
BYOD Security Policy Checklist

InfiniTech IT Ltd  ·  Updated June 2025  ·  Estimated read: 8 minutes

Bring Your Own Device (BYOD) policies increase flexibility and reduce hardware costs — but without the right controls, personal devices become the easiest entry point for attackers. This checklist covers everything a Cornwall business needs to protect its network, data, and reputation when employees use personal devices for work.

1. Device Enrolment & Registration

Every personal device accessing business systems must be formally registered. This creates an audit trail and ensures you can remotely wipe a device if it's lost or compromised.

  • Critical: Maintain a register of all personal devices approved to access business systems
  • Critical: Require a formal written BYOD agreement signed by each employee before access is granted
  • High: Define which device types and operating systems are approved (iOS, Android, Windows, macOS)
  • High: Set minimum OS version requirements and enforce automatic updates
  • Medium: Enrol devices in a Mobile Device Management (MDM) solution for centralised policy enforcement
  • Medium: Document the device make, model, IMEI/serial number, and assigned employee for each enrolled device

2. Authentication & Access Control

Weak authentication is the leading cause of data breaches involving personal devices. Enforce these controls as a minimum.

  • Critical: Enforce multi-factor authentication (MFA) on all business accounts accessed from personal devices
  • Critical: Require a minimum 6-digit PIN or biometric lock on all enrolled devices
  • Critical: Set automatic screen lock to activate after 2 minutes of inactivity
  • High: Use role-based access control — employees only access data relevant to their role
  • High: Implement single sign-on (SSO) for business applications where possible
  • Medium: Disable access for leavers within 24 hours of their departure
  • Medium: Review and audit active device access permissions quarterly

3. Data Protection & Storage

Personal devices must not become unintended repositories for sensitive business data. Separation of business and personal data is critical.

  • Critical: Require full-device encryption on all enrolled devices (FileVault, BitLocker, iOS/Android native encryption)
  • Critical: Prohibit the local storage of sensitive business data on personal devices where possible
  • High: Use containerisation (e.g. Microsoft Intune MAM) to separate work and personal data
  • High: Ensure business data syncs to approved cloud storage (e.g. Microsoft 365, SharePoint) — not personal accounts
  • High: Enable remote wipe capability for lost or stolen devices
  • Medium: Restrict the ability to copy/paste business data into personal apps or email accounts
  • Medium: Retain business data for the minimum period required by law and your data retention policy

4. Network Security

Personal devices frequently connect to untrusted networks — coffee shops, hotels, home broadband — before accessing business systems. These controls limit the risk.

  • Critical: Require VPN use whenever accessing business systems from outside the office network
  • Critical: Prohibit connection to public Wi-Fi without an active VPN
  • High: Segment the guest/BYOD Wi-Fi network from the main business network
  • High: Enable DNS filtering to block access to known malicious domains from enrolled devices
  • Medium: Disable automatic connection to open/untrusted Wi-Fi networks on enrolled devices
  • Medium: Monitor network access logs for anomalous device behaviour
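The last two Critical items and the final Medium item above are checkable from access logs. The script below is an added example, not part of the InfiniTech checklist and not tied to any particular VPN, firewall or MDM product: the key=value log format, the device ids, the network names and every sample line are constructed for illustration. It flags three things: a device that is not in the enrolment register, business systems reached from a non-office network without the VPN, and one device seen on an unusually large number of networks within an hour (a simple "anomalous device behaviour" rule).

```python
"""Review BYOD network access logs for checklist section 4 (added example).

Assumptions (constructed, not from the checklist): one event per line as
an ISO timestamp followed by key=value pairs; the enrolled device ids and
office network names below stand in for the real register.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ENROLLED_DEVICES = {"IPH-001", "AND-002", "WIN-003"}   # constructed register ids
OFFICE_NETWORKS = {"office-lan", "office-wifi"}        # constructed names
MAX_NETWORKS_PER_WINDOW = 3                             # constructed threshold
WINDOW = timedelta(hours=1)

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = """\
2025-06-30T08:00:10Z device=IPH-001 user=a.smith network=office-wifi vpn=no resource=sharepoint
2025-06-30T08:05:44Z device=AND-002 user=b.jones network=cafe-public vpn=no resource=mail
2025-06-30T08:07:01Z device=AND-002 user=b.jones network=cafe-public vpn=yes resource=mail
2025-06-30T08:20:00Z device=TAB-999 user=unknown network=home-bb vpn=yes resource=crm
2025-06-30T09:00:00Z device=WIN-003 user=c.brown network=home-bb vpn=yes resource=crm
2025-06-30T09:10:00Z device=WIN-003 user=c.brown network=hotel-wifi vpn=yes resource=crm
2025-06-30T09:20:00Z device=WIN-003 user=c.brown network=train-wifi vpn=yes resource=crm
2025-06-30T09:30:00Z device=WIN-003 user=c.brown network=airport-wifi vpn=yes resource=crm
"""


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse every non-blank line of the log text."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_alerts(events):
    """Return (timestamp, device, reason) tuples in log order."""
    alerts = []
    seen = defaultdict(list)  # device id -> [(timestamp, network), ...]
    for e in events:
        dev = e["device"]
        # Rule 1: only registered devices may reach business systems
        if dev not in ENROLLED_DEVICES:
            alerts.append((e["ts"], dev, "unenrolled device accessed business system"))
        # Rule 2: outside the office network, the VPN must be active
        if e["network"] not in OFFICE_NETWORKS and e["vpn"] != "yes":
            alerts.append((e["ts"], dev, f"external access without VPN from {e['network']}"))
        # Rule 3: one device hopping across many networks in a short window
        seen[dev].append((e["ts"], e["network"]))
        recent = {net for ts, net in seen[dev] if e["ts"] - ts <= WINDOW}
        if len(recent) > MAX_NETWORKS_PER_WINDOW:
            alerts.append((e["ts"], dev, f"{len(recent)} distinct networks within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    for ts, dev, reason in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {dev}: {reason}")
```

Run against the sample, it raises one alert for each rule: AND-002 reading mail from a cafe network before the VPN came up, the unregistered TAB-999, and WIN-003 appearing on four networks inside an hour. The thresholds are deliberately simple; in practice they would be tuned against your own logs and fed into whatever alerting you already run.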

5. App Management & Software

  • Critical: Maintain an approved app list for business use — prohibit side-loading of unapproved apps
  • High: Require antivirus/endpoint protection on all Windows and Android devices
  • High: Enforce automatic OS and app security updates within 48 hours of release
  • High: Block access to business systems from devices that have been jailbroken or rooted
  • Medium: Deploy business apps via a managed distribution channel (e.g. Apple Business Manager, Google Workspace)
  • Medium: Audit installed apps on enrolled devices for known vulnerabilities quarterly
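Several items in sections 1, 2, 3 and 5 (signed agreement, approved OS and minimum version, MFA, 6-digit PIN or biometric, 2-minute screen lock, full-device encryption, leavers disabled within 24 hours, no jailbroken or rooted devices) are exactly the conditions an MDM evaluates before letting a device in. The script below is an added example of that evaluation, not the checklist authors' code and not any MDM vendor's API: the register field names, the minimum OS versions and the three sample devices are constructed for illustration, and the thresholds are taken from the checklist items above.

```python
"""Compliance check over a BYOD device register (added example).

Assumptions (constructed, not from the checklist): the register is a list
of dicts such as an MDM export might give you, with the field names used
below.  Thresholds follow the checklist: minimum OS version, 6-digit PIN
or biometric, 2-minute screen lock, full-device encryption, no
jailbreak/root, signed agreement, MFA, leavers disabled within 24 hours.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Minimum approved OS versions (constructed values for illustration)
MIN_OS_VERSION = {
    "ios": (17, 0),
    "android": (14, 0),
    "windows": (10, 0, 19045),
    "macos": (14, 0),
}
MAX_SCREEN_LOCK_SECONDS = 120        # checklist: lock after 2 minutes
MIN_PIN_LENGTH = 6                    # checklist: minimum 6-digit PIN
LEAVER_GRACE = timedelta(hours=24)    # checklist: disable leavers within 24 hours

NOW = datetime(2025, 6, 30, 9, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample register (not real devices or people)
SAMPLE_REGISTER = [
    {"id": "IPH-001", "employee": "a.smith", "os": "iOS", "os_version": "17.5",
     "agreement_signed": True, "mfa_enrolled": True, "biometric": True,
     "pin_length": 6, "screen_lock_seconds": 60, "encrypted": True,
     "jailbroken_or_rooted": False, "employee_left_at": None, "access_disabled": False},
    {"id": "AND-002", "employee": "b.jones", "os": "Android", "os_version": "12.0",
     "agreement_signed": True, "mfa_enrolled": False, "biometric": False,
     "pin_length": 4, "screen_lock_seconds": 600, "encrypted": True,
     "jailbroken_or_rooted": True, "employee_left_at": None, "access_disabled": False},
    {"id": "WIN-003", "employee": "c.brown", "os": "Windows", "os_version": "10.0.19045",
     "agreement_signed": False, "mfa_enrolled": True, "biometric": False,
     "pin_length": 8, "screen_lock_seconds": 120, "encrypted": False,
     "jailbroken_or_rooted": False,
     "employee_left_at": datetime(2025, 6, 27, 17, 0, tzinfo=timezone.utc),
     "access_disabled": False},
]


def parse_version(text: str) -> tuple:
    """Turn '17.4.1' into (17, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_device(dev: dict, now: datetime) -> list[str]:
    """Return every checklist condition this device fails (empty list = compliant)."""
    failures = []
    os_name = dev.get("os", "").lower()
    if os_name not in MIN_OS_VERSION:
        failures.append(f"unapproved OS '{dev.get('os')}'")
    elif parse_version(dev["os_version"]) < MIN_OS_VERSION[os_name]:
        failures.append(f"OS {dev['os_version']} below minimum version")
    if not dev.get("agreement_signed"):
        failures.append("no signed BYOD agreement")
    if not dev.get("mfa_enrolled"):
        failures.append("MFA not enrolled")
    if not dev.get("biometric") and dev.get("pin_length", 0) < MIN_PIN_LENGTH:
        failures.append("PIN shorter than 6 digits and no biometric lock")
    # A missing screen-lock value is treated as "no lock", which fails
    if dev.get("screen_lock_seconds", 10**9) > MAX_SCREEN_LOCK_SECONDS:
        failures.append("screen lock longer than 2 minutes")
    if not dev.get("encrypted"):
        failures.append("full-device encryption off")
    if dev.get("jailbroken_or_rooted"):
        failures.append("device jailbroken/rooted")
    left = dev.get("employee_left_at")
    if left is not None and now - left > LEAVER_GRACE and not dev.get("access_disabled"):
        failures.append("leaver access not disabled within 24 hours")
    return failures


def evaluate_register(devices: list[dict], now: datetime) -> dict[str, list[str]]:
    """Map each device id to its list of failures."""
    return {dev["id"]: check_device(dev, now) for dev in devices}


def devices_to_block(devices: list[dict], now: datetime) -> list[str]:
    """Ids of devices that should lose access until remediated."""
    return sorted(i for i, f in evaluate_register(devices, now).items() if f)


if __name__ == "__main__":
    for dev_id, failures in evaluate_register(SAMPLE_REGISTER, NOW).items():
        print(f"{dev_id}: {'compliant' if not failures else '; '.join(failures)}")
```

On the sample register the iPhone passes, the Android handset fails five checks (old OS, no MFA, 4-digit PIN, 10-minute lock, rooted) and the Windows laptop fails three (no signed agreement, BitLocker off, and its owner left three days ago without access being revoked). Versions are compared as tuples of integers so that, for example, 10.0.19045 is not judged lower than 10.0.9.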

6. Incident Response & Lost Devices

  • Critical: Define and publish a clear procedure for reporting lost or stolen devices (with a 2-hour reporting window)
  • Critical: Test remote wipe capability at least annually
  • High: Log all remote wipe events and document what data was at risk
  • High: Report device loss to the ICO where personal data may have been compromised (within 72 hours under UK GDPR)
  • Medium: Maintain cyber insurance that covers BYOD-related incidents

7. Staff Training & Awareness

  • Critical: Brief all BYOD users on the policy before granting access — obtain signed acknowledgement
  • High: Conduct annual BYOD and cybersecurity awareness training
  • High: Run simulated phishing tests targeting personal device users at least twice per year
  • Medium: Provide guidance on identifying suspicious apps, public Wi-Fi risks, and social engineering

8. Policy & Governance

  • Critical: Publish a written BYOD policy and make it accessible to all employees
  • High: Review and update the BYOD policy at least annually or after any significant incident
  • High: Align the BYOD policy with your broader information security and data protection policies
  • Medium: Assign a named person responsible for BYOD policy ownership and compliance
  • Medium: Consider Cyber Essentials or ISO 27001 certification to formalise your security posture

Not sure where to start?

Our team can audit your current device security posture, implement an MDM solution, and draft a BYOD policy tailored to your business — from a half-day engagement upwards.

Need immediate IT support?

If you need remote assistance right now, our engineers can connect to your device securely using Splashtop — no waiting, no call queues.

Call us on 01726 76999 or visit our contact page.