The basics
ISO 27001 control A.7.9 Security of assets off-premises requires companies to protect equipment and information used outside the organization’s premises. This is important to prevent unauthorized access to data in environments that are not controlled by the organization.
Documentation
ISO 27001 control A.7.9 Security of assets off-premises can be documented:
- for smaller and mid-sized companies by writing a Mobile Device and Teleworking Policy
- for larger companies by writing a Procedure for Security of Assets Off-Site.
These documents are not mandatory, but are recommended.
Implementation
In order to comply with control A.7.9 Security of assets off-premises you might implement the following:
- Technology — the technology to enable the protection of assets off-premises may include software (e.g., data loss prevention software, authentication software, encryption, etc.), and hardware (secure cabinets, cable locks, etc.).
- Organization/processes — you should set up a process for defining requirements for the protection of assets off-premises, who is authorized to allow assets to be taken off-premises, and what users can and cannot do while handling assets off-premises. You can document those processes through a Mobile Device and Teleworking Policy or a Procedure for Security of Assets Off-Site.
- People — make employees aware of the risks related to assets taken off-premises, and train them on how to properly handle assets off-premises.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.7.9 Security of assets off-premises: whether equipment and information used outside the organization’s premises are protected.