GP9 - Use of Personal Devices (BYOD)

Updated by Admin on 3rd January 2026

Purpose

The purpose of this section is to define the requirements and controls for the use of personally owned devices (Bring Your Own Device – BYOD) to access, process, store, or transmit organizational information, ensuring the confidentiality, integrity, and availability of information in compliance with ISO/IEC 27001.

Scope

This section applies to all employees, contractors, consultants, and third parties who use personal devices to access organizational systems, applications, networks, or data.

Personal devices include but are not limited to:

  • Smartphones
  • Laptops
  • Tablets
  • Personal computers

Policy Statement

Apptimus permits the use of personal devices for business purposes only when such use complies with this Acceptable Use Policy and all related information security policies. BYOD usage is a privilege and may be restricted or revoked at any time if non-compliance or security risk is identified.

Acceptable Use Requirements

Users of personal devices shall:

  • Use BYOD strictly for approved business purposes
  • Access only authorized systems and information
  • Ensure devices are not shared with unauthorized persons
  • Immediately report any suspected security incident related to BYOD usage

Security Controls for BYOD

All personal devices used for organizational access must comply with the following minimum security controls:

5.1 Device Protection

  • Devices must be protected with a strong password, PIN, or biometric authentication
  • Automatic screen lock must be enabled
  • Operating systems and applications must be kept up to date

5.2 Data Protection

  • Organizational data must not be stored locally unless explicitly approved
  • Encryption must be enabled where supported
  • Copying, forwarding, or backing up organizational data to personal cloud services is prohibited unless authorized

5.3 Malware Protection

  • Devices must not be jailbroken, rooted, or otherwise compromised
  • Installation of unauthorized or malicious software is prohibited

Access Control

  • Access to organizational systems via BYOD shall follow the principle of least privilege
  • Multi-factor authentication (MFA) shall be used where implemented
  • Access rights may be restricted based on device compliance status

Monitoring and Privacy

  • The organization may monitor access logs and security events related to BYOD usage for security purposes
  • The organization does not access personal content; however, business-related activities conducted on personal devices may be logged
  • Users consent to such monitoring by using personal devices for business purposes

Lost, Stolen, or Compromised Devices

Users must immediately report lost, stolen, or compromised devices to IT/ISMS/HR.

The organization reserves the right to:

  • Disable access to organizational systems
  • Perform remote wipe of organizational data where technically feasible

Compliance and Enforcement

Failure to comply with this policy may result in:

  • Suspension or revocation of BYOD access
  • Disciplinary action in accordance with organizational policies
  • Legal action where applicable

Roles and Responsibilities

  • Users: Comply with this policy and protect organizational information
  • Management: Ensure awareness and enforcement
  • IT / ISMS Team: Implement technical controls and monitor compliance

Policy Review

This section shall be reviewed periodically or upon significant changes to technology, risk, or business requirements.