In this ultimate how-to audit guide to ISO 27001 Annex A 5.11 Return of Assets, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Return of Assets Policy Formally Defined
- 2. Employment Contract Terms Verified
- 3. Exit Interview Asset Reconciliation Verified
- 4. Hardware Return Log Validated
- 5. Data Retrieval from Personal Devices Confirmed
- 6. Access Rights Revocation Synchronised
- 7. Intellectual Property & Knowledge Transfer Verified
- 8. External Contractor Offboarding Verified
- 9. Non-Return / Damage Procedure Evidence Present
- 10. Secure Storage of Returned Assets
Auditing ISO 27001 Annex A 5.11 validates the secure offboarding process to ensure all physical and digital assets are recovered from terminating employees. The audit confirms the Primary Implementation Requirement of cross-referencing returned hardware against the Asset Register and verifying data deletion. The Business Benefit is preventing data leakage and unauthorized access post-employment.
Use this pass/fail checklist to strictly validate compliance with ISO 27001 Annex A 5.11 (Return of Assets). For a detailed methodology on how to conduct the interviews and system tests required to generate this evidence, refer to our Annex A 5.11 Audit Guide.
1. Return of Assets Policy Formally Defined
- Verification Criteria: A documented policy exists (often part of the Asset Management Policy) explicitly stating that all employees and contractors must return assets upon termination or contract change.
- Required Evidence: The “Asset Management Policy” or “Acceptable Use Policy” (Version controlled and approved).
- Pass/Fail Test: If the requirement to return assets is only “implied” or verbal and not written in a formal policy, mark as Non-Compliant.
2. Employment Contract Terms Verified
- Verification Criteria: Standard employment contracts and contractor agreements contain specific clauses mandating the return of equipment and data deletion upon exit.
- Required Evidence: A sample of 3 recent employment contracts (redacted PII) showing the “Return of Property” clause.
- Pass/Fail Test: If the contract mentions “confidentiality” but fails to explicitly demand the physical return of hardware (laptops, keys), mark as Non-Compliant.
3. Exit Interview Asset Reconciliation Verified
- Verification Criteria: The offboarding process includes a mandatory step where the leaver’s assigned assets (from the Asset Register) are cross-checked against what they are physically handing back.
- Required Evidence: Completed “Leaver Checklists” for the last 3 terminated employees, signed by both HR/IT and the employee.
- Pass/Fail Test: If the leaver form has a generic checkbox for “Assets Returned” but does not list the specific serial numbers returned, mark as Non-Compliant.
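The reconciliation step above is easy to check mechanically: take the leaver's rows from the Asset Register, take the serial numbers recorded on the signed Leaver Checklist, and compare the two sets. The script below is an added example written for this guide, not part of the toolkit or the standard; the register extract, checklist, user names and serial numbers are constructed and hypothetical. It reports what came back, what is still outstanding, and anything handed back that the register assigns to someone else, and it treats a checklist with no serials (the generic "Assets Returned" checkbox) as a fail because nothing can be matched.

```python
"""Added example: reconcile a leaver's returned assets against the Asset Register.
Not part of the original audit guide; all data below is constructed."""
import csv
from dataclasses import dataclass, field
from io import StringIO
from typing import Dict, List

# Constructed Asset Register extract (hypothetical IDs, serials and user names).
ASSET_REGISTER_CSV = """asset_id,asset_type,serial_number,assigned_to
A-0101,Laptop,SN-LAP-0001,j.doe
A-0102,Phone,SN-PHN-0001,j.doe
A-0103,Access Token,SN-TOK-0001,j.doe
A-0201,Laptop,SN-LAP-0002,a.smith
"""

# Constructed Leaver Checklist: one row per physical item actually handed back.
# Note the second row is a serial the register assigns to another user.
LEAVER_CHECKLIST_CSV = """leaver,serial_number,received_by,date
j.doe,SN-LAP-0001,it.desk,2024-03-01
j.doe,SN-LAP-0002,it.desk,2024-03-01
"""


@dataclass
class ReconciliationResult:
    leaver: str
    returned: List[str] = field(default_factory=list)    # assigned to the leaver and handed back
    missing: List[str] = field(default_factory=list)     # assigned to the leaver, not handed back
    unexpected: List[str] = field(default_factory=list)  # handed back but not assigned to the leaver

    def passed(self) -> bool:
        """Pass only when every assigned asset came back, nothing stray came back,
        and at least one serial was recorded (a bare checkbox yields no serials)."""
        return bool(self.returned) and not self.missing and not self.unexpected


def load_csv(text: str) -> List[Dict[str, str]]:
    """Parse a CSV extract (register or checklist) into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def reconcile(register: List[Dict[str, str]],
              checklist: List[Dict[str, str]],
              leaver: str) -> ReconciliationResult:
    """Cross-check the leaver's register entries against the serials on the checklist."""
    assigned = {row["serial_number"].strip()
                for row in register if row["assigned_to"] == leaver}
    # Blank serials are dropped: a checklist that only ticks a box records nothing usable.
    handed_back = {row["serial_number"].strip()
                   for row in checklist
                   if row["leaver"] == leaver and row["serial_number"].strip()}
    result = ReconciliationResult(leaver=leaver)
    result.returned = sorted(assigned & handed_back)
    result.missing = sorted(assigned - handed_back)
    result.unexpected = sorted(handed_back - assigned)
    return result


def report(result: ReconciliationResult) -> str:
    """Render an auditor-readable summary of one leaver's reconciliation."""
    verdict = "COMPLIANT" if result.passed() else "NON-COMPLIANT"
    lines = [f"Leaver: {result.leaver}  Verdict: {verdict}",
             f"  returned:   {', '.join(result.returned) or '-'}",
             f"  missing:    {', '.join(result.missing) or '-'}",
             f"  unexpected: {', '.join(result.unexpected) or '-'}"]
    return "\n".join(lines)


if __name__ == "__main__":
    outcome = reconcile(load_csv(ASSET_REGISTER_CSV), load_csv(LEAVER_CHECKLIST_CSV), "j.doe")
    print(report(outcome))
```

Run against the constructed data, the sample leaver fails: the phone and access token are still outstanding, and the laptop that was handed back belongs to a different user, which is exactly the kind of mismatch a generic "Assets Returned" tick would hide.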