ISO 27001 Control 5.11 Return of Assets



Ensuring the Secure Return of Organisational Assets

Properly managing organisational assets during employment, contracts, or agreements is essential to maintaining information security. This is where ISO 27001 control 5.11 comes in – Return of Assets.

Ensuring that all assets are returned during role transitions, such as employment termination or contract completion, helps safeguard organisational resources and mitigates risks of unauthorised access or data breaches.



The Importance of Returning Organisational Assets

The primary purpose of a robust asset return process is to:


Key Steps in the Asset Return Process

A formalised approach to asset return ensures consistency and security. Here are the critical components:

1. Establishing Clear Procedures

  • Define and document formal procedures for returning all organisational assets.
  • Apply these procedures consistently across departments and roles.

2. Managing Personal and Organisational Equipment

  • For personal equipment used for organisational work:
    • Ensure all relevant data is securely transferred to the organisation.
    • Verify that sensitive information is securely deleted from personal devices (refer to Section 7.14).

3. Capturing Critical Knowledge

  • Document and transfer essential operational knowledge from departing personnel to ensure business continuity.
  • Implement secure processes to safeguard intellectual property.

4. Preventing Unauthorised Access

  • During notice periods, apply controls to prevent unauthorised duplication or transfer of sensitive information, including intellectual property.

Assets to Be Returned

The organisation should maintain a clear inventory of assets to be returned, which may include:

  • User Endpoint Devices: Such as laptops, desktops, smartphones, and tablets.
  • Portable Storage Devices: Including USB drives, external hard drives, and SD cards.
  • Specialist Equipment: Such as industry-specific tools and hardware.
  • Authentication Hardware: Keys, tokens, smartcards, and other access control devices.
  • Physical Information: Paper files, printed documents, and archived materials.

Addressing Challenges and Mitigating Risks

1. Handling Data on Personal Devices

  • For data stored on non-organisational devices:
    • Restrict access using rights management systems (refer to Section 5.18).
    • Employ cryptographic measures to secure sensitive information (refer to Section 8.24).

2. Ensuring Secure Data Transfers

  • Develop clear protocols for securely transferring critical data to organisational systems.
  • Use reliable and secure methods to erase data from non-organisational devices post-transfer.

Best Practices for Asset Management During Transitions

To streamline asset return processes and enhance security, organisations should:

  • Maintain an Asset Inventory: Keep detailed, up-to-date records of all assigned assets.
  • Educate Employees: Train staff and contractors on their responsibilities regarding asset return.
  • Conduct Regular Audits: Monitor the effectiveness of asset return processes and identify areas for improvement.
  • Communicate Clearly: Provide departing personnel with a detailed checklist of items to return, along with defined timelines.

FAQs

What is the aim of Control 5.11 in ISO 27001?

The goal is to ensure that all assets provided to employees, contractors, or third parties (like laptops, ID badges, mobile devices, or data) are returned when they leave the organisation or change roles. This prevents unauthorised access or data loss.

What counts as an “asset” under this control?

Assets include both:

– Physical items: laptops, access cards, USB drives, phones
– Information assets: confidential documents, intellectual property, client data
– Also includes software licenses and user accounts that must be deactivated

When should the return of assets process be triggered?

Asset return should be part of:

– Offboarding procedures (employee exits)
– Role or department changes
– Contractor or supplier disengagements

It should be tracked and documented to ensure nothing is missed.

How do we ensure all assets are returned properly?

Implement a return checklist during offboarding that:

– Lists all assigned assets
– Requires formal sign-off when items are returned
– Includes steps to revoke access rights and recover data from devices
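One way to operationalise that checklist, as an added example that is not part of the original article: reconcile the inventory of assets assigned to a departing person against the return log (with its sign-off field) and the account directory, and report what is still outstanding before offboarding is closed. The data classes, field names and sample records below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Dict

@dataclass
class Asset:
    tag: str          # inventory tag, e.g. "LT-1001"
    kind: str         # laptop, smartcard, USB drive, ...
    assigned_to: str  # username of the current holder

@dataclass
class ReturnRecord:
    tag: str
    returned_by: str
    signed_off_by: Optional[str]  # None until IT/manager formally signs off

@dataclass
class Account:
    username: str
    owner: str
    active: bool

def offboarding_report(person: str, inventory: List[Asset],
                       returns: List[ReturnRecord], accounts: List[Account]) -> Dict:
    """Reconcile assigned assets, return sign-offs and access for one leaver."""
    assigned = {a.tag: a for a in inventory if a.assigned_to == person}
    returned = {r.tag: r for r in returns if r.tag in assigned}
    # Assigned but not present in the return log at all
    outstanding = sorted(t for t in assigned if t not in returned)
    # Returned, but nobody has formally signed the item off yet
    unsigned = sorted(t for t, r in returned.items() if r.signed_off_by is None)
    # Access rights that still need revoking
    active_accounts = sorted(a.username for a in accounts if a.owner == person and a.active)
    return {"outstanding": outstanding, "unsigned": unsigned,
            "active_accounts": active_accounts,
            "complete": not (outstanding or unsigned or active_accounts)}

# Constructed sample records: jdoe is leaving, asmith stays
INVENTORY = [Asset("LT-1001", "laptop", "jdoe"), Asset("SC-0207", "smartcard", "jdoe"),
             Asset("USB-0042", "USB drive", "jdoe"), Asset("LT-1002", "laptop", "asmith")]
RETURNS = [ReturnRecord("LT-1001", "jdoe", "it-desk"), ReturnRecord("SC-0207", "jdoe", None)]
ACCOUNTS = [Account("jdoe", "jdoe", True), Account("jdoe-admin", "jdoe", False),
            Account("asmith", "asmith", True)]

if __name__ == "__main__":
    for key, value in offboarding_report("jdoe", INVENTORY, RETURNS, ACCOUNTS).items():
        print(f"{key}: {value}")
```

Run against the sample data, the report shows the USB drive still outstanding, the smartcard returned without sign-off and one account still active, so offboarding is not yet complete.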

Why is this control important for security and compliance?

Failing to recover assets can lead to:

– Unauthorised access to systems or data
– Data breaches if devices are lost or misused
– Non-compliance with GDPR or contractual requirements

It also helps maintain asset inventory accuracy.


Conclusion

Implementing a well-structured and consistent asset return process is key to protecting organisational resources during transitions. By formalising procedures, maintaining comprehensive records and applying robust security controls in line with ISO 27001 control 5.11, organisations can mitigate risks and ensure the integrity of their operations.


Written by

Alan Parker

Alan Parker is an experienced IT governance consultant who’s spent over 30 years helping SMEs and IT teams simplify complex IT challenges. With an Honours Degree in Information Systems, ITIL v3 Expert certification, ITIL v4 Bridge, and PRINCE2 Practitioner accreditation, Alan’s expertise covers project management, ISO 27001 compliance, and service management best practices. Recently named IT Project Expert of the Year (2024, UK).
