Introduction: More Than Just a Checklist
You might think ISO 27001 Annex A 5.11 Return of assets is just a simple HR task. However, as a lead auditor, I often see this become a major failure point during ISO 27001 audits. You need to view this control as more than a line on an offboarding list. It is a vital shield against security holes that open up when a trusted person leaves your organization.
If you slip up here, it can lead to data breaches, theft of ideas, and heavy fines. This is exactly what Annex A control 5.11 helps you prevent. It requires that staff and outside parties return all assets when their job or contract ends. Tools like hightable.io can help you streamline these workflows to ensure nothing slips through the cracks.
This control also applies when roles change internally. If an employee moves from finance to marketing, they must return their secure finance laptop. The asset must always match the role. If you understand this, you are on your way to a strong process and a passing grade.
The Why: Understanding the Value of Asset Returns
At its heart, Control A.5.11 protects your data’s privacy, accuracy, and availability. It tackles the risk of assets leaving your control while still holding your secrets. A strong return process stops risks that could cost you money and ruin your reputation.
Here are the main risks you are fighting:
- Theft of Ideas: If you do not get assets back, you lose control of your best info. A lost USB drive with code or a laptop with research data is a huge failure. It gives your rivals a free edge.
- Data Leaks: Laptops and files hold client data and trade secrets. If you fail to get them back, that data can leak out. This breaks trust with your customers.
- Legal Trouble: A lost drive with customer data is a legal nightmare. It involves laws like the GDPR. If you fail to protect personal data, you could face huge fines.
This is a preventative control. Your goal is to stop a breach before it starts.
Building a Solid Foundation: The Six Pillars
I am not looking for a single document when I audit you. I want to see a full system that proves you control your assets from start to finish. This system rests on six pillars.
- Asset Management Policy: This sets the tone. It defines your promise to manage assets securely.
- Asset Management Process: This turns policy into action. It details how you track, assign, and return items.
- Up-to-Date Asset Register: This is the most critical part. It is the one true list of what you own and who has it. If this is wrong, you cannot prove what needs to be returned. Platforms like hightable.io are excellent for maintaining this kind of dynamic inventory.
- Rules for Acceptable Use: These are the rules you give staff on how to use company tools. It sets the standard from day one.
- Legal Contracts: Your contracts must make returning assets a legal duty. Without this, your policy has no teeth.
- HR Processes: This connects security to HR. When someone leaves or changes roles, it must trigger a security checklist every time.
Auditor’s Tip: These are not just papers for an audit. They must work together. If your register is wrong, your whole return process fails because you do not know what is missing.
The Audit in Action: What Auditors Look For
Auditors use evidence to see if your system works in real life. I am not here to just read a policy. I am here to see if it works. Here are the three things I will check.
The Leaver Process Check
I will ask for your HR procedure for people leaving. Then, I will pick a few people who left recently. I want to see proof for each one. I expect to see:
- Proof that all physical items like laptops and badges were returned.
- Proof that digital access was cut off quickly.
- Proof that company data was wiped from personal devices, if needed.
If there is a gap for even one person, you fail this check.
The Asset Register and Physical Check
I will look at your asset register to see if it is current. Then, I will look at the physical world. I will ask, “Show me where you keep the returned laptops,” and “Who has the keys?”
I want to see locked cabinets or secure rooms. This proves that assets are safe even after they come back.
The Legal and Contractual Check
Finally, I will read your contracts. I will check employment and vendor agreements. I want to see clauses that demand the return of assets. I will also look for rules about deleting data from personal devices. If your contract misses this, it is a major issue.
Handling Special Cases and High Risks
A good process must handle more than just a normal exit. I will test you on tricky situations to see if your controls hold up.
| Scenario | Challenge & Best Practice Solution |
|---|---|
| Bring Your Own Device (BYOD) | Challenge: You own the data, but not the device. You need proof the data is gone when they leave. Solution: You have two main options: |
| The Notice Period | Challenge: The time between giving notice and leaving is risky. They still have access and might take data. Solution: Start security steps the moment they give notice: |
Failing to manage these cases is a top cause of audit failure.
Top Three Audit Fails to Avoid
Even with a system, you can fail due to simple mistakes. Here are the three “killer mistakes” I see most often.
Outdated Asset Register
This is the most common error. I will check a person who left months ago. If the register says they had two monitors, but your return form only lists one, I will ask where the other one is. If you don’t know, it is a nonconformity. This shows your whole process is broken.
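The leaver sample check above (register versus return form, plus timely access removal) is easy to automate once the register is the single source of truth. The script below is an added example, not part of the article or any toolkit; the asset register, return forms, leaver records and the one-day revocation target are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): an asset register, the signed
# return forms collected at exit, and the leaver records HR hands to security.
ASSET_REGISTER = [
    {"asset_id": "LAP-0101", "type": "laptop", "assigned_to": "a.jones"},
    {"asset_id": "MON-0201", "type": "monitor", "assigned_to": "a.jones"},
    {"asset_id": "MON-0202", "type": "monitor", "assigned_to": "a.jones"},
    {"asset_id": "BDG-0301", "type": "badge", "assigned_to": "a.jones"},
    {"asset_id": "LAP-0102", "type": "laptop", "assigned_to": "b.smith"},
    {"asset_id": "BDG-0302", "type": "badge", "assigned_to": "b.smith"},
]
RETURN_FORMS = {
    "a.jones": {"LAP-0101", "MON-0201", "BDG-0301"},  # second monitor not on the form
    "b.smith": {"LAP-0102", "BDG-0302"},
}
LEAVERS = [
    {"user": "a.jones", "left": date(2024, 3, 29), "access_revoked": date(2024, 3, 29)},
    {"user": "b.smith", "left": date(2024, 4, 12), "access_revoked": date(2024, 4, 19)},
    {"user": "c.wong", "left": date(2024, 5, 3), "access_revoked": None},  # no form, no revocation
]
MAX_REVOCATION_DELAY = timedelta(days=1)  # assumed internal target, not set by the standard


def outstanding_assets(register, return_forms, user):
    """Assets the register says the user holds that no return form accounts for,
    plus returned items the register never assigned (a register error either way)."""
    held = {row["asset_id"] for row in register if row["assigned_to"] == user}
    returned = return_forms.get(user, set())
    return sorted(held - returned), sorted(returned - held)


def leaver_findings(register, return_forms, leavers, max_delay=MAX_REVOCATION_DELAY):
    """One finding per sampled leaver, mirroring the auditor's evidence check."""
    findings = {}
    for rec in leavers:
        missing, unknown = outstanding_assets(register, return_forms, rec["user"])
        revoked = rec["access_revoked"]
        late = revoked is None or revoked - rec["left"] > max_delay
        findings[rec["user"]] = {
            "form_present": rec["user"] in return_forms,
            "missing": missing,
            "not_in_register": unknown,
            "access_revoked_late": late,
        }
    return findings


def leaver_check_passes(findings):
    """The article's rule: a gap for even one sampled leaver fails the check."""
    return all(
        f["form_present"] and not f["missing"] and not f["not_in_register"] and not f["access_revoked_late"]
        for f in findings.values()
    )
```

Run against the sample data, a.jones fails on the unreturned monitor, b.smith on a week-late revocation, and c.wong on having no return form at all, so the check fails overall.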
Insecure Asset Destruction
I call this the “server graveyard.” You might have a room full of old drives and laptops that you never threw away properly. This is a huge risk. You need a process to destroy old tech securely and a certificate to prove it.
Poor Document Control
I often find policies that don’t match. Your policy might be version 1.2, but it talks about a process document that is version 1.0. Or, I might find a policy that no one has reviewed in a year. You must review and update your documents to prove your system is alive.
Conclusion: Creating a Culture of Accountability
Annex A 5.11 is not just a form you fill out when someone quits. It is a full system. You need clear documents, a solid paper trail, and a plan for risky cases. Using modern tools like hightable.io can help you maintain this system effectively.
The goal is to move past just following rules. You want true security. The real test is not just what you get back on the last day. It is how well you manage the risk in the final weeks. If you can control that, you are truly secure.
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
