How to Manage Bring Your Own Devices (BYOD) During an Audit

In this article we'll walk you through some best practices to handle a BYOD program during your audits for SOC 2, PCI, ISO 27001, and more.
Richard Stevenson

by Richard Stevenson

October 25, 2022
BYOD-and-audits

What do I do when all our employees bring their own devices? 

We get asked this question quite often and it’s a tough situation from a compliance standpoint. Since you don’t own the device, you can’t enforce configurations like hard drive encryption, screensaver lock, and other workstation controls. And even when these settings are enabled on those devices, getting evidence from them can be difficult. 

Additionally, users may not want to enroll in mobile device management (MDM) software or provide a screenshot from their personal device. So how do you handle these situations when you’re going for your audit? We’ll walk you through this, below. 

Establish a BYOD Program

The very first step should be to formally authorize your employees to use BYOD workstations or devices. This is done by explaining within a policy that your organization is authorizing employees/contractors to use their own devices. 

Some organizations create an entirely separate BYOD policy, which is fine. However, most organizations add these details to an existing policy such as the acceptable use, asset management, or information security policy. 

Any of those three policies would work for this, it’s really up to you and where you think it fits best. 

Updating an Existing Policy

If you opt to add these statements to an existing policy, it could say something like:

[Company Name] has authorized employees and contractors to use a Bring Your Own Device (BYOD) machine of their choosing as a workstation. [Company Name] does not own these devices, but encourages employees/contractors to enable the following settings on their devices:

  • Hard drive encryption

  • Anti-virus/anti-malware

  • [Additional Controls/Requirements]

The above settings are only required for workstations such as laptops and desktops. For mobile devices such as smartphones and tablets, [Company Name] encourages setting a screen timeout of one minute or less and enabling a password, PIN, or biometrics to be entered before the device will be unlocked. [Company Name] also discourages the use of “jailbroken” or “rooted” devices.

Additionally, employees/contractors are required to support [Company Name]’s efforts to demonstrate compliance with select security controls. This will entail enrolling in [Company Name]’s MDM solution or provide screenshots showing that these settings have been enabled.”

Restrictions

You should also consider listing any restrictions on the types of devices that employees can use. For example, if due to the nature of your business, all BYOD devices have to be a Windows machine, you should list those types of items here as well.

Reservation of Rights Clause

Finally, we recommend adding a statement to employee and contractor agreements which states something like: 

“[Company Name] reserves the right to request and verify deletion of any company data downloaded to personal devices upon termination of employment at [Company Name].”

We recommend that you require this where possible. However, depending on the locality of the employee/contractor, this may not always be possible due to legal and privacy laws and regulations in specific jurisdictions. 

So before you require the above, you should speak with your HR team and legal counsel to make sure that you are legally allowed to do so.

How BYOD Devices Affect an Audit

Regardless of who owns the device—the company or an individual employee/contractor—compliance frameworks like SOC 2 and ISO 27001 do contain controls around securing workstations, and BYOD does not remove these requirements in all cases. 

The majority of companies are still required to prove that the devices being used to conduct business are configured securely. This will require you to collect evidence demonstrating this, such as enrolling those devices in an MDM or submitting screenshots from their workstations. However, if this isn’t possible, alternative controls can be implemented. Whether these controls are accepted or not is up to your auditor. 

For instance, if you can’t show that workstation hard drives are encrypted, you may have to implement a control such as more stringent data loss protection (DLP) controls to show that data cannot be exported from systems like Google Drive, your cloud environment, etc. 

If data cannot be saved locally on workstations due to DLP controls on these systems, hard drive encryption is less important.

Smartphones and Tablets

There is a second class of BYOD devices that come up are smartphones and tablets. How you handle these devices mostly depends on what the devices are being used for and what framework you are working towards. 

One option is to establish a policy or technical control that prevents accessing customer data or regulated data, like protected health information (PHI) or cardholder data (CHD), from BYOD smartphones and tablets.

If these devices do store or access sensitive data, then these devices will likely be in-scope for the audit, but which controls need to be implemented will depend on the auditor. In this case, we suggest using a containerized MDM solution and having your employees/contractors load this solution on their device so you can demonstrate that the data is being protected.

To automate evidence collection to prove that your BYOD program is in compliance with SOC 2, HIPAA, and ISO 27001 be sure to book a demo with our team today. 

Trusted Newsletter
Resources for you
PCI Audits hero

PCI DSS Audit: What It Is + How to Prepare

G2 Fall Reports Thumb

Drata Shines in G2 Fall Reports

Cyberattacks on Local Govs Hero

Cyberattacks on Local Governments on the Rise, Highlighting a Need for Enhanced Security

Richard Stevenson
Richard Stevenson
Richard Stevenson is Manager of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs and security policies that meet security compliance requirements. Richard is an AWS Certified Cloud Practitioner, CompTIA CySA+, and Shared Assessment Certified Third-Party Risk Assessor specializing in SOC 2, ISO 27001, NIST 800-53, NIST 800-171, SOX, HIPAA, third-party risk management, and enterprise risk management.
Related Resources
CE Checklist Thumb

Cyber Essentials Checklist

Cyber Essentials Thumb

Cyber Essentials Now Available in Drata

Healthcare Breach States - Thumnbnail

States Most Impacted by Healthcare Data Breaches in 2022

User access review hero image

How to Perform User Access Reviews