ISO 27001 Annex A Control 5.11

ISO 27001 control 5.11 Return of assets

The basics

ISO 27001 control A.5.11 Return of assets requires companies to ensure that all assets in the possession of employees or other interested parties are returned to the organization when the relationship between these persons and the organization ends. This way, the company ensures that access to its information and assets remains available only to people who are actively working for it.

Documentation

ISO 27001 control A.5.11 Return of assets can be documented by writing:

  • A Supplier Security Policy to define how information assets that are in the possession of suppliers and partners must be returned.
  • Smaller and mid-size companies might have an IT Security Policy or an Acceptable Use Policy to define how information assets in the possession of employees must be returned.
  • Larger companies might have a separate Procedure for Return of Assets.

These policies are not mandatory documents but are recommended for all companies.

Implementation

In order to comply with control A.5.11 Return of assets, you might implement the following:

  • Technology — the technology used to enable the return of assets may vary from electronic spreadsheets used by small organizations to record asset status, to online systems used by bigger organizations to track asset location in real time in a shared system.
  • Organization/processes — you should set up a process that defines how information assets in the possession of suppliers, partners, or employees must be returned. You can document this process in an IT Security Policy, Acceptable Use Policy, Supplier Security Policy, or a general Procedure for Return of Assets.
  • People — make employees aware of why ensuring that assets are returned is necessary, and train them on how to request and return assets.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.5.11 Return of assets: whether assets in the possession of employees or third parties are returned to the organization when the relationship between these persons and the organization ends.