A Practical Guide: How to Implement ISO 27001:2022 Annex A 5.11 – Return of Assets

Introduction: The Critical Importance of Getting Your Assets Back

What is the biggest security vulnerability your organisation faces when a trusted person leaves? You might be busy disabling their badge access, but the real danger is often walking out the door in a briefcase. Failing to manage the return of assets is a boring but critical gap that keeps security leaders awake at night. It might seem like a simple admin task, but it is actually a vital security control.

The ISO 27001:2022 standard addresses this in ISO 27001 Annex A 5.11 Return of assets. The control text reads:

“Personnel and other interested parties as appropriate should return all the organisation’s assets in their possession upon change or termination of their employment, contract or agreement.”

This control is not just for when people quit. It also applies to internal changes. For example, imagine an employee moves from a sensitive finance role to a marketing job. Their access needs change. You must take back the finance laptop with its privileged access. You must reallocate assets to match their new role. If you fail to do this, you create serious vulnerabilities.

This guide will show you the risks of unreturned assets. It will also give you a plan to build a compliant framework and help you pass your audit.

Why It Matters: Analysing the Risks

A strong process for asset returns is more than just housekeeping. It is a tool to stop data breaches and theft before they happen. Its main goal is to protect your most valuable information. This includes client data, trade secrets, and source code.

When you do not get an asset back, you lose control over the information inside it. This can lead to serious trouble.

  • Compromise of Security Principles: Information security stands on three pillars: Confidentiality, Integrity, and Availability. A single forgotten USB drive can break all three. Confidentiality breaks because the data is out of your hands. Integrity is at risk because the data could be altered without your knowledge. Availability is lost if that drive held the only copy of the data.
  • Legal Issues: If you lose an asset holding personal data, you face legal risks. If that data is exposed, you could face regulatory fines and lawsuits for failing to protect it.
  • Unauthorised Access: Every missing laptop, access card or hardware token is a key to your kingdom. A card that is never recovered still opens doors, and a laptop with cached credentials still logs in. If you fail to recover them, you are leaving the door unlocked for attackers.

The Foundational Ecosystem: Building a Framework

To comply with ISO 27001, you need more than a single policy document. You need a system where processes and records work together. When an auditor looks at Annex A 5.11, they check your whole framework. You need these six pillars to build a compliant system.

Asset Management Policy

This is your main governance document. It sets the rules for how you manage assets from the moment you buy them until you throw them away. It shows that your leadership cares about protecting company property.

Asset Management Process

The policy says what you will do. The process document says how you will do it. This is the operational guide your team follows day by day.

Up-to-Date Asset Register

This register is the heart of your framework. It records what each asset is, who has it, and its status. If you do not have an accurate register, you do not know what to ask for when someone leaves. An outdated register is an instant failure during an audit. Using a platform like hightable.io can help you maintain a dynamic and accurate single source of truth for your assets.

Rules for Acceptable Use

You must set ground rules for how people use equipment. You cannot enforce rules for returning items if you never told people how to treat them in the first place.

Legally Sound Contracts

Policies need legal backing. Your contracts for employees and vendors must say they have to return assets. They must also agree to delete company data when they leave. This gives your policy real power.

HR Process for Leavers

Your HR department triggers this system. When HR processes a person leaving, they must tell the security team immediately. This ensures you apply the process every single time.

The Practical Blueprint: A Step-by-Step Guide

A good process manages risk throughout the whole departure period. You must be proactive, not reactive.

Securing the Notice Period

The time between an employee giving notice and their last day is risky. The moment they resign, your security approach must change.

  • Review Access: Reduce their system privileges as soon as notice is given. Remove standing administrative rights first, then leave only the access they need to hand over their work.
  • Monitor Activity: Watch their activity more closely than usual. Look for bulk downloads, large transfers to personal email or cloud storage, and copies to removable media.
  • Control Assets: If the role is high risk, take their main device immediately. Give them a clean loaner device to finish their final tasks.

Managing Physical Returns

You need a formal process for the physical return of hardware.

  • Secure Transport: Use a trackable shipping service for remote workers. You need to know where the device is at every stage.
  • Remote Wipe: This is the best way to lower risk. Wipe the device remotely before the employee ships it back. If it gets lost in the mail, you only lose the hardware, not the data. Remember that a remote wipe only works while the device is powered on, online and still enrolled in your management tool, so full-disk encryption is what protects the data if the wipe command never arrives. Keep the wipe confirmation as evidence.
  • Secure Storage: Keep returned assets in a locked room or cabinet, and update the register to show they are back in stock. Do not leave them lying around.

The Bring-Your-Own-Device (BYOD) Challenge

BYOD is tricky because you own the data, but not the phone or laptop. You cannot ask for the phone back, but you must ensure your data is gone. Here are two ways to handle this.

Method: Technical Control (MDM)
Description: The best practice is to use Mobile Device Management (MDM) software. It keeps company apps and data in a managed container (a work profile) on the personal device. When the person leaves, you issue a selective wipe that removes only the company container and leaves personal data untouched. Check that the MDM policy actually enforces the container boundary, for example by blocking copy and paste and file sharing into personal apps; otherwise company data can sit outside the container where the wipe never reaches it.
Evidence: The MDM log showing the wipe command was issued and acknowledged as successful by the device.

Method: Administrative Control
Description: If you do not use MDM, you must rely on a signed document. The person signs a form confirming they have deleted all company data from their personal devices and accounts.
Evidence: The signed attestation form.

A signed paper is a weak control compared to a technical wipe. Relying only on a signature means you accept a higher level of risk. Record that decision in your risk register, and pair the attestation with disabling the accounts the device used, so that any copies the person kept at least stop receiving new data.

Passing the Audit: How to Demonstrate Compliance

An auditor wants to see that your system works in real life. To test this control, they will look at three main areas.

The Leaver Process Check

I will ask for your leaver procedure. Then, I will pick a random sample of people who left in the last year. You must show me the evidence trail for each one. I need to see that physical assets were returned and digital access was cut. If I find a gap for even one person, I will raise an issue.

The Asset Register Check

I will check if your register is messy. I look for assets assigned to people who left months ago. This is where tools like hightable.io prove their worth by keeping records tidy. I will also ask to see the physical assets. If the list says a laptop is in the cupboard, I want to see it in the cupboard.

The Contracts Check

I will check your contracts. I need to see clauses that demand the return of assets and deletion of data. If your contract misses this clause for BYOD users, you have a major gap.

Avoiding Common Pitfalls

Even with a good plan, you can fail if you lack discipline. These are the top three mistakes to avoid.

  • Outdated Asset Register: This is the most common failure. If a leaver returns one monitor but the register says they had two, you have a problem. You must know exactly what they have.
  • Insecure Storage: Do not let old hardware pile up in open rooms. This is a “server graveyard.” It creates a data risk because nobody knows what is on those drives.
  • Poor Version Control: Do not let your documents die. If your policy refers to an old process that does not exist anymore, it shows a lack of governance.
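A worked example of the register checks the auditor describes above and of the "outdated register" pitfall (one monitor back, two on the register). It is added here as illustration and is not code from the article or from High Table. It assumes a register export with a custodian and a status per asset, an HR leaver list with the assets ticked off on the leaver form, and a 14-day grace period; all of these, and the sample data, are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy value: days after the leaving date before an unreturned asset counts as overdue.
GRACE_DAYS = 14


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str
    owner: str    # user ID of the custodian, or "stores" once the item is back on the shelf
    status: str   # "assigned" or "in_stock"


@dataclass(frozen=True)
class Leaver:
    user_id: str
    leave_date: date
    returned: tuple  # asset IDs HR ticked off on the leaver form


# Constructed sample data: one laptop returned and booked in correctly, one monitor HR
# ticked off but the register never updated, a second monitor never returned at all,
# one laptop still inside the grace period, and one token held by a current employee.
REGISTER = [
    Asset("LT-1001", "laptop", "stores", "in_stock"),
    Asset("MON-2001", "monitor", "alice", "assigned"),
    Asset("MON-2002", "monitor", "alice", "assigned"),
    Asset("LT-1002", "laptop", "bob", "assigned"),
    Asset("LT-1003", "laptop", "carol", "assigned"),
    Asset("YK-3001", "security key", "dave", "assigned"),  # dave is still employed
]
LEAVERS = [
    Leaver("alice", date(2024, 3, 1), ("LT-1001", "MON-2001")),
    Leaver("bob", date(2024, 5, 20), ("LT-1002",)),
    Leaver("carol", date(2024, 6, 10), ()),
]


def overdue_assets(register, leavers, as_of, grace_days=GRACE_DAYS):
    """Asset IDs the register still shows assigned to a leaver after the grace period."""
    deadline = {lv.user_id: lv.leave_date + timedelta(days=grace_days) for lv in leavers}
    return sorted(
        a.asset_id for a in register
        if a.status == "assigned" and a.owner in deadline and as_of > deadline[a.owner]
    )


def return_mismatches(register, leavers):
    """Per leaver: asset IDs HR recorded as returned that the register still shows assigned
    to them, plus IDs on the HR form that do not exist in the register at all."""
    known = {a.asset_id for a in register}
    still_held = {}
    for a in register:
        if a.status == "assigned":
            still_held.setdefault(a.owner, set()).add(a.asset_id)
    findings = {}
    for lv in leavers:
        ticked = set(lv.returned)
        bad = (ticked & still_held.get(lv.user_id, set())) | (ticked - known)
        if bad:
            findings[lv.user_id] = sorted(bad)
    return findings


def audit_report(register, leavers, as_of):
    """One finding per line, in the order an auditor would raise them."""
    lines = [f"OVERDUE {aid}: still assigned to a leaver past the {GRACE_DAYS}-day grace period"
             for aid in overdue_assets(register, leavers, as_of)]
    for user, ids in return_mismatches(register, leavers).items():
        lines.append(f"MISMATCH {user}: HR form says returned but register disagrees: {', '.join(ids)}")
    return lines


if __name__ == "__main__":
    for line in audit_report(REGISTER, LEAVERS, date(2024, 6, 15)):
        print(line)
```

Run against a real export, the MISMATCH findings are the ones to chase first: they show the leaver form and the register telling two different stories, which is exactly the gap the auditor samples for. The OVERDUE list is what you should be able to show is empty, or at least tracked, for everyone who left in the audit period.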

Conclusion: Mastering the Full Lifecycle

ISO 27001 Annex A 5.11 is not flashy, but it is vital. Getting it right prevents data loss and helps you pass your audit. Effective asset protection is not a single event on the last day of work. It is a constant process.

When I audit this, I look closely at the notice period. How well do you handle risk when an employee is about to leave? If you can control that final window effectively, you prove your security maturity. That is how you stop leaks before they happen.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.