Security of Assets Off-Premises - ISO 27001 Annex A Control

Equipment outside the building still needs the protection it would have inside.

ISO 27001 Annex A 7.9 - Security of Assets Off-Premises

Modern operations rarely keep all equipment within the office walls. Laptops travel home, to client sites, to coffee shops and overseas. Mobile phones move with their owners. Equipment loaned for events, secondments or remote working can be off-site for extended periods. The control asks the organisation to extend protection to these assets rather than treating them as outside the security perimeter.

The protection comes in layers. Technical controls cover the device itself - encryption, multi-factor authentication, mobile device management, the ability to wipe remotely. Procedural controls cover handling - what staff can leave in cars, hotel rooms, and shared workspaces; what to do if a device is lost; how to report incidents quickly. Awareness training reinforces the practices.

The control links closely to remote working under A.6.7 but covers a wider scope. Off-premises assets include equipment in transit, equipment loaned to third parties, equipment temporarily housed at client sites, and any other situation where the asset is outside the organisation's direct physical control. Each scenario needs to be considered in the policy.

The most common off-premises issue is the lost laptop in a public space - a cafe, a train, a hotel lobby. The technical controls usually hold up because the device is encrypted and locked, but the practical effect on the organisation comes down to how quickly the loss is reported and the remote wipe is triggered. Slow reporting turns a recoverable situation into a much harder one.

The audit test is whether the policy fits the actual working pattern. If staff routinely take equipment to coffee shops and the policy does not address it, that is a gap. If the policy says equipment must never leave the building but staff travel constantly, the policy has been overtaken by reality. The control needs to reflect how the organisation actually works.

Practical Compliance Guidance

Off-premises asset protection is described in the IMS1 manual at section 8.3 on IT equipment and section 8.5 alongside the Remote Working Policy. The equipment register tracks issued assets.

alphaZ document - How to use it
ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

As a baseline: full disk encryption, multi-factor authentication for organisational systems, current patching and anti-malware, mobile device management with the ability to wipe remotely, and screen lock with a short idle timeout. The combination protects against the most common off-premises risks - loss, theft, and unauthorised use of unattended equipment.

Equipment should stay with the user wherever practical: not in checked luggage on flights, not visible in cars, not left unsecured in hotel rooms. Where equipment must be left, hotel safes and locked cases reduce the risk. The policy should be specific about expectations for travel, particularly overnight stays and international travel.

The reporting process under A.6.8 should kick in immediately. The remote wipe should be triggered. Access tokens, certificates and credentials associated with the device should be revoked. The incident should be assessed for personal data implications under A.5.34. Staff need to know that prompt reporting is welcomed and is the right thing to do regardless of how the loss occurred.