ISO 27001 Control 7.9: Security of Assets Off-Premises

How to Keep Laptops, Devices and Remote Kit Safe in the Real World

ISO 27001 Control 7.9 – Security of assets off-premises – recognises a simple reality: a lot of your important information no longer lives quietly in a locked server room.

It’s on laptops in coffee shops, mobiles on trains, tablets in client meetings, and equipment permanently installed at customer or third-party sites. Once assets leave your building, the risks change: theft, loss, shoulder surfing, tampering, dodgy Wi-Fi, and rough physical environments.

This control asks you to treat off-premises assets deliberately, not as an afterthought – with clear rules, technical safeguards and basic physical discipline.

This guide walks through what ISO 27001 Control 7.9 is really asking for, and how to put practical controls in place for laptops, phones, BYOD, and permanently installed off-site equipment.


What ISO 27001 Control 7.9 Actually Requires

In plain English, ISO 27001 Control 7.9 – Security of assets off-premises expects you to:

  • Recognise which assets regularly leave your premises (laptops, phones, tablets, removable media, kit installed at remote sites).
  • Protect those assets against loss, theft, damage and compromise when they’re off-site.
  • Control and record who takes what, where and why when equipment leaves the office.
  • Apply appropriate technical safeguards (encryption, remote wipe, strong authentication, tracking).
  • Put extra protections around permanently off-site equipment, such as antennas, kiosks, ATMs or field devices.

It applies to:

  • Organisation-owned devices taken off-site
  • Privately-owned devices used for work (BYOD), where you allow it
  • Fixed equipment in public or semi-public areas that you don’t physically control day-to-day

The main idea: if an asset can leave your building, ISO 27001 Control 7.9 wants you to assume it will one day be lost, stolen or tampered with – and design your controls accordingly.


Step 1 – Decide Which Off-Premises Assets Are in Scope

Start by getting clear on what “assets off-premises” means in your environment.

Typical examples for ISO 27001 Control 7.9:

  • Portable devices
    – Laptops and tablets
    – Smartphones and company mobiles
    – Portable POS terminals, handheld scanners
  • Removable storage
    – USB sticks, external drives, memory cards
    – Backup media taken off-site (for DR)
  • Home and remote setups
    – Equipment installed in home offices
    – Dedicated kit at client premises (e.g. secure workstations, data collection nodes)
  • Permanently off-site devices
    – Antennas, kiosks, vending or self-service terminals
    – ATMs or smart devices tied into your services
    – Field equipment with embedded processing or storage

Once you’ve identified these, you can build specific rules and controls for each asset type under ISO 27001 Control 7.9 rather than a vague “be careful with laptops” statement.


Step 2 – Set Behavioural Rules for Using Assets Off-Premises

Before you get into tech, set simple behavioural expectations for anyone taking equipment off-site. ISO 27001 Control 7.9 is much stronger when staff know exactly what is and isn’t acceptable.

Key points to cover:

  • No leaving kit unattended in public
    – Don’t walk away from a laptop on a train table “just for a minute”.
    – Don’t leave devices visible in parked cars, hotel lobbies, or shared spaces.
  • Secure storage when not in use
    – At home: devices stored out of sight, and ideally in a lockable room or cabinet.
    – In hotels: use the room safe where possible, not just a desk or bedside table.
    – At client sites: follow the stricter of your policy and theirs.
  • Careful handling
    – Follow manufacturer guidelines for heat, moisture, shock and general handling.
    – Don’t expose devices to conditions that obviously risk damage.
  • Incidents must be reported quickly
    – Lost or stolen devices, signs of tampering, or suspicious behaviour should be reported immediately, not “after the trip”.

Write this into a topic-specific policy for security of assets off-premises and link it explicitly to ISO 27001 Control 7.9.


Step 3 – Control and Record Removal of Equipment and Media

ISO 27001 Control 7.9 expects some level of authorisation and tracking when equipment or media leaves your premises.

