ISO 27001:2022 Annex A Control 5.11 (A.5.11)

Explaining Control 5.11 (A.5.11) Return of assets

Return of Assets (ISO 27001 Control A.5.11) is designed to safeguard your organization’s resources when individuals transition out of their roles or contractual agreements. This control ensures that all assets—physical or digital—are returned promptly and securely to protect the confidentiality, integrity, and availability of your information. By following clear procedures and guidelines, your organization can maintain a robust cybersecurity posture and reduce the risk of unauthorized access or data leakage.

ISO 27001 Control 5.11 (A.5.11)

Control Type

Information Security Properties

Cybersecurity Concepts

Operational Capabilities

Security Domains

Objective of Control 5.11

The main objective of ISO 27001 Control 5.11 is to confirm that every asset allocated to personnel, contractors, and other third parties is retrieved when employment or contractual terms change or conclude. This step is crucial for maintaining control over your organization’s data and minimizing the risk of exposing sensitive information. Proper return-of-assets procedures also help align your organization with ISO 27001 requirements and broader cybersecurity best practices.

Purpose of Control 5.11

The purpose of Return of Assets is to protect your organization’s data and physical property from unauthorized use and to prevent accidental or intentional breaches after an individual is no longer associated with your organization. By adhering to a structured return process, you help:

  • Ensure that confidential information is retained in-house.
  • Revoke access rights and credentials in a timely manner.
  • Prevent unauthorized copying or transfer of intellectual property.
  • Comply with internal policies and external regulations.
  • Preserve operational continuity by documenting and transferring essential knowledge.

Considerations and Requirements

Formalized Return Process

It is important to create a clear, documented process covering every step of the return of assets. A formalized procedure helps your organization track the items issued to each individual and ensures they are all retrieved or disposed of correctly.

  • Documentation: Maintain a detailed record of allocated hardware, software licenses, and other items.
  • Ownership Verification: Assign an individual or department (often HR or IT) to manage and verify the return of assets.

Physical and Digital Assets

Assets include a wide range of items, and your organization should outline separate handling procedures for each category:

  • Physical Assets: Laptops, tablets, USB drives, smartphones, authentication tokens, keycards, and other devices.
  • Digital Assets: Software licenses, online accounts, and stored data.

Handling Privately Owned Devices

In some cases, personnel use their own equipment to perform organizational tasks. Your return-of-assets process should specify secure transfer or deletion of organizational data stored on personal devices:

  • Data Transfer: Move important information to secure organizational servers or cloud storage.
  • Data Deletion: Remove any remaining organizational data from personal devices while confirming its complete erasure.

Protecting Intellectual Property

During the notice period or after departure, your organization should restrict the copying, sharing, or retention of data that could compromise your operations or intellectual property.

  • Access Restriction: Update permissions or revoke access to systems, applications, and networks.
  • Monitoring: Track user activities in critical systems to deter unauthorized data extraction.

Knowledge Transfer

When personnel or contractors leave, they may possess valuable knowledge related to ongoing projects or operational processes. Your organization should ensure that this knowledge is documented and handed over before the individual’s exit.

Implementation Guidelines

Maintain an Asset Inventory

Maintain a comprehensive, up-to-date asset inventory that includes every physical and digital item issued to personnel. An accurate inventory helps you quickly identify which items need to be retrieved or deactivated when a person leaves.

  • Continuous Updating: Keep the inventory current as devices are issued, repaired, replaced, or upgraded.
  • Asset Tracking System: Use software or a spreadsheet to log device serial numbers, license keys, and assignment dates.

Define Roles and Responsibilities

Clearly outline which team or department is in charge of each part of the return process:

  • HR or Administration: Notify IT, security, and other relevant teams when a departure or contract change is scheduled.
  • IT or Security: Oversee the technical aspects of retrieving devices and revoking access rights.

Use Standardized Checklists

A standardized checklist helps ensure consistency and completeness. These checklists typically include:

  • Physical Hardware: Computers, mobile devices, smartcards, external storage.
  • Authentication Credentials: Passwords, digital certificates, cryptographic keys.
  • Intellectual Property: Work documents, databases, design files, scripts.

Secure Data Removal or Transfer

Once physical devices have been retrieved or personal devices identified:

  • Data Extraction: Copy essential files or email archives to your organization’s servers.
  • Data Deletion: Confirm that all organizational data is removed from any personal device.
  • Confirmation Logs: Maintain records showing that data has been successfully transferred or deleted.

Access Revocation

Access to systems and networks should be revoked promptly:

  • Disable or Remove Accounts: This includes email, VPN, cloud services, and internal applications.
  • Recover Credentials: Collect physical tokens, keycards, badges, and smartcards.

Monitoring and Compliance

Periodic Auditing

Regular audits can help verify that your return-of-assets procedure works effectively. These audits should check:

  • Asset Inventories: Confirm that device lists match returned hardware.
  • Revoked Accounts: Confirm that no active accounts remain for individuals who have left.
  • Compliance Records: Ensure that all steps in the return process are logged.
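As an added example that is not part of the original article, the script below runs the three audit checks just listed (unreturned assets, accounts still enabled for departed users, and missing confirmation records) over constructed sample exports; the record formats for the asset register, HR departure list, account directory and confirmation logs are assumptions.

```python
"""A.5.11 offboarding audit: reconcile departures against the asset register,
account directory and confirmation logs. All sample data below is constructed."""
from datetime import date

# Constructed exports; the field names are assumptions, not a real system's schema.
ASSET_REGISTER = [
    {"asset_id": "LAP-0142", "type": "laptop", "assigned_to": "j.doe", "returned": "2024-03-01"},
    {"asset_id": "TOK-0077", "type": "hw_token", "assigned_to": "j.doe", "returned": None},
    {"asset_id": "LAP-0199", "type": "laptop", "assigned_to": "a.smith", "returned": None},
]
DEPARTURES = [{"user": "j.doe", "last_day": "2024-02-29"}]
ACCOUNTS = [
    {"user": "j.doe", "system": "email", "enabled": False},
    {"user": "j.doe", "system": "vpn", "enabled": True},
    {"user": "a.smith", "system": "email", "enabled": True},
]
CONFIRMATION_LOGS = [{"user": "j.doe", "step": "personal_device_wipe", "confirmed": True}]
# Steps the return process requires a logged confirmation for (assumed names).
REQUIRED_STEPS = ("personal_device_wipe", "data_transfer")


def audit_departure(user, assets, accounts, logs):
    """Return findings for one departed user as (finding_type, detail) tuples."""
    findings = []
    for a in assets:  # asset inventory check: every issued item must be marked returned
        if a["assigned_to"] == user and a["returned"] is None:
            findings.append(("unreturned_asset", a["asset_id"]))
    for acct in accounts:  # revoked-accounts check: nothing may remain enabled
        if acct["user"] == user and acct["enabled"]:
            findings.append(("active_account", acct["system"]))
    confirmed = {log["step"] for log in logs if log["user"] == user and log["confirmed"]}
    for step in REQUIRED_STEPS:  # compliance-records check: each step must be logged
        if step not in confirmed:
            findings.append(("missing_confirmation", step))
    return findings


def run_audit(as_of, departures=DEPARTURES, assets=ASSET_REGISTER,
              accounts=ACCOUNTS, logs=CONFIRMATION_LOGS):
    """Audit every departure whose last day is on or before as_of (ISO date string)."""
    cutoff = date.fromisoformat(as_of)
    return {d["user"]: audit_departure(d["user"], assets, accounts, logs)
            for d in departures if date.fromisoformat(d["last_day"]) <= cutoff}


if __name__ == "__main__":
    for user, findings in run_audit("2024-03-15").items():
        print(f"{user}: {'PASS' if not findings else 'FAIL'}")
        for kind, detail in findings:
            print(f"  - {kind}: {detail}")
```

Users who have not yet left (a.smith above) are deliberately out of scope, so their open items do not appear as findings until the departure date passes.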

Record Retention

Document the entire return-of-assets process for future reference and compliance needs. Records should include:

  • Dates and Times: Track when each asset was returned or deactivated.
  • Responsible Parties: Note who completed each step in the process.
  • Discrepancies: Document any missing items and steps taken to resolve them.

Related ISO 27001 Controls

  • Control 5.18 – Access Rights Management
    Access Rights Management complements the return-of-assets process by defining how and when user access to information systems is granted or revoked.
  • Control 7.14 – Secure Disposal or Reuse of Equipment
    Secure Disposal or Reuse of Equipment aligns with Return of Assets by focusing on safe destruction or sanitization of devices that once held organizational data.
  • Control 8.24 – Use of Cryptography
    Implementing cryptographic protections helps secure data on devices so that even if an asset is temporarily outside the organization’s direct control, the information remains protected until it is officially recovered.

Relevant Templates for Your Organization

The following templates can assist your organization in implementing a structured return-of-assets process:

  • Asset Return Checklist: A standardized list to verify all hardware, software licenses, and credentials are accounted for.
  • Data Transfer/Deletion Procedure: Detailed steps to securely move or remove organizational information from personal devices.
  • Exit Interview Template: A guide for ensuring valuable information, including knowledge and accounts, is documented and handed over before departure.

Templates on Your Website That Could Assist

These templates help your organization adopt a consistent approach to classifying and handling data.

  • Information Classification Policy Template: Guides the creation of a formal policy.
  • Classification Matrix: Shows each classification level, associated handling rules, and access permissions.
  • Labeling Standards: Defines how to label electronic and physical documents.
  • Awareness Training Materials: PowerPoint decks or e-learning modules that teach employees about classification procedures.

Conclusion

ISO 27001 Control 5.11 – Return of Assets is an important component of a complete information security strategy. By implementing structured procedures for retrieving physical devices, revoking digital access, and securing organizational data, your organization can reduce the risk of unauthorized disclosures and maintain compliance with internal policies and international standards. An effective return-of-assets program includes clear roles, well-documented processes, and regular audits to ensure all resources are accounted for and secured at the end of any professional relationship.