ISO 27001:2022 Annex A Control 7.9

Abstract of Annex A Control 7.9: Security of assets off-premises

ISO 27001 Control 7.9 addresses the importance of protecting organizational assets when they are used or stored outside the organization's physical premises. These assets, which include mobile devices, laptops, tablets, and permanent installations such as antennas or ATMs, are exposed to distinct risks in off-premises environments. The control requires measures to prevent loss, damage, theft, unauthorized access, and operational interruptions.

Objective of Control 7.9

The objective of Control 7.9 is to protect assets off-premises by applying security measures that maintain the confidentiality, integrity, and availability of information processed or stored on these devices. Your organization must ensure that assets used outside its premises are protected from physical, environmental, and cybersecurity threats.

Purpose of Control 7.9

The purpose of ISO 27001 Control 7.9 is to:

  1. Prevent the loss or theft of devices and equipment used off-premises.
  2. Minimize the risk of sensitive information being compromised through physical or logical breaches.
  3. Ensure business continuity by avoiding operational disruptions caused by the compromise or loss of critical off-premises assets.
  4. Strengthen overall organizational security posture in environments that are less secure or controlled compared to the organization’s premises.

Scope of Control 7.9

Control 7.9 applies to all organizational assets that are used, stored, or permanently installed outside your organization’s controlled environments. These include:

  • Portable Devices: Laptops, tablets, smartphones, and USB drives owned by the organization or authorized for business use under BYOD policies.
  • Permanently Installed Equipment: Remote installations such as antennas, kiosks, ATMs, and other assets situated in public or semi-public spaces.
  • Storage Media: Hard drives, backup tapes, or other removable media containing sensitive organizational information.

Key Guidelines for Protecting Off-Premises Assets

1. Authorization and Asset Management

  • Authorization Process: Ensure that all off-premises use of organizational assets is authorized by management. This includes BYOD devices, which should meet predefined security standards before approval.
  • Asset Inventory: Maintain an up-to-date inventory of all assets authorized for off-premises use. Each asset should be logged with details such as the assigned user, purpose, and current location.
  • Access Restriction: Clearly define who can use and access organizational assets off-premises. Limit access to essential personnel only.

2. Physical Security

  • Unattended Devices: Prohibit leaving equipment or storage media unattended in public or unsecured locations. For instance, employees should never leave laptops on a café table or USB drives in shared workspaces.
  • Environmental Protection: Follow manufacturers’ instructions to protect devices against exposure to environmental risks such as heat, water, dust, or electromagnetic interference.
  • Anti-Tamper Measures: Implement tamper-resistant and tamper-evident mechanisms for permanently installed equipment, such as ATMs or remote sensors, so that interference is both hindered and detectable.

3. Data Protection

  • Secure Data Deletion: Before transferring equipment between individuals or departments, ensure all sensitive information that is no longer needed is securely deleted.
  • Screen Privacy: Equip devices with privacy screens to prevent unauthorized viewing of sensitive data in public spaces, such as on public transport or in airports.
  • Encryption: All data on portable devices should be encrypted using robust algorithms to prevent unauthorized access in case of theft or loss.

4. Technical Security Controls

  • Remote Management: Enable remote wiping and location tracking for mobile devices to secure data if the device is lost or stolen.
  • Logical Access Controls: Use multi-factor authentication, strong passwords, and biometric systems to prevent unauthorized access to devices and data.
  • Secure Backup Systems: Ensure that backups of off-premises devices are stored securely and can be restored in case of data loss.

5. Procedures for Asset Transfer

  • Chain of Custody: Maintain a detailed log for every asset transferred between users or departments, recording who is responsible for the asset at each stage.
  • Removal Records: Require authorization for the removal of devices or media from organizational premises and maintain records to support audit trails.

6. Protection of Permanently Installed Equipment

  • Physical Security Monitoring: Monitor equipment in remote locations using surveillance systems or periodic physical inspections.
  • Location-Specific Risks: Assess the risks associated with each location and implement measures such as anti-vandalism enclosures, alarms, or reinforced structures as needed.

Risk Assessment and Mitigation

Conduct regular risk assessments for off-premises assets to identify vulnerabilities and threats. Key steps include:

  1. Threat Identification: Identify potential risks such as theft, physical damage, or unauthorized access.
  2. Impact Analysis: Evaluate the potential impact of asset compromise on organizational operations.
  3. Mitigation Strategies: Implement proportionate controls based on the identified risks. For example, high-risk areas may require enhanced physical security and monitoring.

Training and Awareness

Employee Training: Provide regular training sessions to educate employees about best practices for securing assets outside the office. Topics should include handling sensitive information in public, avoiding shoulder surfing, and protecting devices from environmental threats.

Awareness Campaigns: Use internal communications to remind employees of the importance of securing off-premises assets. For instance, periodic newsletters or posters can highlight real-world examples of security incidents and lessons learned.

Related Controls

Control 7.9 works in conjunction with several other ISO 27001 controls to provide comprehensive security for off-premises assets:

  • Control 6.7 Remote Working: Ensures the security of remote work environments.
  • Control 7.4 Physical Security Monitoring: Provides monitoring mechanisms for physical assets.
  • Control 7.5 Protecting Against Physical and Environmental Threats: Addresses safeguards for environmental hazards.
  • Control 8.1 User Endpoint Devices: Focuses on the security of devices accessing organizational systems.

Supporting Templates for Control 7.9

Your organization can use the following templates to simplify the implementation of Control 7.9:

  1. Asset Management Policy Template: Ensures all organizational assets are inventoried, tracked, and protected.
  2. Physical Security Policy Template: Provides guidelines for securing physical and environmental aspects of organizational assets.
  3. Chain of Custody Log Template: Helps maintain detailed records of asset transfers for accountability and auditing purposes.
  4. BYOD Policy Template: Outlines security requirements for employee-owned devices used for business purposes.