You don’t necessarily need a full-blown sign-out desk for every laptop, but you should be able to answer “who is responsible for this device right now?” and “when did it leave?”.

Good practices:

  • Authorised removal
    – Require line manager or system owner approval for permanent or long-term removal of equipment.
    – For day-to-day laptop use, treat allocation records (asset register + user assignment) as your baseline authorisation.
  • Simple audit trail
    – Keep an asset register that shows:
      • Device ID / serial number
      • Assigned user or custodian
      • Off-site status (e.g. “permanently assigned remote worker”, “issued to field engineer”, “installed at Client ABC”)
    – For shared equipment or media, maintain a sign-in/out log or ticket record.
  • Chain of custody for transfers
    – When assets change hands (between employees, contractors, or organisations), record:
      • Who transferred it, who received it, when, and for what purpose
    – Wipe or remove unnecessary data before transfer.

This gives you the accountability ISO 27001 Control 7.9 is looking for if something goes wrong.


Step 4 – Reduce Exposure of Data in Public Places

One of the most visible risks for off-premises assets is shoulder surfing – someone nearby casually reading your screen.

To address this under ISO 27001 Control 7.9:

  • Use privacy screens where appropriate
    – Fit privacy filters to laptops used regularly on public transport or in public spaces.
    – Consider them for highly sensitive roles (finance, HR, legal, senior leadership) even in internal open-plan areas.
  • Think about seating choices
    – Sit with your back to a wall where possible, not facing into a busy room.
    – Avoid working on sensitive items in crowded spaces unless absolutely necessary.
  • Be smart with screen content
    – Avoid displaying full personal details or sensitive dashboards in public.
    – Use anonymised views or partial data versions where you must present or work on the move.
  • Lock screens proactively
    – Even if a device is in your hands, make screen locking a reflex when you look away or pause.

This is where ISO 27001 Control 7.9 overlaps nicely with clear screen and access control – the same ideas, extended to trains, cafés and customer sites.


Step 5 – Use Strong Technical Controls on Off-Premises Devices

Behaviour matters, but ISO 27001 Control 7.9 really expects you to assume devices will be lost or stolen and rely on technical safeguards to protect the information.

Core controls:

  • Encryption by default
    – Full-disk encryption for laptops, tablets and, if possible, mobiles.
    – Encrypted containers or volumes where full-disk encryption isn’t available.
  • Strong authentication
    – Unique user accounts with strong passwords or passphrases.
    – Multi-factor authentication for access to sensitive systems and data.
    – No shared accounts for off-premises use.
  • Remote management (via MDM or equivalent)
    – Ability to enforce security settings (encryption, screen lock, OS updates).
    – Ability to remotely lock or wipe lost or stolen devices.
    – Ability to track last known location where lawful and appropriate.
  • Secure network access
    – VPN or secure remote access for connecting back to internal systems.
    – Clear guidance not to use unsecured public Wi-Fi without appropriate protections.
  • Local data minimisation
    – Limit the amount of sensitive data stored locally on off-premises devices.
    – Use virtual desktops or browser-based apps where suitable, so data lives primarily in controlled environments.

If a device goes missing and you can show it was encrypted, locked down and remote-wipe capable, you’re in a much stronger position under ISO 27001 Control 7.9 (and, often, under data protection law as well).


Step 6 – Address BYOD (Bring Your Own Device) Explicitly

If you allow staff to use personal devices for work, ISO 27001 Control 7.9 absolutely applies – and the risk can be higher, because you don’t fully control the hardware.

You should either:

  • Formally prohibit BYOD for anything beyond low-risk tasks, or
  • Implement a specific BYOD policy and technical framework that covers:
    – Minimum security requirements (PINs, encryption, OS version, no jailbroken/rooted devices).
    – Use of a managed app or container to separate work and personal data.
    – Right to remotely wipe the work container if the device is lost, stolen or the person leaves.
    – Clear boundaries on what IT can and cannot see on personal devices.

