When a trusted employee or contractor leaves, it raises a security question that keeps many CSOs and CEOs awake at night. If you run an Artificial Intelligence company, the stakes are even higher. The real danger isn’t just about turning off their email access. It is about the high-value intellectual property that might walk out the door with them.
Think about the source code for your new algorithm, the training data on a USB drive, or a laptop holding a uniquely trained model. These aren’t just files; they are the core of your business. If you fail to get them back, it is not just a mistake. It is a threat to your company’s survival. For more insights on managing these risks, you can check out resources at hightable.io.
This is exactly what ISO 27001 Annex A 5.11, “Return of Assets,” is designed to handle. It is a structured defense to stop your critical data from leaking. This guide will help you set this up effectively. It will help you pass your audit, but more importantly, it will help you protect the assets that give you a competitive edge.
What is Annex A 5.11 and Why Does It Matter?
Before you start building processes, you need to understand what this control really means. For an AI company, this is not just an HR form to file away. It is a key part of protecting your intellectual property.
Defining the Control
The ISO 27001 standard is very direct. It states that all employees and other interested parties must return all organizational assets when their employment or contract ends or changes. Note the word “changes.” If an employee moves from a finance role to a marketing role, they probably don’t need that high-security laptop anymore. You must collect it to ensure their assets match their current job.
The ‘So What?’ for Your Company
For you, this control is more than a checklist. Its goal is to stop the theft of IP and data. If you lose control of these assets, you face legal and commercial risks.
- Protecting IP and Trade Secrets: Your assets are containers for value. A single USB drive could hold the proprietary code or algorithms that run your business.
- Data Protection Compliance: If you don’t retrieve a device with personal data, you could be breaking laws like the GDPR. This leads to fines and bad press.
- The Security Triad: An unreturned asset hurts your security posture. It risks confidentiality (competitors seeing your models), integrity (someone altering your training data), and availability (losing the only copy of a dataset).
Identifying Your Assets: What Do You Need to Reclaim?
You cannot ask for things back if you don’t know they are missing. For AI companies, this goes way beyond just laptops and phones. You need a full inventory to make your offboarding work.
Physical Hardware
These are the things you can touch. Don’t forget the small stuff:
- Endpoint devices: Laptops, desktops, phones, and tablets.
- Storage: USB drives, external hard drives, and SD cards.
- Access keys: Physical entry cards, security tokens, and office keys.
- Special gear: Powerful GPUs or specific hardware used for R&D.
Information and Data
These are intangible but often worth the most money:
- Source code, trained models, and model weights.
- Cleaned training datasets.
- Configuration files and validation results.
- Physical notebooks or printed files.
Access Credentials
You must also take back the digital keys:
- User accounts for cloud services and apps.
- Software licenses you pay for.
- Digital certificates used for encryption.
Building Your Asset Return System
You can’t comply with Annex A 5.11 using just a sticky note. An ISO auditor will expect to see a real system in place. You need these six pillars to make it work.
- Asset Management Policy: This is your high-level rulebook. It tells your team how assets are valued and tracked from day one.
- Asset Management Process: This is the “how-to” guide. It details the steps for handing out and taking back equipment.
- An Asset Register: This is vital. It is your single source of truth. If your register is wrong, you cannot secure your gear.
- Acceptable Use Rules: This document sets the boundaries. It tells staff what they can and cannot do with company tech.
- Legal Contracts: Your employment contracts must say that staff have to return assets when they leave. Without this, your policy has no teeth.
- The HR Process: When HR flags a leaver, it must trigger your security checklist immediately.
The Offboarding Playbook
Once your system is built, you need to execute it when someone leaves. Here is how to handle the physical return.
Secure Return and Transport
If your team is remote, don’t just ask them to mail it. Use a trackable courier service. You need to know where that asset is at all times.
Secure Remote Wipe
This is a best practice. If you can, wipe the device remotely before it gets shipped. If the package gets lost in the mail, you only lose a piece of metal, not your company secrets.
Secure Storage
When the device arrives, lock it up. Do not leave it on a desk. Put it in a secure cabinet until it can be wiped and re-imaged for the next person.
Tackling Tricky Scenarios
A mature company knows how to handle the hard stuff. For AI firms, this usually means personal devices and the notice period.
BYOD (Bring Your Own Device)
You cannot take an employee’s personal phone, but you are responsible for the company data on it. You have two options:
- Technical Control: Use Mobile Device Management (MDM) software. This creates a “corporate container” on the phone. When they leave, you wipe just that container.
- Procedural Control: Have them sign a document confirming they have deleted all company data. For high-risk roles, this might not be enough.
The High-Risk Notice Period
The time between an employee quitting and their last day is risky. They still have access, but they are leaving. You should review their access rights immediately. Monitor their downloads. For sensitive roles like ML engineers, consider taking their main device early and giving them a “clean” loaner laptop for their final tasks.
Passing the Test: The Auditor’s View
An auditor won’t just take your word for it. They will want proof. Here is what they look for:
- The Leaver Check: They will pick a random name from your list of recent leavers. They will ask to see proof that their laptop was returned and their access was cut.
- The Physical Check: They will look at your asset register and then ask to see the actual items. If the register says “Shelf A” and the laptop isn’t there, that is a problem.
- The Contract Check: They will read your employment contracts to ensure the “return of assets” clause is actually there.
Avoiding Common Failures
Most companies fail on the basics. Avoid these three mistakes to save yourself a headache.
1. An Outdated Register
This is the most common error. If your register says an employee has two monitors, but they only return one, and you don’t know where the other one is, you fail. Keep your list updated.
2. The “Server Graveyard”
Don’t pile old hardware in an unlocked room. Auditors want to see a secure disposal process. You need a certificate of destruction when you throw things away.
3. Poor Documentation
Make sure your policy documents are current. If your policy references a process that doesn’t exist anymore, it shows a lack of control.
Conclusion
For an AI company, Annex A 5.11 is not just a compliance task. It is a strategic move. It is the system you use to protect your innovations and your value. The true test is not just how you handle a standard exit, but how you manage the risks when a key player walks out the door. Do it right, and your value stays with you.
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
