Mobile compliance that stands up to the auditor.
NIS-2 and ISO 27001 require mobile endpoints to be included in information security management. Vyrex Mobile helps you demonstrate these requirements in a structured way — with automatic documentation, audit-ready reports and clearly defined policies.
NIS-2 and mobile endpoints
- Article 21(2)(h) NIS-2 requires supply chain security — mobile access points are part of that.
- Vyrex Mobile documents all known mobile devices, their security status and policy deviations.
- Compliance reports include a NIS-2 chapter mapping mobile controls to policy requirements.
- Incidents with a mobile element are recorded in the audit log and can be used for reporting obligations.
- Policies (minimum OS, screen lock, mandatory enrollment) are configurable and versioned in the portal.
ISO 27001 — Mobile Controls
- A.6.2.1 Mobile Device Policy: Vyrex Mobile provides the technical foundation and documentation for an evidenced mobile device policy.
- A.6.2.2 Teleworking: Secure remote access via enrolled devices is factored into the risk score.
- A.8.1 Asset Management: All enrolled devices are captured as assets in the portal, with owner, score and status.
- A.12.6 Technical Vulnerability Management: OS versions are checked against known CVEs and reported.
GDPR and data minimisation
- Vyrex Mobile collects only security signals necessary for the business purpose (Art. 5(1)(c) GDPR).
- The consent at enrollment is informed, voluntary and revocable at any time (Art. 7 GDPR).
- All data is stored and processed exclusively on German servers.
- Device owners receive full data subject access information on request (Art. 15 GDPR).
Policies in the Vyrex portal
Minimum OS version
Define which OS version is the minimum. Devices below that threshold automatically receive a finding entry.
Mandatory screen lock
Devices without an active screen lock are marked as non-compliant and the device owner receives a push alert.
Mandatory enrollment
Define which user groups must enroll. Unenrolled devices with network access are detected via Edge.
Check-in frequency
How often must a device deliver a signal check-in? Devices that exceed the deadline are marked as inactive.
Network whitelist
Define known safe networks. Connections to unlisted public Wi-Fi networks generate warnings.
Incident consent policy
Governs which location data and actions may be voluntarily released in incident mode — documented and revision-proof.
Compliance reports for audits
All four mobile report types are exportable as PDF and include timestamps, versioning notes and auditor mapping. They are designed so that an external auditor without prior knowledge can follow the documentation.
Häufige Fragen
Is Vyrex Mobile sufficient on its own for NIS-2 compliance on mobile devices?+
Vyrex Mobile covers the technical documentation and monitoring of mobile endpoints. NIS-2 compliance additionally requires organisational measures and a complete ISMS — covered by the Vyrex Compliance package.
Can I define my own policies or only use Vyrex defaults?+
All policy parameters are configurable in the Vyrex portal. Thresholds for OS versions, check-in frequency and network rules can be set by you.
Are reports GDPR-compliant if device names are personal data?+
Device names can be pseudonymised in reports. This option is available in the report module settings.
How long is compliance data retained?+
12 months with a rolling history by default. An extension to 36 months is bookable for Compliance package customers.