Implementing ISO 27001 Annex A 5.11 means formally executing a return-of-assets process so that everything issued to a leaver, hardware, software licences, physical keys and logical access credentials, is identified, recovered and verified on change or termination of employment, contract or agreement. The control text itself requires the return; the auditable chain of custody, the technical revocation of tokens and keys, and the sanitisation of returned media (which overlaps with Annex A 7.14, secure disposal or re-use of equipment) are what make that return evidenceable and prevent data leakage and unauthorised access after the person has left.
ISO 27001 Annex A 5.11 Return of Assets Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.11. Compliance with this control requires a physical and digital chain of custody, ensuring assets are actually returned, verified, and sanitized, rather than simply marking a checkbox in a portal.
1. Integrate HR Termination Triggers with IT
Control Requirement: A defined process must exist to initiate the return of assets upon termination.
Required Implementation Step: Configure your HR system (e.g., BambooHR, Workday) to raise a ticket automatically in the IT Service Desk queue as soon as a leaving date is recorded, and again a fixed lead time (for example 14 days) before the final date; for immediate terminations the trigger must fire at once, since there is no notice period. Do not rely on manual emails from line managers, which are frequently forgotten until after the employee has left the building.
Minimum Requirement: A documented automated workflow proving IT is notified of leavers in advance.
2. Generate the Individual Asset Manifest
Control Requirement: All assets in possession of the terminating employee must be identified.
Required Implementation Step: Open your Master Asset Register (created in Annex A 5.9). Filter by the leaver’s name and export a specific list of every hardware device (laptop, mobile, monitor), peripheral, and physical key assigned to them. Print this list to serve as the physical return checklist.
Minimum Requirement: A generated “Asset Return Schedule” listing specific serial numbers for the leaver.
3. Execute Remote Device Locking (MDM)
Control Requirement: Prevent access to corporate data on devices that are not returned on time.
Required Implementation Step: At the termination time, log into your Mobile Device Management (MDM) console (e.g., Intune, Jamf) and issue a "Lock" or "Selective Wipe" (corporate data only) command against each corporate device on the leaver's manifest. This stops the "I forgot to return it" scenario from becoming a data breach. Two caveats: the command only executes when the device next checks in, so an offline device stays unlocked and must be covered by account disablement and token revocation (Step 5) so that cached credentials cannot reach corporate services; and do not issue a full wipe until the data transfer in Step 9 has been confirmed.
Minimum Requirement: System logs showing the remote lock command was issued at the termination time and acknowledged by the device (or still pending, with the device flagged for follow-up).
4. Manage Physical Logistics for Remote Leavers
Control Requirement: Assets must be physically returned.
Required Implementation Step: For remote workers, pre-pay for a courier collection service. Send a specialized “IT Return Box” with protective foam and a pre-printed shipping label to their home address 3 days before their last day. Do not ask the employee to pay for postage and expense it; make the return frictionless.
Minimum Requirement: Tracking numbers for the courier collection of remote hardware.
5. Revoke Shadow IT and OAuth Tokens
Control Requirement: Associated assets (logical access) must be returned/revoked.
Required Implementation Step: Disabling the account in the identity provider is insufficient. Already-issued OAuth access and refresh tokens, personal access tokens, API keys and long-lived sessions are validated by the relying platform, not by the password, so they keep working after the account is disabled or the password is changed. For each critical platform (e.g., Salesforce, AWS, GitHub) you must explicitly revoke the leaver's sessions and refresh tokens, delete their personal access tokens, deactivate any IAM access keys they held, and rotate any shared secrets or service-account keys they knew.
Minimum Requirement: A per-credential revocation record for each critical cloud platform (session revocation event, deleted token, deactivated key), not a single "user disabled" entry.
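The reconciliation that turns Step 5 into evidence is mechanical: take the inventory of credentials tied to the leaver, take the audit logs from each platform, and prove that every credential has a revocation event at or shortly after the termination time. The script below is an added example written for this page, not code from ISO 27001 or from any vendor; the credential inventory, the JSON-lines log format, the platform names and the action names are constructed for illustration and must be mapped to your real exports. It encodes the key point of this step: an account-disable event is deliberately not accepted as revocation of a token or key.

```python
"""Leaver credential reconciliation (added example, not part of the original page).

Proves that every token/key tied to a leaver was technically revoked after the
termination time, rather than merely that the account was disabled.
Inventory, log format, platform names and action names are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed credential inventory for one leaver (hypothetical identifiers).
CREDENTIALS = [
    {"platform": "entra",      "type": "refresh_token", "id": "rt-0001"},
    {"platform": "github",     "type": "pat",           "id": "pat-7f3a"},
    {"platform": "aws",        "type": "access_key",    "id": "AKIAEXAMPLEKEY001"},
    {"platform": "salesforce", "type": "session",       "id": "sess-2291"},
]

# Which audit actions count as technical revocation for each credential type.
# Account disablement is deliberately NOT listed: it does not invalidate
# already-issued tokens or long-lived keys.
REVOKING_ACTIONS = {
    "refresh_token": {"revokeSignInSessions"},
    "pat":           {"personal_access_token.deleted"},
    "access_key":    {"DeleteAccessKey", "UpdateAccessKey:Inactive"},
    "session":       {"SessionRevoked"},
}
DISABLE_ACTIONS = {"AccountDisabled"}

# Constructed audit log (JSON lines) merged from the IdP and SaaS platforms.
# The AWS key is only deactivated three days late; the Salesforce session is
# never revoked, although the Salesforce user was disabled.
AUDIT_LOG = """\
{"ts": "2024-05-31T16:58:00Z", "platform": "entra", "action": "AccountDisabled", "target": "user:j.doe"}
{"ts": "2024-05-31T17:01:10Z", "platform": "entra", "action": "revokeSignInSessions", "target": "rt-0001"}
{"ts": "2024-05-31T17:05:42Z", "platform": "github", "action": "personal_access_token.deleted", "target": "pat-7f3a"}
{"ts": "2024-06-03T09:14:00Z", "platform": "aws", "action": "UpdateAccessKey:Inactive", "target": "AKIAEXAMPLEKEY001"}
{"ts": "2024-05-31T17:02:00Z", "platform": "salesforce", "action": "AccountDisabled", "target": "user:j.doe"}
"""

TERMINATION = datetime(2024, 5, 31, 17, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Parse JSON-lines audit events; timestamps become aware UTC datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def reconcile(credentials, events, termination, grace=timedelta(hours=1)):
    """Return {'revoked': [ids with a revocation event], 'findings': [(id, reason)]}.

    A credential is a finding if it has no revoking event at all, or if its
    first revoking event lands more than `grace` after the termination time.
    """
    disabled_platforms = {e["platform"] for e in events if e["action"] in DISABLE_ACTIONS}
    revoked, findings = [], []
    for cred in credentials:
        hits = [
            e for e in events
            if e["platform"] == cred["platform"]
            and e["target"] == cred["id"]
            and e["action"] in REVOKING_ACTIONS[cred["type"]]
        ]
        if not hits:
            if cred["platform"] in disabled_platforms:
                findings.append((cred["id"], "account disabled but credential never revoked"))
            else:
                findings.append((cred["id"], "no revocation event found"))
            continue
        first = min(h["ts"] for h in hits)
        if first > termination + grace:
            findings.append((cred["id"], f"revoked late: {first - termination} after termination"))
        revoked.append(cred["id"])
    return {"revoked": revoked, "findings": findings}


if __name__ == "__main__":
    result = reconcile(CREDENTIALS, parse_log(AUDIT_LOG), TERMINATION)
    for cid in result["revoked"]:
        print(f"OK       {cid}")
    for cid, reason in result["findings"]:
        print(f"FINDING  {cid}: {reason}")
```

Run against the constructed data, the Entra refresh token and the GitHub token pass, the AWS key is reported as revoked late, and the Salesforce session is flagged because the only Salesforce event is an account disable. The findings list is the artefact to attach to the leaver ticket; an empty list is the evidence the "Session Revocation" minimum requirement asks for.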
6. Verify Physical Integrity and Serial Numbers
Control Requirement: Verification that the correct asset has been returned.
Required Implementation Step: When the hardware arrives, IT staff must physically inspect the serial number against the manifest from Step 2. Check for signs of tampering (e.g., opened screws, swapped hard drives). Document the condition (Grade A/B/C) to determine if the asset can be redeployed.
Minimum Requirement: A signed “Goods In” receipt matching the asset tag to the serial number.
7. Perform Cryptographic Sanitization (Data Wiping)
Control Requirement: Information on returned assets must be wiped.
Required Implementation Step: Before re-stocking the device, boot it from your imaging or sanitisation media (not from the installed OS) and sanitise the drive to at least the NIST SP 800-88 Purge level. If the drive was fully encrypted for its entire service life (BitLocker, FileVault, or a self-encrypting drive), cryptographic erase is an acceptable rapid Purge method: destroy the media encryption key and every escrowed recovery key, so that the remaining ciphertext is unrecoverable, rather than "rotating" the key, which re-encrypts and keeps the data readable. If the drive was ever used unencrypted, fall back to the drive's native sanitize command or a verified overwrite. Re-image the machine with the standard corporate image immediately afterwards.
Minimum Requirement: A “Certificate of Sanitization” or re-imaging log for the specific device.
8. Recover Physical Access Tokens
Control Requirement: Access to physical premises must be revoked.
Required Implementation Step: Demand the return of physical entry fobs and server room keys. If a physical key is lost, you must re-key the relevant locks. For electronic fobs, deactivate the specific card ID in the door access system immediately upon termination.
Minimum Requirement: Log from the Physical Access Control System (PACS) showing the badge deactivation.
9. Transfer Local Data and Knowledge
Control Requirement: Organizational information must be retained.
Required Implementation Step: Before the account is closed and before the device is wiped in Step 7, the line manager must sit with the leaver to move critical files from local storage (Desktop/Documents) to a shared team folder. Grant the line manager access to the leaver's OneDrive/Google Drive archive for 30 days to recover any business data that was missed.
Minimum Requirement: Confirmation from the Line Manager that “Knowledge Transfer” is complete.
10. Obtain Legal Sign-off on Asset Return
Control Requirement: Formal documentation of the return.
Required Implementation Step: Include a specific “Return of Assets Declaration” in the Exit Interview documentation. The employee must sign confirming they have returned all data, hardware, and hard copies, and deleted any corporate data from personal devices. Store this legal document in their personnel file.
Minimum Requirement: A signed Exit Declaration form listing all returned items.
ISO 27001 Annex A 5.11 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Asset Identification | The GRC tool lists “Laptop” as returned. | Failure: Which laptop? Without verifying the specific Asset Tag/Serial Number against the register, the user could return an old, broken personal device and keep the corporate MacBook. |
| HR/IT Communication | A manual task in the GRC dashboard to “Notify IT”. | Failure: Humans forget manual tasks. If the notification isn’t an automated API call from HR to the IT Ticketing system, the window of opportunity for data theft remains open. |
| Data Sanitization | A checkbox saying “Device Wiped”. | Failure: A checkbox is not evidence. You need a system-generated log from the imaging software or MDM confirming the drive was actually sanitized (cryptographically erased or overwritten), not merely formatted, which leaves the data recoverable. |
| Remote Returns | The policy says “User must return equipment”. | Failure: Expecting a disgruntled leaver to pay for shipping is naive. Without a pre-paid courier process managed by logistics, you will simply lose the hardware. |
| Cloud Sessions | Disabling the user in the GRC tool. | Failure: Disabling a GRC user does not revoke a Google Cloud Service Account key or a persistent Salesforce session token. Technical revocation must happen in the specific apps. |
| Personal Data | User ticks “I have deleted company data”. | Failure: Self-attestation is not evidence. You need technical enforcement (MDM with a managed work profile or app-protection container) that lets you selectively wipe corporate data from their personal phone without touching their photos. |
| Knowledge Transfer | Not covered by the tool. | Failure: The laptop is returned, but the only copy of the departmental budget was on the desktop. The device is wiped, and the data is lost forever. Process must precede technology. |
