
ISO 27001 Control 7.9: Security of Assets Off-Premises

Protecting Organisational Resources Beyond the Workplace


Introduction


As organisations increasingly rely on mobile and remote work environments, protecting assets used off-premises has become a critical aspect of information security. Devices and equipment that store or process organisational information outside of traditional office environments are subject to unique risks, such as theft, loss, damage, or compromise. Robust policies and practices ensure these assets remain secure and operational.


Purpose of Securing Off-Premises Assets

The primary objective of protecting off-site assets is to prevent loss, damage, theft, or compromise of information and devices, while also minimising disruptions to organisational operations. This includes safeguarding both organisation-owned devices and privately-owned devices used for organisational purposes, such as through Bring Your Own Device (BYOD) arrangements.


Key Guidelines for Protecting Off-Premises Devices

  1. Avoid Unattended or Unsecured Locations

    • Do not leave equipment or storage media unattended in public or unsecured places. Always store devices in secure locations when not in use.

  2. Adhere to Manufacturer’s Instructions

    • Follow manufacturer guidelines for protecting devices from environmental threats, such as electromagnetic fields, water, heat, humidity, and dust. This ensures the longevity and reliability of the equipment.

  3. Maintain a Chain of Custody

    • When transferring off-premises equipment between individuals or interested parties, maintain a detailed log that records the chain of custody. Include the names and organisations of responsible parties.

    • Before transferring devices, securely delete any unnecessary information to reduce potential risks.

  4. Authorise and Track Asset Removal

    • Require management authorisation for the removal of equipment or media from organisational premises. Keep a record of such removals to maintain an audit trail.

  5. Mitigate Shoulder Surfing Risks

    • Implement measures to protect sensitive information displayed on devices in public settings, such as on public transport. Privacy screens and user awareness are key defences against shoulder surfing.

  6. Enable Location Tracking and Remote Wiping

    • Use location tracking to monitor the whereabouts of organisational devices.

    • Implement remote wiping capabilities to delete sensitive data if a device is lost or stolen.
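Guidelines 3 and 4 above both come down to keeping a reliable record: who authorised an asset to leave the premises, who holds it now, and every hand-over in between. The following is an added example, not code from the article or from ISO 27001, of a small asset-removal register that enforces management authorisation before an asset is logged as off-site, only lets the current custodian hand an asset on, and hash-chains the entries so that a later alteration or deletion of a record is detectable when the audit trail is reviewed. All asset identifiers, names and organisations in it are constructed placeholders.

```python
"""Off-premises asset register with a hash-chained chain-of-custody trail.

Added example for ISO 27001 control 7.9 guidelines 3 and 4; not the
article's own code. Asset ids, people and organisations are constructed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class Entry:
    seq: int
    event: str           # "removal" or "transfer"
    asset_id: str
    custodian: str       # person now responsible for the asset
    organisation: str    # custodian's organisation (may be an interested party)
    authorised_by: str   # manager who approved the removal, or releasing custodian
    timestamp: str       # ISO 8601, UTC
    prev_hash: str       # hash of the previous entry, or GENESIS
    hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except the hash itself, in a canonical encoding.
        body = {k: v for k, v in asdict(self).items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyRegister:
    def __init__(self):
        self.entries: list[Entry] = []
        self.current: dict[str, str] = {}  # asset_id -> current custodian

    def _append(self, event, asset_id, custodian, organisation, authorised_by, ts):
        prev = self.entries[-1].hash if self.entries else GENESIS
        ts = ts or datetime.now(timezone.utc).isoformat()
        e = Entry(len(self.entries), event, asset_id, custodian,
                  organisation, authorised_by, ts, prev)
        e.hash = e.compute_hash()
        self.entries.append(e)
        self.current[asset_id] = custodian
        return e

    def authorise_removal(self, asset_id, custodian, organisation, manager, ts=None):
        """Guideline 4: management authorisation is required to take an asset off-site."""
        if not manager:
            raise ValueError("removal requires management authorisation")
        if asset_id in self.current:
            raise ValueError(f"{asset_id} is already off-premises with {self.current[asset_id]}")
        return self._append("removal", asset_id, custodian, organisation, manager, ts)

    def transfer(self, asset_id, to_custodian, to_organisation, released_by, ts=None):
        """Guideline 3: only the current custodian may hand an asset on."""
        holder = self.current.get(asset_id)
        if holder is None:
            raise ValueError(f"{asset_id} has no recorded removal")
        if holder != released_by:
            raise ValueError(f"{released_by} is not the current custodian of {asset_id}")
        return self._append("transfer", asset_id, to_custodian, to_organisation, released_by, ts)

    def custodian_of(self, asset_id):
        return self.current.get(asset_id)

    def history(self, asset_id):
        """Ordered list of custodians for one asset, for audit or loss investigation."""
        return [e.custodian for e in self.entries if e.asset_id == asset_id]

    def verify(self) -> bool:
        """Recompute the chain; any edited, reordered or removed entry breaks it."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != expected_prev or e.hash != e.compute_hash():
                return False
            expected_prev = e.hash
        return True


def demo() -> CustodyRegister:
    """Constructed walk-through: removal, one transfer, and a rejected hand-over."""
    reg = CustodyRegister()
    reg.authorise_removal("LAPTOP-0042", "alice", "ExampleCo", manager="bob",
                          ts="2024-01-10T08:00:00+00:00")
    reg.transfer("LAPTOP-0042", "carol", "Partner Ltd", released_by="alice",
                 ts="2024-01-11T09:30:00+00:00")
    try:
        # alice no longer holds the asset, so she cannot release it again.
        reg.transfer("LAPTOP-0042", "dave", "Partner Ltd", released_by="alice")
    except ValueError:
        pass
    return reg


if __name__ == "__main__":
    r = demo()
    print(r.history("LAPTOP-0042"), r.verify())
```

The register is deliberately append-only: returns, secure-deletion confirmations before a transfer, or a lost-device report would be further event types appended in the same way, and `verify()` is what a reviewer runs before trusting the trail. Backing the entries with storage the custodians cannot modify is still needed; the hash chain only makes tampering visible, it does not prevent it.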


Special Considerations for Permanent Off-Site Equipment

Some equipment, such as antennas or automated teller machines (ATMs), may be permanently installed outside organisational premises. These assets face higher risks, including damage, theft, or eavesdropping.


The following measures should be implemented:


  1. Physical Security Monitoring

    • Deploy monitoring systems, such as CCTV or intrusion detection, to oversee physical security (refer to section 7.4).

  2. Protection Against Physical and Environmental Threats

    • Address risks such as vandalism, weather conditions, or electrical issues by implementing appropriate safeguards (refer to section 7.5).

  3. Physical Access and Tamper-Proofing Controls

    • Use tamper-proof mechanisms and restrict physical access to equipment through secure enclosures or locks.

  4. Logical Access Controls

    • Apply logical controls, such as strong authentication and encryption, to ensure only authorised individuals can access equipment and its data.


Supporting Policies and Procedures

  • Develop clear policies outlining the use and security of off-premises assets.

  • Provide training and awareness programmes to ensure personnel understand their responsibilities when using organisational assets outside the workplace.

  • Regularly review and update off-premises security measures to adapt to emerging threats and operational needs.


Key Concepts and Domains

  • Control Type: Preventive

  • Security Properties: Confidentiality, Integrity, Availability

  • Cybersecurity Concepts: Protection

  • Operational Capabilities: Physical Security, Asset Management


Conclusion

Securing organisational assets off-premises is essential for maintaining the integrity and continuity of operations. By implementing robust controls, such as chain-of-custody tracking, environmental protection measures, and remote wiping capabilities, organisations can reduce the risks associated with off-site assets.


A proactive approach to securing devices and permanent equipment outside organisational premises not only protects valuable resources but also reinforces trust in the organisation’s ability to manage information securely across diverse environments.



About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.
