# Return of Assets - ISO 27001 Annex A Control
ISO 27001 Annex A 5.11
When someone leaves the organisation, the assets need to come back.
## ISO 27001 Annex A 5.11 - Return of Assets
The control is the practical end of the joiner-mover-leaver process. When someone leaves the organisation or changes role, the assets they hold need to come back. That means physical equipment, access cards, mobile devices, removable media, paper records, and any company information stored on personal devices or systems.
Without a defined return process, assets walk out of the door. Laptops disappear, access cards stay active, files remain on personal devices long after employment ends. Each one is a residual risk that the organisation no longer has visibility of.
The return process needs to be linked to the assets register and to the user account management process. Knowing what someone has been issued is the starting point for knowing what to recover. Knowing what access they had is the starting point for knowing what to revoke.
Return of assets is one of those things that gets forgotten in the rush of someone leaving. The sensible answer is a checklist generated as part of the leaver process: every item the person was issued, with a tick alongside each one as it comes back. Keep the completed checklist on file as evidence. Anything still missing after the leaving date gets escalated.
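The reconciliation the paragraphs above describe, as an added example that is not part of the alphaZ toolkit: the leaver checklist is derived from the assets register, returned items are ticked off, physical items still outstanding and login accounts still to be revoked are listed, and the result decides whether escalation is needed. The register rows, staff identifiers and asset ids are constructed sample data; the `kind` values and the `PHYSICAL_KINDS` set are assumptions about how a register might classify entries.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterEntry:
    asset_id: str   # identifier as recorded in the register (constructed format)
    kind: str       # assumed classification: laptop, access_card, mobile, removable_media, login
    issued_to: str  # staff identifier the item was issued to


# Constructed sample register: hypothetical rows, not alphaZ data.
SAMPLE_REGISTER = [
    RegisterEntry("LT-0042", "laptop", "j.smith"),
    RegisterEntry("AC-0107", "access_card", "j.smith"),
    RegisterEntry("MB-0019", "mobile", "j.smith"),
    RegisterEntry("LOGIN-vpn", "login", "j.smith"),
    RegisterEntry("LOGIN-crm", "login", "j.smith"),
    RegisterEntry("LT-0043", "laptop", "a.jones"),
]

# Assumed set of kinds that are physical items and must physically come back.
PHYSICAL_KINDS = {"laptop", "access_card", "mobile", "removable_media"}


def build_leaver_checklist(register, person, returned_ids):
    """Build the leaver checklist for one person from the register.

    register     - iterable of RegisterEntry (the assets / IT equipment register)
    person       - staff identifier of the leaver
    returned_ids - set of asset ids physically handed back so far
    """
    returned_ids = set(returned_ids)
    issued = [e for e in register if e.issued_to == person]
    issued_ids = {e.asset_id for e in issued}

    # Physical items issued to the person and not yet handed back.
    outstanding = sorted(
        e.asset_id for e in issued
        if e.kind in PHYSICAL_KINDS and e.asset_id not in returned_ids
    )
    # Login accounts are never "returned"; every one on the register must be revoked.
    accounts_to_revoke = sorted(e.asset_id for e in issued if e.kind == "login")
    # Items handed back that the register never recorded: a register accuracy problem,
    # because it means other unrecorded items could also exist.
    unexpected = sorted(i for i in returned_ids if i not in issued_ids)

    return {
        "person": person,
        "issued": sorted(issued_ids),
        "returned": sorted(i for i in returned_ids if i in issued_ids),
        "outstanding": outstanding,
        "accounts_to_revoke": accounts_to_revoke,
        "unexpected": unexpected,
    }


def needs_escalation(checklist):
    """True when something is still missing or the register did not match reality."""
    return bool(checklist["outstanding"]) or bool(checklist["unexpected"])


if __name__ == "__main__":
    # j.smith returns the laptop and access card, plus a USB stick nobody recorded,
    # but not the mobile phone.
    result = build_leaver_checklist(SAMPLE_REGISTER, "j.smith", {"LT-0042", "AC-0107", "USB-0001"})
    for key, value in result.items():
        print(f"{key:20} {value}")
    print("escalate:", needs_escalation(result))
```

The checklist is kept as the record the text asks for; the `unexpected` list is the check a practitioner wants, because an item coming back that was never registered is evidence the register itself is incomplete, which undermines the whole return process.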
## Practical Compliance Guidance
The return of assets process is described in the IMS1 manual at section 3.1 on management of staff and personnel, including the staff leaving procedure. Asset management is supported by the assets register and the IT equipment register.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| ER10 IT Equipment Logins Register | Records IT equipment and login accounts issued to staff. Use as the starting point for the return checklist when someone leaves or changes role. |
Note - all the above files can be downloaded with an alphaZ subscription.
