A.8.1 / A.8.7 — Are user endpoints protected with EDR/anti-malware, encryption and configuration management?
Demonstrate that all user endpoints are protected with functioning EDR/anti-malware, encryption, and configuration management controls that are actively monitored and enforced.
Description
What this control does
This control ensures that all user endpoints (laptops, desktops, mobile devices) are protected through three critical layers: endpoint detection and response (EDR) or anti-malware software to prevent and detect malicious code execution; full-disk or file-level encryption to protect data at rest from physical theft or unauthorized access; and centralized configuration management to enforce security baselines, patch levels, and compliance settings. These protections work in concert to reduce the attack surface of devices that access organizational systems and data, particularly those used outside controlled network perimeters. Effective implementation requires automated deployment, continuous monitoring, and enforcement mechanisms to prevent endpoints from accessing resources when non-compliant.
Control objective
What auditing this proves
Demonstrate that all user endpoints are protected with functioning EDR/anti-malware, encryption, and configuration management controls that are actively monitored and enforced.
Associated risks
Risks this control addresses
- Malware infection through phishing, drive-by downloads, or removable media leading to data exfiltration or ransomware deployment
- Data breach from lost or stolen unencrypted devices exposing sensitive organizational or customer information
- Lateral movement by attackers exploiting unpatched vulnerabilities on endpoints lacking configuration management
- Shadow IT proliferation through unmanaged devices accessing corporate resources without security controls
- Privilege escalation attacks exploiting misconfigured endpoint security settings or disabled protective features
- Compliance violations due to inability to demonstrate protective controls on devices processing regulated data
- Advanced persistent threats (APTs) establishing persistence on endpoints without behavioral detection capabilities
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all user endpoints (laptops, desktops, mobile devices) from asset management systems or endpoint management consoles.
- Select a representative sample of endpoints across device types, operating systems, user roles, and locations (minimum 15-20 devices or 10% of population, whichever is greater).
- Review EDR/anti-malware console to verify each sampled endpoint has an active agent with current definitions, last check-in time within policy threshold, and real-time protection enabled.
- Examine encryption management console or execute local verification commands on sampled endpoints to confirm full-disk encryption is active, key escrow is configured, and pre-boot authentication is enforced where applicable.
- Review configuration management platform (MDM, GPO, SCCM, Intune) to verify security baselines are defined, applied to sampled endpoints, and include critical settings such as firewall status, password policies, and update schedules.
- Analyze endpoint compliance reports to identify any devices flagged as non-compliant, review remediation workflows, and verify enforcement actions (quarantine, access restriction) are triggered automatically.
- Request and review security event logs from EDR platform showing detection events, threat responses, and quarantine actions over the past 90 days for sampled endpoints.
- Validate policy documentation defining encryption standards, acceptable EDR platforms, configuration baselines, exception processes, and assignment of endpoint security responsibilities.
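As an added example (not part of the original control text), the checks in the procedure above applied to a constructed export of sampled endpoints: the sampling-size rule, the EDR agent, check-in and definition-age checks, encryption and key-escrow status, and the required baseline settings. The policy thresholds, export field names and sample hosts are assumptions chosen for illustration.

```python
# Added example: evaluate an exported endpoint sample against the A.8.1 / A.8.7 checks above.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Assumed policy thresholds; an auditor takes the real values from the organisation's policy.
MAX_CHECKIN_AGE = timedelta(days=7)     # agent must have checked in within this window
MAX_DEFINITION_AGE = timedelta(days=3)  # anti-malware definitions must be at least this fresh
REQUIRED_BASELINE = {"firewall_enabled": True, "password_policy_applied": True, "auto_update_enabled": True}

@dataclass
class Endpoint:  # one row of a constructed console export; the field names are hypothetical
    hostname: str
    edr_agent_installed: bool
    edr_realtime_protection: bool
    edr_last_checkin: datetime
    edr_definitions_updated: datetime
    fde_enabled: bool
    key_escrowed: bool
    baseline_settings: dict = field(default_factory=dict)

def sample_size(population: int) -> int:
    """Lower bound of the page's sampling rule: 15 devices or 10% of the population, whichever is greater."""
    return min(population, max(15, (population + 9) // 10))  # (n + 9) // 10 is ceil(10% of n)

def findings(ep: Endpoint, now: datetime) -> list:
    """Control failures for one endpoint; an empty list means every check passed."""
    agent = ep.edr_agent_installed
    checks = [
        (not agent, "EDR agent missing"),
        (agent and not ep.edr_realtime_protection, "real-time protection disabled"),
        (agent and now - ep.edr_last_checkin > MAX_CHECKIN_AGE, "EDR check-in older than policy threshold"),
        (agent and now - ep.edr_definitions_updated > MAX_DEFINITION_AGE, "definitions out of date"),
        (not ep.fde_enabled, "full-disk encryption not active"),
        (ep.fde_enabled and not ep.key_escrowed, "recovery key not escrowed"),
    ]
    # Every setting in the security baseline must be applied with the expected value.
    checks += [(ep.baseline_settings.get(s) != v, f"baseline setting {s} not enforced") for s, v in REQUIRED_BASELINE.items()]
    return [message for failed, message in checks if failed]

# Constructed sample of three endpoints, evaluated as of a fixed audit date.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Endpoint("LAP-001", True, True, NOW - timedelta(days=1), NOW - timedelta(days=1), True, True, dict(REQUIRED_BASELINE)),
    Endpoint("LAP-002", True, False, NOW - timedelta(days=12), NOW - timedelta(days=12), True, False, {**REQUIRED_BASELINE, "auto_update_enabled": False}),
    Endpoint("MOB-003", False, False, NOW - timedelta(days=40), NOW - timedelta(days=40), False, False, {}),
]

if __name__ == "__main__":
    for ep in SAMPLE:  # hosts with findings are the ones to trace through the remediation workflow
        issues = findings(ep, NOW)
        print(ep.hostname, "COMPLIANT" if not issues else "; ".join(issues))
```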