# ISO 27001:2022
## Endpoint Central helps comply with ISO 27001:2022
**Clause 6.1.3** of ISO 27001:2022 requires organizations to implement a process for information security risk treatment. This involves selecting suitable treatment options based on risk assessments and identifying the necessary controls to support those options. Controls can either be designed by the organization or sourced externally. These controls **must be compared with those listed in Annex A (Table A.1)** to ensure nothing important is missed, *while noting that Annex A is not exhaustive, and additional controls can be included if required.* Lastly, a Statement of Applicability should be prepared, listing all the necessary controls identified during the process.
| Control | Control definition/ requirements | How Endpoint Central helps |
|---|---|---|
| **5. Organizational controls** | | |
| 5.7 Threat intelligence | Information relating to information security threats should be collected and analyzed to produce threat intelligence. | Endpoint Central provides comprehensive [vulnerability management](https://www.manageengine.com/vulnerability-management/features.html) with constant assessment and visibility of threats from a single console. It includes built-in remediation for detected vulnerabilities.<br>Supports patching for Windows, Mac, Linux, and over 850 third-party applications. Manages updates for Windows, iOS, Android, ChromeOS, firmware, and mobile applications. |
| 5.9 Inventory of information and other associated assets | An inventory of information and other associated assets, including owners, should be developed and maintained. | Maintains an [inventory of all endpoints](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/asset_management_setup.html) including [mobile devices](https://www.manageengine.com/mobile-device-management/help/asset_management/mdm_asset_management.html) and software assets from a central console. |
| 5.11 Return of assets | Personnel should return all organizational assets upon change or termination of employment or contract. | Insightful dashboards and out-of-the-box [asset reporting](https://www.manageengine.com/products/desktop-central/help/inventory/viewing_inventory_reports.html) provide complete endpoint visibility. |
| 5.12 Classification of information | Information should be classified based on confidentiality, integrity, availability, and relevant requirements. | Enables IT admins to [discover and classify](https://www.manageengine.com/endpoint-dlp/data-classification.html) structured and unstructured data using fingerprinting, RegEx, file extension filters, and keyword search. |
| 5.13 Labeling of information | Procedures for information labeling should align with the organization’s classification scheme. | Helps find, analyze, and track sensitive personal data such as PII and ePHI across the network. |
| 5.15 Access Control | Create and implement rules to control physical and logical access. | Provides [endpoint privilege management](https://www.manageengine.com/application-control/endpoint-privilege-management.html) with least privilege and just-in-time access.<br>Allows admins to [allowlist](https://www.manageengine.com/application-control/application-allowlisting.html) or blocklist applications.<br>Includes [conditional access policies](https://www.manageengine.com/mobile-device-management/help/profile_management/mdm_conditional_access.html). |
| 5.17 Authentication information | Control allocation and management of authentication information. | Enables [passcode policies](https://www.manageengine.com/mobile-device-management/mdm-passcode-policy.html) for Android, Apple, and Windows devices with configurable failed attempts and auto-lock settings. |
| 5.18 Access rights | Manage, review, and modify access rights per policies. | Supports least privilege, just-in-time access, application allowlisting/blocklisting, and conditional access policies. |
| 5.28 Collection of evidence | Establish procedures for identification, collection, and preservation of evidence. | Provides detailed alerts including:<br>**Attack Details:** Detection Time, Reported Time, Attack Status, Agent Action, Attack Criticality (Low/Medium/High), Detection Source, Image Path, Process Name, SHA256, Command.<br>**Endpoint Details:** Endpoint Name, Domain Name, Endpoint Status, Endpoint Version, Activated Time, Last Contact Time. |
| 5.30 ICT readiness for business continuity | ICT readiness should align with business continuity objectives. | Includes [next-gen antivirus](https://www.manageengine.com/products/desktop-central/nextgen-antivirus.html) with AI-assisted detection and incident forensics.<br>Provides [instant, non-erasable backup](https://www.manageengine.com/products/desktop-central/anti-ransomware.html) every three hours using Microsoft Volume Shadow Copy Service. |
| 5.31 Legal, statutory, regulatory and contractual requirements | Requirements should be identified and documented. | Supports compliance with GDPR, CIS Controls, NIST Cybersecurity Framework, and other mandates. |
| 5.32 Intellectual property rights | Implement procedures to protect intellectual property rights. | Helps find, analyze, and track sensitive data like patents and contracts within networks. |
| 5.33 Protection of records | Records should be protected from loss or unauthorized access. | Helps [prevent corporate data leakage](https://www.manageengine.com/endpoint-dlp/) and supports conditional access policies. |
| 5.34 Privacy and protection of PII | Identify and meet privacy and PII protection requirements. | Helps comply with GDPR, DPDPA, POPIA, CCPA, LGPD, and more. |
| 5.36 Compliance with policies, rules and standards | Regular review of information security policy compliance. | Comprehensive reporting for endpoint insights, governance, and auditing. |
