Is full-disk encryption (BitLocker / FileVault) on for laptops?
Demonstrate that full-disk encryption is enabled, properly configured, and enforced on all organizational laptops, with centralized verification and recovery key escrow where applicable.
Description
What this control does
Full-disk encryption (FDE) protects data at rest on laptop devices by encrypting entire disk volumes using platform-native tools such as Microsoft BitLocker (Windows), Apple FileVault (macOS), or LUKS (Linux). When properly configured, FDE ensures that if a device is lost, stolen, or physically accessed by unauthorized parties, the data remains cryptographically inaccessible without the correct authentication credentials or recovery key. This control is critical for mobile devices that frequently leave the organization's physical perimeter and face heightened theft or loss risk.
Control objective
What auditing this proves
Demonstrate that full-disk encryption is enabled, properly configured, and enforced on all organizational laptops, with centralized verification and recovery key escrow where applicable.
Associated risks
Risks this control addresses
- Unauthorized access to sensitive organizational data following theft or loss of an unencrypted laptop
- Exposure of personally identifiable information (PII), protected health information (PHI), or confidential business data due to physical device compromise
- Attacker extraction of credentials, cryptographic keys, or session tokens from unencrypted disk images
- Regulatory non-compliance and associated fines for failure to protect data at rest under GDPR, HIPAA, PCI DSS, or other mandates
- Insider threat exploitation where terminated or malicious employees retain physical access to devices without cryptographic barriers
- Data remnants persisting on decommissioned or resold devices when disk sanitization is incomplete and encryption was not enforced
- Offline brute-force or forensic attacks against weakly protected or unencrypted operating system partitions and swap files
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all organizational laptops including manufacturer, model, operating system, serial numbers, and assigned users from asset management or MDM systems.
- Review organizational policies and configuration standards specifying full-disk encryption requirements, approved encryption products, key strength, and recovery key management procedures.
- Query the endpoint management platform (e.g., Microsoft Intune, Jamf Pro, SCCM, CrowdStrike, Carbon Black) to extract current encryption status for all inventoried laptops.
- Select a representative sample of at least 20 laptops stratified by operating system, department, and deployment date for hands-on verification.
- Physically or remotely inspect sampled Windows devices to confirm BitLocker status with the 'manage-bde -status' command (including the TPM key protector configuration), and verify that the encryption method is XTS-AES 128 or XTS-AES 256.
- Physically or remotely inspect sampled macOS devices to confirm FileVault status with the 'fdesetup status' command, and verify that the institutional recovery key is escrowed to the MDM or directory service.
- Verify that recovery keys or escrow credentials are centrally stored in a secure, access-controlled repository such as Active Directory, Azure AD, Jamf, or a privileged access management solution.
- Cross-reference encryption status reports against the asset inventory to identify any devices with encryption disabled, pending, or in an error state, and review remediation evidence for exceptions.
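As an added illustration of the last steps (not part of this control text or of any vendor tool), the script below parses constructed samples of 'manage-bde -status' and 'fdesetup status' output, applies the control's expectations, and cross-references the results against an inventory keyed by serial number to produce the exception list an auditor reviews. The field names follow the real tools' output; the approved-method policy, the sample serials and the sample captures are assumptions.

```python
import re
# Constructed sample captures (not real device output) for the checks below.
BDE_OK = """Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password
"""
BDE_BAD = (BDE_OK.replace("Fully Encrypted", "Encryption in Progress").replace("100.0%", "37.5%")
           .replace("Protection On", "Protection Off").replace("        Numerical Password\n", ""))
FV_ON, FV_OFF = "FileVault is On.\n", "FileVault is Off.\n"
APPROVED_METHODS = {"XTS-AES 128", "XTS-AES 256"}  # assumed policy: XTS-AES only

def parse_manage_bde(text):
    """Pull the indented 'Field:  value' lines and the key protector list out of manage-bde -status."""
    fields = dict(re.findall(r"^[ \t]+([A-Za-z ]+?):[ \t]+(\S.*?)[ \t]*$", text, re.M))
    m = re.search(r"Key Protectors:\n((?:[ \t]{8}.+\n)*)", text)
    fields["Key Protectors"] = [l.strip() for l in m.group(1).splitlines()] if m else []
    return fields
def parse_fdesetup(text):
    # fdesetup status reports 'FileVault is On.' or 'FileVault is Off.' on its first line
    return text.strip().splitlines()[0] == "FileVault is On."
def findings_windows(f):
    """Compare parsed BitLocker fields to the control's expectations; empty list means compliant."""
    issues = []
    if f.get("Conversion Status") != "Fully Encrypted":
        issues.append(f"not fully encrypted: {f.get('Conversion Status')} ({f.get('Percentage Encrypted')})")
    if f.get("Encryption Method") not in APPROVED_METHODS:
        issues.append(f"unapproved encryption method: {f.get('Encryption Method')}")
    if f.get("Protection Status") != "Protection On":
        issues.append("protection suspended: key protectors are not enforcing access")
    if "Numerical Password" not in f["Key Protectors"]:
        issues.append("no recovery password protector, so nothing to escrow")
    return issues
def audit(inventory, reports):
    """Cross-reference {serial: os} inventory against {serial: status output}; return exceptions."""
    exceptions = {}
    for serial, os_name in inventory.items():
        out = reports.get(serial)
        if out is None:
            issues = ["no encryption status collected for inventoried device"]
        elif os_name == "Windows":
            issues = findings_windows(parse_manage_bde(out))
        else:
            issues = [] if parse_fdesetup(out) else ["FileVault is Off"]
        if issues:
            exceptions[serial] = issues
    return exceptions
```

Devices that appear in the inventory but have no collected status are reported as exceptions rather than silently skipped, since an unreported laptop is exactly the gap the cross-reference step is meant to surface.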