Be explicit: if you choose to allow BYOD, you are choosing to extend ISO 27001 Control 7.9 into people’s pockets and homes – so the rules need to be watertight and clearly communicated.


Step 7 – Protect Permanently Off-Site Equipment

ISO 27001 Control 7.9 also covers equipment that is installed off-premises permanently, often in public or semi-public locations – for example:

  • Antennas or network nodes on masts or rooftops
  • ATMs or kiosks
  • Field monitoring devices, sensors, or controllers at remote sites
  • Customer-site hardware you own and manage

These assets face a different risk profile: tampering, vandalism, environmental damage, and eavesdropping.

For ISO 27001 Control 7.9, consider:

  • Physical protection
    – Strong, tamper-resistant enclosures and brackets.
    – Locks on cabinets and housings; restricted physical access.
    – Design that makes casual tampering obvious (tamper-evident seals, switches or indicators).
  • Monitoring and surveillance
    – CCTV or remote monitoring where justified.
    – Alerts for cabinet open events, power loss, or unexpected reboots.
  • Environmental hardening
    – Protection against weather, temperature extremes, dust and moisture.
    – Surge protection and, where needed, local UPS or conditioning.
  • Logical controls
    – Strong authentication for local and remote access.
    – Encrypted communications back to your systems.
    – Minimal data stored locally – and encrypted if it must be.

The important thing is that you can show you’ve treated permanently off-site equipment as deliberately as you would internal kit, just in a different context.


Step 8 – Train People and Keep Off-Premises Controls Current

Finally, ISO 27001 Control 7.9 works best when staff understand why the rules exist and what good off-premises behaviour looks like.

You should:

  • Provide targeted training
    – Short, practical modules for anyone using laptops, phones or tablets off-site.
    – Real examples of what can go wrong: lost devices, shoulder surfing, theft from cars, compromised hotel Wi-Fi.
  • Make responsibilities clear
    – What users must do if a device is lost, stolen or tampered with.
    – How to handle off-site documents and removable media.
    – What’s allowed and not allowed on personal devices, if BYOD is in play.
  • Review and adapt controls
    – As your remote working patterns change, revisit your approach to security of assets off-premises.
    – Update your policy and technical controls when you adopt new tools (e.g. MDM, new collaboration platforms).

This demonstrates that security of assets off-premises under ISO 27001 Control 7.9 is living practice, not a static policy written once.


Quick Implementation Checklist for ISO 27001 Control 7.9

Use this checklist to gauge where you stand:

  • ISO 27001 Control 7.9 (Security of assets off-premises) is covered in a topic-specific policy.
  • You have identified which assets regularly leave your premises (laptops, mobiles, media, fixed off-site kit).
  • Staff are given clear rules about not leaving devices unattended and how to store them securely off-site.
  • Equipment removal is authorised and recorded (asset register, allocation records, or sign-out logs).
  • Sensitive information on off-premises devices is protected by encryption and strong authentication.
  • Devices are remotely manageable, with the ability to lock, track and wipe where appropriate.
  • Measures exist to reduce shoulder surfing and visual exposure in public places (privacy screens, awareness).
  • BYOD is either prohibited or controlled via a formal BYOD policy and technical safeguards.
  • Permanently off-site equipment is protected with appropriate physical, environmental, monitoring and logical controls.
  • Training and awareness explicitly cover security of assets off-premises, and controls are reviewed regularly.

Bringing It All Together

ISO 27001 Control 7.9 – Security of assets off-premises – is about accepting that your information is no longer tied to your buildings, and making sure your security thinking isn’t either.

If you:

  • Know which assets leave your premises,
  • Set clear behavioural rules for how they’re used,
  • Back those rules with strong technical safeguards, and
  • Treat permanently off-site kit as a first-class part of your environment,

you’ll greatly reduce the risk of data loss, theft and compromise when work happens in the real world – and you’ll have exactly the kind of structured, evidence-based approach auditors look for under ISO 27001 Control 7.9.