vendors selling into enterprise and government accounts
  • Managed service providers and IT outsourcing firms
  • Financial services and fintech companies supplementing sector-specific regulation
  • Healthcare technology vendors operating alongside HIPAA or similar frameworks
  • Professional services firms handling client confidential data
  • Manufacturing and supply chain companies with intellectual property to protect
  • Cloud and data centre operators
  • Any organisation responding to a customer or partner's vendor security questionnaire

Commercial Exposure: ISO 27001 carries no statutory fines, but the practical cost of non-conformance is losing deals. Increasingly, enterprise procurement and vendor risk teams require current certification as a contractual precondition, and a failed or lapsed certification can stall renewals, block new business, and trigger costly remediation projects under deadline pressure.

The Four Annex A Themes

The 2022 revision reorganised Annex A's 93 controls into four themes, replacing the previous 14-domain structure. Endpoint management touches every theme, but does the heaviest lifting within Technological Controls.

A.5 — 37 Controls

Organisational Controls

Policies, roles, supplier relationships, threat intelligence, and incident management. These set the governance layer that technical controls then enforce.

A.6 — 8 Controls

People Controls

Screening, employment terms, security awareness training, remote working, and disciplinary processes covering how staff handle sensitive information.

A.7 — 14 Controls

Physical Controls

Facility access, equipment security, secure disposal, and physical security monitoring covering tangible assets and premises.

A.8 — 34 Controls

Technological Controls

User endpoint devices, access management, malware protection, vulnerability management, logging, monitoring, and secure development, the largest and most technical theme.

The 2022 Revision and What It Means for Endpoint Controls

Current Status: ISO/IEC 27001:2022 is the current active version of the standard. Organisations certified under the 2013 edition have a defined transition period to migrate their ISMS and Statement of Applicability to the 2022 control set, after which the older certification is no longer valid.

The 2022 revision merged and streamlined the previous 114 controls into 93, but more importantly, it added 11 entirely new controls reflecting how organisations actually operate today. Several of these land squarely on endpoint and device management: A.8.1 explicitly names User Endpoint Devices as a standalone control, requiring that information stored on, processed by, or accessible via endpoint devices be protected. A.8.12 introduces Data Leakage Prevention as a named control, and A.5.23 addresses information security for cloud service usage.

Critically, ISO 27001 does not mandate specific products or technologies for any of these controls. Organisations select controls based on risk assessment, then justify their choices, or exclusions, in the Statement of Applicability. In practice, almost every organisation that completes an honest risk assessment of remote and hybrid endpoints finds that A.8.1's protections, and the controls that support it, are necessary rather than optional.

Annex A Technological Controls Mapped to Zecurit Endpoint Manager

The following sections translate the Annex A controls most directly enforced at the endpoint into the specific Zecurit capabilities that support them.

Control 01

User Endpoint Devices

Annex A 8.1

This control requires that information stored on, processed by, or accessible via user endpoint devices be protected. It is the standard's most direct statement that the endpoint itself, not just the network perimeter, is part of the information security boundary.

Zecurit Endpoint Manager

Hardware Inventory and Asset Discovery establish continuous visibility into every device accessing organisational information, the precondition for protecting any of it. Configuration Management then enforces consistent security baselines across that device population, giving A.8.1 a concrete, fleet-wide implementation rather than a policy statement alone.

Hardware Inventory, Asset Discovery, Configuration Management

Control 02

Privileged Access Rights and Identity Management

Annex A 8.2, 8.5

These controls require the allocation and use of privileged access rights to be restricted and managed, paired with secure authentication technologies and procedures appropriate to the access being granted.

Zecurit Endpoint Manager

Configuration Management's User and Group Management lets IT teams create, modify, and disable local user accounts remotely and enforce password policy across the fleet. Remote Access sessions require explicit session confirmation from the end user and are governed by role-based access controls, with full session logging supporting the access governance these controls require.

User and Group Management, Role-Based Access, Session Confirmation and Audit

Control 03

Protection Against Malware

Annex A 8.7

Organisations must implement protection against malware, combined with appropriate user awareness. This control sits within the System Operations group and is among the most directly testable technological controls in an external audit.

Zecurit Endpoint Manager

Security Alerts in the Monitoring and Alerts module notify IT teams the moment antivirus or antimalware protection is disabled on any endpoint, closing the gap between a policy requiring malware protection and verified, continuous enforcement of it across the fleet.

Security Alerts, Real-Time Monitoring and Alerts

Control 04

Management of Technical Vulnerabilities

Annex A 8.8

Organisations must obtain information about technical vulnerabilities in systems in use, evaluate their exposure, and take appropriate measures to address the risk in a timely manner. This is consistently one of the most heavily tested controls during certification audits.

Zecurit Endpoint Manager

Patch Management continuously scans every managed endpoint for missing patches, ranking them by CVSS score and active exploit intelligence. Vulnerability Management maps installed software against known CVEs, giving ISMS owners the timely, evidence-backed vulnerability data A.8.8 requires, and Patch Compliance Reports document that remediation actually happened.

Patch Management, Vulnerability Management, CVSS Prioritisation

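
The ranking the paragraph above describes, scoring missing patches by CVSS and escalating anything with active exploit intelligence, can be shown as a small remediation-queue builder. This is an added example, not Zecurit code: the scan records are constructed, the CVE identifiers are placeholders, and the severity-to-SLA table is an assumption, since ISO 27001 sets no numeric deadlines and each organisation fixes its own in the risk treatment plan.

```python
"""Rank missing patches by CVSS score and exploit intelligence (Annex A 8.8).

Added illustration; not Zecurit code. Scan records are constructed, CVE ids
are placeholders, and the SLA table is an assumed risk-treatment decision.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed scan output: one row per (endpoint, missing patch). CVE ids are placeholders.
MISSING_PATCHES = [
    {"host": "LT-0142", "cve": "CVE-0000-0001", "cvss": 9.8, "exploited": True,  "detected": "2025-03-01"},
    {"host": "LT-0142", "cve": "CVE-0000-0002", "cvss": 7.5, "exploited": False, "detected": "2025-03-10"},
    {"host": "WS-0007", "cve": "CVE-0000-0003", "cvss": 5.3, "exploited": True,  "detected": "2025-03-15"},
    {"host": "WS-0007", "cve": "CVE-0000-0004", "cvss": 4.3, "exploited": False, "detected": "2025-01-10"},
    {"host": "SRV-01",  "cve": "CVE-0000-0005", "cvss": 2.1, "exploited": False, "detected": "2025-03-18"},
]

# Date the report is generated for; fixed so the example is reproducible.
REPORT_DATE = date(2025, 3, 20)

# CVSS v3.x qualitative severity bands as (lower bound, label), highest first.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

# Assumed remediation SLAs in days per effective severity.
SLA_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 90, "None": 180}


def severity(cvss: float) -> str:
    """Map a CVSS base score to its qualitative band ('None' for a 0.0 score)."""
    for lower_bound, label in SEVERITY_BANDS:
        if cvss >= lower_bound:
            return label
    return "None"


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    exploited: bool
    severity: str      # effective severity after exploit escalation
    due: date          # detection date + SLA
    overdue_days: int  # 0 while still within SLA


def prioritise(records, today: date) -> list:
    """Order findings: actively exploited first, then CVSS descending, then earliest due date."""
    findings = []
    for r in records:
        # Exploit intelligence overrides the score: a known-exploited flaw is handled as Critical.
        sev = "Critical" if r["exploited"] else severity(r["cvss"])
        due = date.fromisoformat(r["detected"]) + timedelta(days=SLA_DAYS[sev])
        findings.append(Finding(r["host"], r["cve"], r["cvss"], r["exploited"], sev, due,
                                max(0, (today - due).days)))
    findings.sort(key=lambda f: (not f.exploited, -f.cvss, f.due))
    return findings


def overdue(findings) -> list:
    """Findings past their SLA: the items an auditor will ask about first."""
    return [f for f in findings if f.overdue_days > 0]


def summary(findings) -> dict:
    """Open findings per effective severity, as a compliance report would tabulate them."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    queue = prioritise(MISSING_PATCHES, REPORT_DATE)
    for f in queue:
        flag = "EXPLOITED " if f.exploited else ""
        print(f"{f.host:8} {f.cve:14} CVSS {f.cvss:4} {flag}{f.severity:8} due {f.due} overdue {f.overdue_days}d")
    print("summary:", summary(queue))
```

The point the queue makes for an A.8.8 audit is that "timely" is measured against a dated detection record and a documented SLA, so the overdue list is the evidence gap to close, not the raw count of missing patches.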
Control 05

Configuration Management

Annex A 8.9

Configurations, including security configurations, of hardware, software, services, and networks must be established, documented, implemented, monitored, and reviewed. Configuration drift is one of the most common ways an otherwise compliant environment quietly falls out of conformance between audits.

Zecurit Endpoint Manager

Configuration Management lets IT teams define named profiles bundling firewall rules, Windows Update policy, and security hardening settings, then deploy and enforce them consistently across device groups. Hardware and software change alerts detect the moment an endpoint drifts from its approved baseline, giving A.8.9's monitoring and review requirement a continuous, automated implementation.

Configuration Management, Centralised Profile Management, Hardware/Software Change Alerts

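
The baseline-versus-observed comparison behind A.8.9's "monitored and reviewed" requirement can be shown as a drift checker. This is an added example, not Zecurit code: the profile keys, the endpoint reports and the profile assignments are constructed assumptions shaped like what a management agent might collect, and the baseline entries with ("max", n) bounds are a convention chosen here so a profile can express a ceiling rather than only an exact value.

```python
"""Detect configuration drift against a named baseline profile (Annex A 8.9).

Added illustration; not Zecurit code. Profile keys, reports and assignments
are constructed assumptions.
"""

# A baseline entry is either an exact expected value or a ("max", n) / ("min", n) bound.
BASELINES = {
    "corp-laptop-v3": {
        "firewall.enabled": True,
        "firewall.inbound_default": "block",
        "windows_update.deferral_days": ("max", 7),
        "smbv1.enabled": False,
        "rdp.enabled": False,
        "screen_lock.timeout_min": ("max", 10),
    },
}

# Constructed agent reports: the assigned profile plus the settings observed on the device.
REPORTS = [
    {"host": "LT-0142", "profile": "corp-laptop-v3", "observed": {
        "firewall.enabled": True, "firewall.inbound_default": "block",
        "windows_update.deferral_days": 7, "smbv1.enabled": False,
        "rdp.enabled": False, "screen_lock.timeout_min": 10}},
    # Inbound default flipped to allow and SMBv1 re-enabled.
    {"host": "LT-0201", "profile": "corp-laptop-v3", "observed": {
        "firewall.enabled": True, "firewall.inbound_default": "allow",
        "windows_update.deferral_days": 3, "smbv1.enabled": True,
        "rdp.enabled": False, "screen_lock.timeout_min": 5}},
    # SMBv1 setting missing from the report, RDP enabled, screen lock relaxed beyond the ceiling.
    {"host": "LT-0333", "profile": "corp-laptop-v3", "observed": {
        "firewall.enabled": True, "firewall.inbound_default": "block",
        "windows_update.deferral_days": 7, "rdp.enabled": True,
        "screen_lock.timeout_min": 30}},
    # Assigned a profile that no longer exists in the console.
    {"host": "LT-0400", "profile": "corp-laptop-v1", "observed": {"firewall.enabled": True}},
]


def conforms(expected, observed) -> bool:
    """True when the observed setting satisfies the baseline entry."""
    if observed is None:
        return False  # setting not reported: conformance cannot be claimed
    if isinstance(expected, tuple):
        op, bound = expected
        return observed <= bound if op == "max" else observed >= bound
    return observed == expected


def check_endpoint(report) -> list:
    """Return (key, expected, observed) drift tuples for one endpoint."""
    baseline = BASELINES.get(report["profile"])
    if baseline is None:
        # An orphaned assignment is itself drift: nothing is being enforced.
        return [("profile", "known baseline", report["profile"])]
    drift = []
    for key, expected in baseline.items():
        observed = report["observed"].get(key)
        if not conforms(expected, observed):
            drift.append((key, expected, observed))
    return drift


def drift_report(reports) -> dict:
    """Host -> list of drift tuples for every endpoint (an empty list means in baseline)."""
    return {r["host"]: check_endpoint(r) for r in reports}


def compliance_rate(reports) -> float:
    """Fraction of endpoints with zero drift, the headline figure for a review."""
    results = drift_report(reports)
    return sum(1 for d in results.values() if not d) / len(results)


if __name__ == "__main__":
    for host, drift in drift_report(REPORTS).items():
        print(host, "OK" if not drift else drift)
    print(f"in baseline: {compliance_rate(REPORTS):.0%}")
```

Treating a missing setting and an orphaned profile assignment as drift, rather than silently passing them, is what keeps the review honest: both are states in which nothing is actually being enforced.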
Control 06

Information Deletion and Data Leakage Prevention

Annex A 8.10, 8.12

Information stored on systems or devices must be deleted when no longer required, and measures must be applied to prevent unauthorised disclosure or extraction of sensitive information. Data Leakage Prevention was added as a named control in the 2022 revision specifically to address removable storage and uncontrolled data movement.

Zecurit Endpoint Manager

Device Control enforces allow, block, or trusted-only policies for removable storage, Bluetooth, and wireless adapters, with BadUSB keystroke injection prevention and policy enforcement that holds even when endpoints are offline. Remote Script Execution can automate scheduled data cleanup across the fleet, supporting both controls from a single platform.

Device Control, USB/Removable Storage Policies, Remote Script Execution

Control 07

Use of Cryptography

Annex A 8.24

Rules for the effective use of cryptography, including cryptographic key management, must be defined and implemented to protect the confidentiality, authenticity, and integrity of information, in proportion to the risk identified.

Zecurit Endpoint Manager

BitLocker Management enforces drive encryption across every managed Windows endpoint from a central console, with TPM-only, TPM+PIN, and passphrase authentication modes. Recovery keys are backed up automatically, and BitLocker Compliance Reports identify any unprotected device, giving auditors clear, fleet-wide evidence that the cryptographic controls in your SoA are actually in force.

BitLocker Management, TPM Policy Management, BitLocker Compliance Reports

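
What a BitLocker compliance report has to decide per volume can be shown as a policy evaluator. This is an added example, not Zecurit code: the volume records are constructed, and their field names are modelled on the properties the Windows Get-BitLockerVolume cmdlet reports (MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod and the KeyProtector types), while RecoveryKeyEscrowed stands in for a management console's own backup record and is an assumption. The policy itself, TPM+PIN on operating-system volumes, XTS-AES only and an escrowed recovery password, is an assumed SoA choice; the page lists TPM-only and passphrase as modes the product also supports.

```python
"""Evaluate BitLocker state per volume against an encryption policy (Annex A 8.24).

Added illustration; not Zecurit code. Records are constructed; field names
follow Get-BitLockerVolume, except RecoveryKeyEscrowed, which is assumed.
"""

POLICY = {
    # Pre-boot authentication accepted on OS volumes (assumed: TPM+PIN variants only).
    "os_volume_protectors": {"TpmPin", "TpmPinStartupKey"},
    "allowed_methods": {"XtsAes128", "XtsAes256"},
}

# Constructed records, one per volume. KeyProtector lists the protector types present.
VOLUMES = [
    {"host": "LT-0142", "MountPoint": "C:", "VolumeType": "OperatingSystem",
     "VolumeStatus": "FullyEncrypted", "ProtectionStatus": "On", "EncryptionMethod": "XtsAes256",
     "KeyProtector": ["TpmPin", "RecoveryPassword"], "RecoveryKeyEscrowed": True},
    # TPM-only: encrypted and protected, but below the assumed pre-boot policy.
    {"host": "LT-0201", "MountPoint": "C:", "VolumeType": "OperatingSystem",
     "VolumeStatus": "FullyEncrypted", "ProtectionStatus": "On", "EncryptionMethod": "XtsAes128",
     "KeyProtector": ["Tpm", "RecoveryPassword"], "RecoveryKeyEscrowed": True},
    # Never encrypted.
    {"host": "LT-0333", "MountPoint": "C:", "VolumeType": "OperatingSystem",
     "VolumeStatus": "FullyDecrypted", "ProtectionStatus": "Off", "EncryptionMethod": "None",
     "KeyProtector": [], "RecoveryKeyEscrowed": False},
    # Data volume encrypted with a legacy method and a recovery key nobody backed up.
    {"host": "LT-0333", "MountPoint": "D:", "VolumeType": "Data",
     "VolumeStatus": "FullyEncrypted", "ProtectionStatus": "On", "EncryptionMethod": "Aes256",
     "KeyProtector": ["RecoveryPassword", "ExternalKey"], "RecoveryKeyEscrowed": False},
    # Encryption still running, so protection is not yet on.
    {"host": "LT-0400", "MountPoint": "C:", "VolumeType": "OperatingSystem",
     "VolumeStatus": "EncryptionInProgress", "ProtectionStatus": "Off", "EncryptionMethod": "XtsAes256",
     "KeyProtector": ["TpmPin", "RecoveryPassword"], "RecoveryKeyEscrowed": True},
]


def evaluate(vol) -> list:
    """Return the policy findings for one volume; an empty list means compliant."""
    findings = []
    if vol["VolumeStatus"] != "FullyEncrypted":
        findings.append("NOT_FULLY_ENCRYPTED")
    if vol["ProtectionStatus"] != "On":
        findings.append("PROTECTION_OFF")
    if vol["EncryptionMethod"] not in POLICY["allowed_methods"]:
        findings.append("METHOD_NOT_APPROVED")
    protectors = set(vol["KeyProtector"])
    if vol["VolumeType"] == "OperatingSystem" and not protectors & POLICY["os_volume_protectors"]:
        findings.append("OS_PROTECTOR_NOT_APPROVED")
    # A recovery password must exist and be held centrally, or a locked drive is lost data.
    if "RecoveryPassword" not in protectors:
        findings.append("NO_RECOVERY_PASSWORD")
    elif not vol["RecoveryKeyEscrowed"]:
        findings.append("RECOVERY_KEY_NOT_ESCROWED")
    return findings


def fleet_report(volumes) -> dict:
    """Host -> {mount point -> findings} across the fleet."""
    report = {}
    for vol in volumes:
        report.setdefault(vol["host"], {})[vol["MountPoint"]] = evaluate(vol)
    return report


def noncompliant_hosts(volumes) -> list:
    """Sorted hosts with at least one finding on any volume."""
    report = fleet_report(volumes)
    return sorted(h for h, vols in report.items() if any(vols.values()))


if __name__ == "__main__":
    for host, vols in fleet_report(VOLUMES).items():
        for mount, findings in vols.items():
            print(host, mount, "OK" if not findings else ", ".join(findings))
    print("non-compliant:", noncompliant_hosts(VOLUMES))
```

The separate NO_RECOVERY_PASSWORD and RECOVERY_KEY_NOT_ESCROWED findings matter because A.8.24 covers key management as well as encryption: a drive that is encrypted but whose recovery key was never backed up is a pending availability incident, not a compliant asset.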
Control 08

Logging and Monitoring Activities

Annex A 8.15, 8.16

Logs recording activities, exceptions, faults, and other relevant events must be produced, stored, protected, and analysed. Networks, systems, and applications must be monitored for anomalous behaviour, with appropriate action taken to evaluate potential incidents.

Zecurit Endpoint Manager

The Monitoring and Alerts module logs security, hardware, software, and access events in real time across the endpoint fleet. User Logon Reports record access patterns by account, and Device Control logs every connection attempt with a timestamp, building the activity record A.8.15 and A.8.16 expect to see during a surveillance or recertification audit.

Real-Time Monitoring and Alerts, User Logon Reports, Audit Device Logs

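
The device-control log described above, every connection attempt with a timestamp, is only evidence for A.8.15 and A.8.16 once someone analyses it, and it also records whether the Control 06 removable-storage policy is holding. The following added example, not Zecurit code, parses a constructed log extract and produces the three things a reviewer wants from it: the totals a compliance report shows, any removable-storage allow for a device outside the trusted list, and bursts of repeated blocked attempts on one host that A.8.16 says should be evaluated. The key=value line format, the trusted serial list and the burst threshold are all assumptions.

```python
"""Parse device-control log lines and flag events worth evaluating (Annex A 8.15, 8.16).

Added illustration; not Zecurit code. Log lines are constructed, the format,
trusted-device list and thresholds are assumptions.
"""
from datetime import datetime, timedelta

# Constructed log extract. Each line: ISO-8601 UTC timestamp followed by key=value pairs.
LOG_LINES = """\
2025-03-20T08:14:02Z host=LT-0201 user=jdoe event=usb_connect class=removable_storage action=block serial=SN-EX-1
2025-03-20T08:15:40Z host=LT-0201 user=jdoe event=usb_connect class=removable_storage action=block serial=SN-EX-1
2025-03-20T08:19:05Z host=LT-0201 user=jdoe event=usb_connect class=removable_storage action=block serial=SN-EX-2
2025-03-20T09:02:11Z host=LT-0142 user=asmith event=usb_connect class=removable_storage action=allow serial=SN-TRUSTED-7
2025-03-20T09:45:00Z host=WS-0007 user=svc_ops event=usb_connect class=removable_storage action=allow serial=SN-EX-9
2025-03-20T10:00:00Z host=WS-0007 user=svc_ops event=bt_connect class=bluetooth action=block serial=-
2025-03-20T13:30:00Z host=LT-0201 user=jdoe event=usb_connect class=removable_storage action=block serial=SN-EX-1
""".splitlines()

# Serial numbers approved under a trusted-only removable storage policy (assumed).
TRUSTED_SERIALS = {"SN-TRUSTED-7"}


def parse(line: str) -> dict:
    """Turn one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_all(lines) -> list:
    """Parse and time-order every non-empty line."""
    return sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])


def summarise(events) -> dict:
    """Counts per (class, action): the totals a compliance report tabulates."""
    counts = {}
    for e in events:
        key = (e["class"], e["action"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def untrusted_allows(events) -> list:
    """Removable storage allowed for a serial outside the trusted list: a policy exception to review."""
    return [(e["host"], e["user"], e["serial"]) for e in events
            if e["class"] == "removable_storage" and e["action"] == "allow"
            and e["serial"] not in TRUSTED_SERIALS]


def repeated_blocks(events, threshold=3, window=timedelta(minutes=10)) -> list:
    """Hosts where `threshold` blocked removable-storage connections fall inside `window`."""
    by_host = {}
    for e in events:
        if e["class"] == "removable_storage" and e["action"] == "block":
            by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        i = 0
        while i + threshold - 1 < len(evs):
            first, last = evs[i], evs[i + threshold - 1]
            if last["ts"] - first["ts"] <= window:
                alerts.append((host, first["user"], first["ts"].isoformat(), last["ts"].isoformat()))
                i += threshold  # do not re-alert on the same burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    events = parse_all(LOG_LINES)
    print("totals:", summarise(events))
    print("untrusted allows:", untrusted_allows(events))
    print("repeated blocks:", repeated_blocks(events))
```

A burst of blocked attempts is not itself an incident; it is the "anomalous behaviour" A.8.16 asks to be evaluated, and the record of that evaluation (who looked, what was decided) is the evidence an auditor will ask for alongside the log.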
Control 09

Audit-Ready Evidence for the Statement of Applicability

Supports Clause 9 (Performance Evaluation) and the SoA

Certification and surveillance audits ultimately test whether the controls listed in your Statement of Applicability are operating as described, not just documented. Auditors expect to see evidence, not assertions, and producing that evidence under time pressure is where many otherwise well-run ISMS programmes lose points.

Zecurit Endpoint Manager

Compliance and Reporting provides 100+ built-in report templates including pre-mapped templates for ISO 27001, PCI-DSS, HIPAA, GDPR, CIS, and NIST. Security Reports surface BitLocker gaps, firewall status, and antivirus health across all endpoints, and Scheduled Report Delivery automates this evidence on a recurring basis, ready well ahead of your next surveillance audit.

100+ Compliance Reports, ISO 27001 Report Templates, Scheduled Report Delivery

ISO 27001 Annex A Controls and Zecurit Endpoint Manager Capabilities

A consolidated reference mapping each endpoint-relevant Annex A control to the relevant Zecurit features, useful for Statement of Applicability documentation and certification audits.

Annex A Control                                    Zecurit Endpoint Manager Capability
-------------------------------------------------  -------------------------------------------------------------------------------
User Endpoint Devices (A.8.1)                      Hardware Inventory, Asset Discovery, Configuration Management
Privileged Access / Authentication (A.8.2, 8.5)    User and Group Management, Role-Based Access, Session Confirmation and Audit
Protection Against Malware (A.8.7)                 Security Alerts, Real-Time Monitoring and Alerts
Management of Technical Vulnerabilities (A.8.8)    Patch Management, Vulnerability Management, CVSS Prioritisation
Configuration Management (A.8.9)                   Configuration Management, Centralised Profile Management, Hardware/Software Change Alerts
Information Deletion / DLP (A.8.10, 8.12)          Device Control, USB/Removable Storage Policies, Remote Script Execution
Use of Cryptography (A.8.24)                       BitLocker Management, TPM Policy Management, BitLocker Compliance Reports
Logging and Monitoring (A.8.15, 8.16)              Real-Time Monitoring and Alerts, User Logon Reports, Audit Device Logs
Audit-Ready Evidence (SoA Support)                 100+ Compliance Reports, ISO 27001 Report Templates, Scheduled Report Delivery

Certification Is Earned on the Endpoint, Then Proven in the Audit Room

ISO 27001 deliberately avoids prescribing specific tools, asking organisations instead to justify their control choices through risk assessment. But across thousands of certification audits, the same pattern holds: weak endpoint visibility, missing patches, unencrypted drives, and unmonitored removable media are consistently where well-intentioned ISMS programmes lose points.

With user endpoint devices now named explicitly under Annex A 8.1, and the rise of remote and hybrid work expanding the device population auditors will examine, building strong endpoint discipline is no longer a nice-to-have alongside certification. It is the evidence base certification rests on.

Zecurit Endpoint Manager addresses the Annex A technological controls that matter most at the device level, from a single lightweight agent and unified console, giving ISMS managers and IT teams the patch management, encryption, device control, and audit-ready reporting your certification body expects to see, without assembling evidence from a dozen disconnected tools before the auditor arrives.

About Zecurit

Zecurit develops cloud-based IT management solutions designed for modern IT teams. The Zecurit platform helps organisations manage endpoints, track assets, enforce security policies, and securely support distributed workforces through centralised, easy-to-use tools.

To learn more about Zecurit Endpoint Manager and how it supports your ISO 27001 certification programme, start a free 14-day trial or contact the Zecurit team.
