How to Audit ISO 27001 Annex A 5.11 Return of Assets


In this ultimate how to audit guide to ISO 27001 Annex A 5.11 Return of Assets, you will learn directly from an ISO 27001 Lead Auditor:

  • 6 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 5.11 is a security control that mandates the return of all organisational assets by personnel and external parties upon termination of their employment, contract, or agreement. The primary implementation requirement involves formalising offboarding workflows and inventories to ensure maximum data protection and asset recovery.

Auditing the return of assets ensures that an organisation protects its information by reclaiming physical hardware and intellectual property when personnel leave or change roles. This process requires a robust intersection of HR records, IT asset registers, and formalised de-provisioning workflows to prevent data leakage.

Inspect the Asset Register and Inventory Accuracy

  • Cross-reference the master asset register with current HR headcount to identify assets assigned to active personnel versus leavers.
  • Validate that IAM roles and hardware IDs are uniquely mapped to specific individuals within the register.
  • Requirement: Provision an up-to-date inventory that includes serial numbers, physical locations, and asset classifications.

Review HR Termination and Offboarding Checklists

  • Examine a sample of offboarding records to ensure the “Return of Assets” workflow was triggered immediately upon notice.
  • Check for signed acknowledgement forms where employees confirm the return of all company-issued equipment.
  • Requirement: Formalise a checklist that includes laptops, mobile devices, security tokens, and physical keys.

Validate Physical Asset Recovery Procedures

  • Interview facilities or IT managers to verify the secure storage of returned hardware before it is redeployed or decommissioned.
  • Assess the Rules of Engagement (ROE) for remote staff, ensuring there is a documented courier or drop-off process for equipment recovery.
  • Requirement: Secure all recovered physical assets in a restricted area to prevent unauthorised access or tampering.

Audit Digital Access De-provisioning and Data Wipe Evidence

  • Verify that administrative access and cloud service accounts were revoked in alignment with the asset return.
  • Review certificates of destruction or data-wiping logs for devices intended for reuse or disposal.
  • Requirement: Revoke all logical access rights across SaaS and on-premise systems immediately upon the termination date.
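The two cross-reference checks above (asset register against HR leavers, and access revocation against the termination date) can be scripted so the auditor's sample is the whole population rather than a handful of records. The following is an added example, not code from the original guide or the Ultimate ISO 27001 Toolkit; the HR, asset-register and IAM records are constructed sample data, and their field names (`person_id`, `assigned_to`, `returned_on`, `disabled_on`) are assumptions about how an exported register might look.

```python
"""Reconcile HR leavers against the asset register and IAM account list.

Added example for auditing ISO 27001 Annex A 5.11. It implements three checks:
  1. assets still assigned to leavers with no recorded return,
  2. serials mapped to more than one person (breaks the unique-mapping requirement),
  3. leaver accounts still enabled, or disabled after the termination date.
All records are constructed sample data; field names are assumptions.
"""
from datetime import date, timedelta

# Constructed HR export: status and termination date per person.
HR_RECORDS = [
    {"person_id": "P001", "status": "active", "termination_date": None},
    {"person_id": "P002", "status": "leaver", "termination_date": date(2024, 3, 1)},
    {"person_id": "P003", "status": "leaver", "termination_date": date(2024, 3, 15)},
]

# Constructed asset register: returned_on stays None until the asset is recovered.
ASSET_REGISTER = [
    {"serial": "LT-1001", "type": "laptop", "assigned_to": "P001", "returned_on": None},
    {"serial": "LT-1002", "type": "laptop", "assigned_to": "P002", "returned_on": date(2024, 3, 1)},
    {"serial": "TK-2001", "type": "security token", "assigned_to": "P003", "returned_on": None},
    {"serial": "LT-1003", "type": "laptop", "assigned_to": "P003", "returned_on": None},
    {"serial": "LT-1003", "type": "laptop", "assigned_to": "P001", "returned_on": None},  # same serial twice
]

# Constructed IAM export: disabled_on is None while the account is still live.
IAM_ACCOUNTS = [
    {"account": "p001@example.test", "person_id": "P001", "disabled_on": None},
    {"account": "p002@example.test", "person_id": "P002", "disabled_on": date(2024, 3, 1)},
    {"account": "p003@example.test", "person_id": "P003", "disabled_on": None},
    {"account": "p003-admin@example.test", "person_id": "P003", "disabled_on": date(2024, 3, 20)},
]


def unreturned_assets(hr, assets):
    """Serials still assigned to a leaver with no return recorded."""
    leavers = {r["person_id"] for r in hr if r["status"] == "leaver"}
    return sorted(a["serial"] for a in assets
                  if a["assigned_to"] in leavers and a["returned_on"] is None)


def duplicate_assignments(assets):
    """Serials that the register maps to more than one person."""
    owners = {}
    for a in assets:
        owners.setdefault(a["serial"], set()).add(a["assigned_to"])
    return sorted(serial for serial, people in owners.items() if len(people) > 1)


def late_access_revocations(hr, accounts, grace_days=0):
    """Leaver accounts still enabled, or disabled after termination + grace period."""
    term = {r["person_id"]: r["termination_date"] for r in hr if r["status"] == "leaver"}
    findings = []
    for acct in accounts:
        termination = term.get(acct["person_id"])
        if termination is None:
            continue  # active staff are out of scope for this check
        deadline = termination + timedelta(days=grace_days)
        if acct["disabled_on"] is None:
            findings.append((acct["account"], "still enabled"))
        elif acct["disabled_on"] > deadline:
            days_late = (acct["disabled_on"] - deadline).days
            findings.append((acct["account"], f"disabled {days_late} days late"))
    return findings


def audit_report(hr, assets, accounts):
    """Combine the checks into one pass/fail result with the supporting findings."""
    report = {
        "unreturned_assets": unreturned_assets(hr, assets),
        "duplicate_assignments": duplicate_assignments(assets),
        "late_access_revocations": late_access_revocations(hr, accounts),
    }
    report["pass"] = not any(report[k] for k in
                             ("unreturned_assets", "duplicate_assignments", "late_access_revocations"))
    return report


if __name__ == "__main__":
    for key, value in audit_report(HR_RECORDS, ASSET_REGISTER, IAM_ACCOUNTS).items():
        print(f"{key}: {value}")
```

Each non-empty finding list is an item for the nonconformity report; the `grace_days` parameter lets the auditor apply whatever revocation window the organisation's own offboarding procedure states, while the default of zero reflects the "immediately upon the termination date" requirement above.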