In this ultimate how-to guide to implementing ISO 27001 Annex A 5.11 Return of Assets, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Return of Assets Implementation Checklist
- 1. Integrate HR Termination Triggers with IT
- 2. Generate the Individual Asset Manifest
- 3. Execute Remote Device Locking (MDM)
- 4. Manage Physical Logistics for Remote Leavers
- 5. Revoke Shadow IT and OAuth Tokens
- 6. Verify Physical Integrity and Serial Numbers
- 7. Perform Cryptographic Sanitization (Data Wiping)
- 8. Recover Physical Access Tokens
- 9. Transfer Local Data and Knowledge
- 10. Obtain Legal Sign-off on Asset Return
- ISO 27001 Annex A 5.11 SaaS / GRC Platform Implementation Failure Checklist
Implementing ISO 27001 Annex A 5.11 means formally executing asset recovery procedures so that all organisational assets, including hardware, software licenses and physical keys, are returned and verified upon termination. The control mandates a chain of custody and cryptographic data sanitisation to prevent data leakage and unauthorised access after employment ends.
ISO 27001 Return of Assets Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.11. Compliance with this control requires a physical and digital chain of custody, ensuring assets are actually returned, verified, and sanitized, rather than simply marking a checkbox in a portal.
1. Integrate HR Termination Triggers with IT
Control Requirement: A defined process must exist to initiate the return of assets upon termination.
Required Implementation Step: Configure your HR system (e.g., BambooHR, Workday) to send an automated critical alert to the IT Service Desk ticket queue exactly 14 days before an employee’s final date. Do not rely on manual emails from line managers, which are frequently forgotten until after the employee has left the building.
Minimum Requirement: A documented automated workflow proving IT is notified of leavers in advance.
2. Generate the Individual Asset Manifest
Control Requirement: All assets in possession of the terminating employee must be identified.
Required Implementation Step: Open your Master Asset Register (created in Annex A 5.9). Filter by the leaver’s name and export a specific list of every hardware device (laptop, mobile, monitor), peripheral, and physical key assigned to them. Print this list to serve as the physical return checklist.
Minimum Requirement: A generated “Asset Return Schedule” listing specific serial numbers for the leaver.
3. Execute Remote Device Locking (MDM)
Control Requirement: Prevent data exfiltration during the notice period.
Required Implementation Step: On the employee’s final minute of employment, log into your Mobile Device Management (MDM) console (e.g., Intune, Jamf). Execute a “Lock” or “Selective Wipe” command on their corporate devices. This prevents the “I forgot to return it” scenario from becoming a data breach risk.
Minimum Requirement: System logs showing the remote lock command was issued at the termination time.
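The three steps above (HR trigger, asset manifest, remote lock) form one leaver workflow, so here is a single worked example of that workflow in Python. It is an added illustration, not code from this guide, from BambooHR, Workday, Intune or Jamf, and it assumes a constructed asset register modelled on an Annex A 5.9 register; the names `ASSET_REGISTER`, `it_notification_date`, `asset_return_schedule`, `verify_returns`, `issue_remote_lock` and `process_leaver` are all hypothetical. The MDM call is represented only by the evidence log entry the auditor would ask for; a real deployment would issue the lock through the MDM console's own API.

```python
from datetime import date, datetime, timedelta, timezone

# Constructed sample asset register (hypothetical rows, one per assigned asset).
# A real register is exported from the Master Asset Register built under Annex A 5.9.
ASSET_REGISTER = [
    {"asset_id": "LAP-0042", "type": "laptop",       "serial": "SN-LAP-0042", "assigned_to": "j.doe"},
    {"asset_id": "MOB-0017", "type": "mobile",       "serial": "SN-MOB-0017", "assigned_to": "j.doe"},
    {"asset_id": "MON-0101", "type": "monitor",      "serial": "SN-MON-0101", "assigned_to": "j.doe"},
    {"asset_id": "KEY-0003", "type": "physical key", "serial": "KEY-0003",    "assigned_to": "j.doe"},
    {"asset_id": "LAP-0051", "type": "laptop",       "serial": "SN-LAP-0051", "assigned_to": "a.smith"},
]

# Device types that are enrolled in MDM and can therefore receive a remote lock.
MDM_MANAGED_TYPES = {"laptop", "mobile"}

# Step 1: IT must be alerted this many days before the final working date.
NOTICE_DAYS = 14


def it_notification_date(final_date: date, notice_days: int = NOTICE_DAYS) -> date:
    """Date on which the HR-driven alert must land in the IT service desk queue."""
    return final_date - timedelta(days=notice_days)


def asset_return_schedule(register: list[dict], user: str) -> list[dict]:
    """Step 2: every asset currently assigned to the leaver, serial numbers included."""
    return [row for row in register if row["assigned_to"] == user]


def verify_returns(schedule: list[dict], returned_serials: list[str]) -> tuple[list[str], list[str]]:
    """Chain-of-custody check: compare serials handed back against the schedule.

    Returns (outstanding, unexpected): outstanding serials still need chasing,
    unexpected serials were returned but never assigned to this leaver and must
    be reconciled against the register before they are reissued.
    """
    expected = {row["serial"] for row in schedule}
    returned = set(returned_serials)
    return sorted(expected - returned), sorted(returned - expected)


def issue_remote_lock(schedule: list[dict], termination_time: datetime, log: list[dict]) -> list[str]:
    """Step 3: record a remote-lock command for each MDM-managed device at termination time.

    Only the evidence record is produced here; the actual lock would be sent via
    the MDM console. Returns the serials a lock was issued for.
    """
    locked = []
    for row in schedule:
        if row["type"] in MDM_MANAGED_TYPES:
            log.append({
                "time": termination_time.isoformat(),
                "action": "remote_lock",
                "serial": row["serial"],
            })
            locked.append(row["serial"])
    return locked


def process_leaver(user: str, final_date: date, register: list[dict] = ASSET_REGISTER) -> dict:
    """Run the full workflow for one leaver and return the auditable artefacts."""
    schedule = asset_return_schedule(register, user)
    termination_time = datetime.combine(final_date, datetime.max.time()).replace(microsecond=0, tzinfo=timezone.utc)
    lock_log: list[dict] = []
    locked = issue_remote_lock(schedule, termination_time, lock_log)
    return {
        "notify_it_on": it_notification_date(final_date),
        "schedule": schedule,
        "locked_serials": locked,
        "lock_log": lock_log,
    }


if __name__ == "__main__":
    result = process_leaver("j.doe", date(2024, 3, 15))
    print("Notify IT on:", result["notify_it_on"])
    for row in result["schedule"]:
        print(f"  return {row['type']:<13} {row['serial']}")
    outstanding, unexpected = verify_returns(result["schedule"], ["SN-LAP-0042", "KEY-0003"])
    print("Outstanding:", outstanding, "Unexpected:", unexpected)
```

Running the script prints the Asset Return Schedule for the constructed leaver, the date IT must be notified, and which serials are still outstanding after a partial return. The `verify_returns` result is the point of the exercise: an empty `outstanding` list is the evidence that assets were actually recovered rather than ticked off in a portal, and any `unexpected` entry signals a register that has drifted from reality.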