Mobile Device and BYOD Policy - SME

The Mobile Device and BYOD Policy (P34S) is crafted specifically for SMEs, ensuring that organizations without dedicated IT or security staff can still implement robust, certifiable controls for mobile endpoints. Its clear structure assigns accountability to the General Manager (GM), replacing traditional IT or CISO roles with practical, accessible oversight suited to the SME context. The policy’s primary aim is to create enforceable protections wherever company or customer data is accessed, processed, or stored, irrespective of whether devices are company issued or personally owned. It sets baseline technical and procedural safeguards, such as requiring device encryption, screen locks, and antivirus, while maintaining user-friendly policies suitable for non-expert staff. Scope is comprehensive, applying to all staff and service providers who use mobile devices (including smartphones, tablets, or laptops) for business purposes, regardless of location or device ownership. Strict governance requirements mandate that all BYOD devices must be registered, approved, and have security apps, with registered device records and user agreements underpinning accountability. Privacy is carefully protected: the company manages only business data on personal devices and honors user boundaries, aligning with legal requirements such as GDPR. The policy enforces a broad array of controls: Company and personal devices must have up-to-date security software, strong authentication, encryption, and must not leverage unauthorized cloud services for company data. BYOD users are required to sign agreements and install security apps or MDM tools as needed. The GM (or designated staff) is responsible for approving devices, maintaining inventory, conducting incident reviews, and ensuring policy enforcement, even for third-party IT providers. Incident management is pragmatic and rapid, requiring lost or compromised devices to be reported within one hour, triggering prompt evaluation of remote wipe and credential resets. A clear process is outlined both for handling exceptions, via a BYOD Exception Log and GM approval, and for enforcing compliance: periodic reviews, audits, and consequences for violations including access revocation, formal warnings, and, if necessary, contractual or legal remedies. As a policy explicitly referencing Clause 5.1 (Leadership & Commitment) and Clause 8.1 (Operational Planning & Control) of ISO/IEC 27001:2022, together with NIST, GDPR, NIS2, and DORA, this document ensures that SMEs meet essential certification requirements even in remote and hybrid work scenarios. The General Manager is tasked with annual reviews, updates after incidents or regulatory changes, and ensuring all users are notified and trained. In sum, the policy is tightly integrated with related SME policy documents, creating a complete framework for managing device risks and ensuring auditable, legal, and customer-trustworthy mobile security for smaller organizations.