Is full disk encryption implemented on all user endpoints (laptops, desktops, mobile devices) that store company data?
Explanation
Full disk encryption protects all data stored on endpoint devices in case of loss or theft by making the data unreadable without proper authentication. This includes operating system files, temporary files, swap and hibernation files, and user data that might contain sensitive information. Without encryption, a lost or stolen device can lead to a data breach even if the device is password protected, because the storage can be read directly (for example by removing the drive or booting from external media), bypassing the operating system login entirely.
Evidence of implementation could include: screenshots of encryption status from device management software (like BitLocker status reports, FileVault status, or MDM console reports), a documented encryption policy specifying required encryption standards, and implementation logs showing encryption deployment across the organization's device fleet.
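The following script is an added example (not part of the original questionnaire) showing how the BitLocker status evidence described above can be collected on a single Windows endpoint and written to a CSV for the audit file; it assumes the BitLocker and TrustedPlatformModule PowerShell modules are available, that it runs elevated, and that the organization's baseline (here assumed to be XTS-AES) is the accepted encryption method.

```powershell
# Added example, not from the original page. Assumes Windows 10/11 with the
# BitLocker and TrustedPlatformModule modules, run from an elevated prompt.
$reportPath      = "$env:TEMP\fde-evidence-$env:COMPUTERNAME.csv"  # assumed output location
$acceptedMethods = @('XtsAes128', 'XtsAes256')                     # assumed policy baseline

$tpm = Get-Tpm

$volumes = Get-BitLockerVolume | ForEach-Object {
    $protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'

    # A volume can be FullyEncrypted while ProtectionStatus is Off (protection
    # suspended, e.g. for a firmware update). Evidence must show both: encrypted
    # AND protection on, with an accepted cipher, or the control is not met.
    $compliant = ($_.VolumeStatus -eq 'FullyEncrypted') -and
                 ($_.ProtectionStatus -eq 'On') -and
                 ($acceptedMethods -contains [string]$_.EncryptionMethod)

    [pscustomobject]@{
        Hostname                    = $env:COMPUTERNAME
        MountPoint                  = $_.MountPoint
        VolumeType                  = $_.VolumeType          # OperatingSystem or Data
        VolumeStatus                = $_.VolumeStatus
        ProtectionStatus            = $_.ProtectionStatus
        EncryptionMethod            = $_.EncryptionMethod
        EncryptionPercentage        = $_.EncryptionPercentage
        KeyProtectors               = $protectors
        # Presence of a RecoveryPassword protector does not prove it was escrowed
        # to AD/Entra ID or the MDM; that escrow record is separate evidence.
        HasRecoveryPasswordProtector = ($protectors -like '*RecoveryPassword*')
        TpmPresentAndReady          = ($tpm.TpmPresent -and $tpm.TpmReady)
        Compliant                   = $compliant
        CollectedAt                 = (Get-Date).ToString('o')
    }
}

$volumes | Export-Csv -Path $reportPath -NoTypeInformation
$volumes | Format-Table Hostname, MountPoint, VolumeType, VolumeStatus,
                        ProtectionStatus, EncryptionMethod, Compliant -AutoSize

# Non-zero exit lets a management tool flag an endpoint whose OS volume is not compliant.
if ($volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and -not $_.Compliant }) {
    exit 1
}
```

For macOS endpoints the equivalent local check is `fdesetup status`, and fleet-wide reports should come from the MDM console rather than per-device scripts.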
Implementation Example
Use full disk encryption to protect data stored on user endpoints
ID: PR.DS-01.224
Context
- Function: PR: PROTECT
- Category: PR.DS: Data Security
- Sub-Category: The confidentiality, integrity, and availability of data-at-rest are protected
Related questions
- Does your organization implement cryptographic controls (encryption, digital signatures, hashing) to protect the confidentiality and integrity of stored data across all relevant storage systems?
- Does your organization validate digital signatures to verify the integrity and authenticity of software before installation or use?
- Does your organization have a policy and technical controls to restrict the use of removable media devices?
- Does your organization physically secure all removable media containing unencrypted sensitive information?
- Does your organization implement cryptographic controls to protect the confidentiality and integrity of network communications?
- Does your organization automatically encrypt or block outbound communications containing sensitive data based on data classification?