| **6. People controls** | | |
| 6.7 Remote working | Security measures for remote work. | Uses 256-bit AES encryption during remote troubleshooting and supports [FIPS mode](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/fips-compliance.html). |
| **7. Physical controls** | | |
| 7.10 Storage media | Manage storage media lifecycle securely. | Enables [peripheral device management](https://www.manageengine.com/products/desktop-central/help/device-control/dc-best-practices.html) to block/restrict external devices and define trusted devices. |
| 7.14 Secure disposal or re-use of equipment | Ensure sensitive data is removed before disposal or reuse. | Supports [remote wipes](https://www.manageengine.com/mobile-device-management/help/security_management/mdm_security_management.html#wipe) and [Enterprise Factory Reset Protection](https://www.manageengine.com/mobile-device-management/help/profile_management/android/android_enterprise_factory_reset_protection.html). |
| **8. Technological controls** | | |
| 8.1 User end point devices | Protect information on endpoint devices. | Tracks sensitive data and supports personal/corporate data containerization. |
| 8.2 Privileged access rights | Restrict and manage privileged access rights. | Provides endpoint privilege management with least privilege and just-in-time access. |
| 8.3 Information access restriction | Restrict access per access control policies. | Supports least privilege and [conditional access policies](https://www.manageengine.com/mobile-device-management/help/profile_management/mdm_conditional_access.html). |
| 8.5 Secure authentication | Implement secure authentication technologies. | Supports [Windows Hello](https://www.manageengine.com/mobile-device-management/help/profile_management/windows/windows_hello_for_business.html), enterprise [SSO](https://www.manageengine.com/mobile-device-management/enterprise-single-sign-on-sso.html), and certificate-based authentication using [SCEP](https://www.manageengine.com/mobile-device-management/help/profile_management/ios/mdm_scep.html). |
| 8.6 Capacity management | Monitor and adjust resource usage. | Provides [software metering](https://www.manageengine.com/products/desktop-central/software-metering.html) and [license management](https://www.manageengine.com/products/desktop-central/software-license-management.html). |
| 8.7 Protection against malware | Implement malware protection. | Includes [next-gen antivirus](https://www.manageengine.com/products/desktop-central/nextgen-antivirus.html) with AI-based detection and forensic analysis. |
| 8.8 Management of technical vulnerabilities | Obtain and evaluate vulnerability information. | Provides [risk-based vulnerability management](https://www.manageengine.com/vulnerability-management/risk-based-vulnerability-management.html) with built-in remediation. |
| 8.9 Configuration management | Establish and monitor secure configurations. | Allows [prohibited software management](https://www.manageengine.com/products/desktop-central/prohibited-software.html) and executable control. |
| 8.10 Information deletion | Delete information when no longer required. | Supports remote [wipes](https://www.manageengine.com/mobile-device-management/help/security_management/mdm_security_management.html#wipe). |
| 8.12 Data leakage prevention | Apply DLP measures to systems and networks. | Provides [advanced data leakage prevention](https://www.manageengine.com/endpoint-dlp/) with PII detection and BYOD data separation. |
| 8.13 Information backup | Maintain and test backups. | Offers [instant, non-erasable backup](https://www.manageengine.com/products/desktop-central/anti-ransomware.html) every three hours. |
| 8.15 Logging | Produce and analyze logs. | Provides [User Logon reports](https://www.manageengine.com/products/desktop-central/help/reports/user_logon_tracking_reports.html) and detailed audit reports. |
| 8.16 Monitoring activities | Monitor for anomalous behavior. | Built-in next-gen antivirus detects anomalous behavior using AI and deep learning. |
| 8.19 Installation of software on operational systems | Securely manage software installation. | Includes [software deployment](https://www.manageengine.com/products/desktop-central/help/software_installation/windows_software_installation.html) and allows admins to [prohibit users](https://www.manageengine.com/products/desktop-central/help/inventory/configure_prohibited_software.html) from installing unauthorized software. |
| 8.20 Networks security | Secure and manage networks and devices. | Enables Windows Firewall configuration, [threat protection configurations](https://www.manageengine.com/browser-security/help/threat-prevention-browser-configurations.html), [download restriction](https://www.manageengine.com/browser-security/download-restriction.html), and [web server hardening](https://www.manageengine.com/vulnerability-management/help/how-to-harden-and-secure-web-servers.html). |
| 8.22 Segregation of networks | Segregate groups of services and systems. | Supports logical segregation via [Custom Groups](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/creating_custom_groups.html). |
| 8.23 Web filtering | Manage access to external websites. | Allows admins to [block malicious websites](https://www.manageengine.com/products/desktop-central/help/browser-security/web-filter.html). |
| 8.24 Use of cryptography | Define and implement cryptography rules. | Supports Windows encryption via [BitLocker Management](https://www.manageengine.com/products/desktop-central/bitlocker-management.html) and Mac encryption via [FileVault](https://www.manageengine.com/mobile-device-management/help/profile_management/mac/mdm_filevault_encryption.html). |