How to Audit ISO 27001 Annex A 5.11 Return of Assets

ISO 27001 Annex A 5.11 is a security control that requires personnel and external parties to return all organisational assets they hold when their employment, contract or agreement ends. The core implementation requirement is to formalise offboarding workflows and asset inventories so that equipment and data are reliably recovered.

Auditing the return of assets ensures that an organisation protects its information by reclaiming physical hardware and intellectual property when personnel leave or change roles. This process requires a robust intersection of HR records, IT asset registers, and formalised de-provisioning workflows to prevent data leakage.

Inspect the Asset Register and Inventory Accuracy

  • Cross-reference the master asset register with current HR headcount to separate assets assigned to active staff from those assigned to leavers.
  • Validate that IAM roles and hardware IDs are uniquely mapped to specific individuals within the register.
  • Requirement: Provision an up-to-date inventory that includes serial numbers, physical locations, and asset classifications.

Review HR Termination and Offboarding Checklists

  • Examine a sample of offboarding records to ensure the “Return of Assets” workflow was triggered immediately upon notice.
  • Check for signed acknowledgement forms where employees confirm the return of all company-issued equipment.
  • Requirement: Formalise a checklist that includes laptops, mobile devices, security tokens, and physical keys.

Validate Physical Asset Recovery Procedures

  • Interview facilities or IT managers to verify the secure storage of returned hardware before it is redeployed or decommissioned.
  • Assess the Rules of Engagement (ROE) for remote staff, ensuring there is a documented courier or drop-off process for equipment recovery.
  • Requirement: Secure all recovered physical assets in a restricted area to prevent unauthorised access or tampering.

Audit Digital Access De-provisioning and Data Wipe Evidence

  • Verify that administrative access and cloud service accounts were revoked in alignment with the asset return.
  • Review certificates of destruction or data-wiping logs for devices intended for reuse or disposal.
  • Requirement: Revoke all logical access rights across SaaS and on-premise systems immediately upon the termination date.

Verify Intellectual Property and Knowledge Transfer Handover

  • Check that non-disclosure agreements (NDAs) and intellectual property clauses are reinforced during the exit interview.
  • Ensure that proprietary code, documentation, and internal wikis have been transitioned to a designated successor.
  • Requirement: Protect organisational knowledge by migrating data ownership from personal drives to centralised repositories.

Evaluate Exception Management for Retained Assets

  • Identify any instances where assets were retained by former employees and check for formal management authorisation.
  • Review the risk assessment for any delayed returns, particularly regarding sensitive data stored on those devices.
  • Requirement: Document all exceptions with a clear justification and a set deadline for the eventual return or disposal of the asset.

ISO 27001 Annex A 5.11 Audit Implementation Matrix

Each row gives the audit step, how to audit it, and common evidence examples.

Inventory Verification
  • How to audit: Perform a “blind test” by selecting 10 leavers and checking in the register whether their assigned assets were returned.
  • Evidence: Updated Asset Register, IT Ticketing Logs.

Policy Compliance
  • How to audit: Review the Asset Management Policy to ensure it explicitly defines the “Return of Assets” timeframe.
  • Evidence: Information Security Policy, Employee Handbook.

Physical Security
  • How to audit: Inspect the physical storage lockers where returned laptops are kept to ensure restricted access.
  • Evidence: Access Logs to IT Storage, Physical Security Tags.

Logical Access
  • How to audit: Sample the Active Directory or Okta logs for leavers to ensure accounts are “Disabled” or “Deleted”.
  • Evidence: IAM De-provisioning Logs, SaaS User Lists.

Common SaaS and GRC Platform Audit Failures

Each row gives the failure point, the SaaS/GRC platform limitation behind it, and the resulting audit risk.

Physical Verification
  • Limitation: SaaS tools cannot verify whether a physical laptop was actually handed back, only that a “task” was ticked.
  • Audit risk: Non-compliance due to missing hardware that the system claims is “returned”.

False Green Status
  • Limitation: Automated API connectors often show a “green” status once an account is disabled, ignoring physical key or badge returns.
  • Audit risk: Critical security gaps in physical perimeter control.

Lack of Contextual Evidence
  • Limitation: GRC platforms often store a simple “Yes/No” toggle rather than the signed handover document or courier receipt.
  • Audit risk: Inability to provide “burden of proof” to an external auditor during a deep-dive.

Delayed Syncing
  • Limitation: API lag between the HRIS and the GRC platform can hide the fact that an asset went unreturned for weeks.
  • Audit risk: Unauthorised data access remains active longer than the policy allows.
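The “blind test” from the implementation matrix and the “false green” and sync-lag failure points above, as an added example that is not part of the original article: a small Python reconciliation over constructed HR, asset-register and IAM extracts (all employee IDs, asset tags and dates are hypothetical) that flags unreturned assets, accounts still active after the termination date, and retention exceptions whose deadline has lapsed.

```python
from collections import Counter
from datetime import date

# Constructed sample extracts (hypothetical data, not from any real HRIS or asset register).
HR_LEAVERS = {"e101": date(2024, 3, 1), "e102": date(2024, 3, 15), "e103": date(2024, 4, 2)}
ASSET_REGISTER = [
    {"tag": "LT-0091", "owner": "e101", "returned": True},
    {"tag": "TK-0444", "owner": "e101", "returned": False},  # security token never booked back in
    {"tag": "LT-0093", "owner": "e102", "returned": False},
    {"tag": "LT-0095", "owner": "e103", "returned": False},  # retained under an approved exception
    {"tag": "LT-0100", "owner": "e200", "returned": False},  # current employee, out of scope
]
IAM_STATUS = {"e101": "DISABLED", "e102": "ACTIVE", "e103": "DISABLED", "e200": "ACTIVE"}
APPROVED_EXCEPTIONS = {"LT-0095": {"approver": "CISO", "deadline": date(2024, 5, 1)}}


def audit_leavers(leavers, assets, iam_status, exceptions, as_of):
    """Cross-reference HR leavers against the asset register and IAM status.

    Returns one finding per control gap visible as of `as_of`:
      ACCESS_STILL_ACTIVE - account not disabled on or after the termination date
      ASSET_UNRETURNED    - assigned asset not booked back and no approved exception
      EXCEPTION_EXPIRED   - retained asset whose exception deadline has passed
    """
    findings = []
    for emp, term_date in leavers.items():
        if as_of < term_date:
            continue  # not yet left: nothing is due back
        # A leaver missing from the IAM export is treated as not proven disabled.
        if iam_status.get(emp) != "DISABLED":
            findings.append({"employee": emp, "type": "ACCESS_STILL_ACTIVE",
                             "days_over": (as_of - term_date).days})
        for asset in assets:
            if asset["owner"] != emp or asset["returned"]:
                continue
            exc = exceptions.get(asset["tag"])
            if exc is None:
                findings.append({"employee": emp, "asset": asset["tag"], "type": "ASSET_UNRETURNED"})
            elif as_of > exc["deadline"]:
                findings.append({"employee": emp, "asset": asset["tag"],
                                 "type": "EXCEPTION_EXPIRED", "approver": exc["approver"]})
    return findings


def run_audit(as_of_iso):
    """Run the sample audit as of an ISO date string and count findings by type."""
    findings = audit_leavers(HR_LEAVERS, ASSET_REGISTER, IAM_STATUS, APPROVED_EXCEPTIONS,
                             date.fromisoformat(as_of_iso))
    return dict(Counter(f["type"] for f in findings))
```

Running the same reconciliation on several dates shows how an exception that was valid at one audit becomes a finding at the next, which is the evidence trail a GRC “Yes/No” toggle cannot provide.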

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
