A Practical Guide for SMEs: Mastering ISO 27001 Annex A 5.11 – Return of Assets

ISO 27001 Annex A 5.11 for Small Business

What is the biggest security gap when a trusted team member leaves your business? It is a question that keeps plenty of business owners awake at night. You might think the answer is network access, but the real danger is often what they take with them physically. The risk isn’t just about turning off a password; it is about getting your stuff back.

When an employee or contractor moves on, the items they hold (laptops, phones, USB drives, or even stacks of paper) become liabilities. One missing device could hold client data or trade secrets, creating a fast track to a data breach. This is exactly what ISO 27001 Annex A 5.11, “Return of Assets,” is built to stop.

This guide is your blueprint. We will walk through the paperwork you need, the steps to take, and the mistakes to avoid. By the end, you will know how to build a process that protects your business and keeps your auditor happy.


What is Annex A 5.11 and Why Does It Matter?

The Core Requirement

Understanding Annex A 5.11 is your first step toward securing your business. It isn’t just a box to tick; it is a shield against data breaches.

  • The Definition: Simply put, this rule says that everyone (employees, contractors, or partners) must return all organization assets when their employment or agreement changes or ends.
  • “Change” vs. “Termination”: This is the part most people miss. It isn’t just about people quitting. It applies to internal moves, too. If your finance manager moves to the marketing team, do they still need that specialized finance laptop? Probably not. Under Annex A 5.11, you must collect that asset and wipe it. This ensures access always matches the current job.

Why You Should Care

For an SME, failing to get assets back is like locking the front door but leaving a window wide open. If you ignore this, you put all three legs of the “CIA triad” of security at risk:

  • Confidentiality: Your secrets stop being secret. Competitors could see your client lists.
  • Integrity: Your data could be changed without you knowing. Imagine someone altering code or invoices before they leave.
  • Availability: You might lose access to files you need to run your company. If the only copy of a project is on a lost laptop, that project is gone.

Beyond the data, there are legal risks. Laws like the GDPR don’t care if you lost a device by accident; you can still face fines. This control helps you avoid that nightmare.


Building Your System: The 6 Foundational Pillars

You can’t satisfy an auditor with a simple checklist. They want to see a working system. Think of these six pillars as the foundation of your asset security.

Pillar 1: The Asset Management Policy

This is your “big picture” document. It tells the world (and your staff) how you value and track items from the day you buy them to the day you throw them away.

Pillar 2: The Process

This translates your policy into action. It details the specific steps everyone must follow, ensuring consistency every time.

Pillar 3: The Up-to-Date Asset Register

This is the heart of your system. It is a list of what you own and who has it. If this list is wrong, your return process fails because you won’t know what to ask for. For modern SMEs, managing this manually is a pain. Platforms like hightable.io can help you maintain a dynamic, accurate single source of truth, so you never face the “red flag” of a messy inventory during an audit.

Pillar 4: Acceptable Use Rules

These are the rules of the road. You need to tell your team clearly how they are allowed to use company gear. This removes ambiguity later on.

Pillar 5: Ironclad Agreements

Get your lawyers involved. Your employment contracts must legally require the return of assets. Without this clause, your policy is just a polite request, not a requirement.

Pillar 6: The HR Process

Your HR team starts the engine. When they process a “leaver” or a “mover,” it should automatically trigger your security checklist. This ensures you never forget to ask for a laptop back just because you were busy.



Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit

The Playbook: Step-by-Step Actions

Now that you have the foundation, here is your game plan for when someone actually leaves.

Managing the Notice Period

The time between a resignation and the final day is your biggest risk window. The employee is still there, but they might feel disconnected. To stay safe:

  • Review Access Now: Cut off access to data they don’t strictly need for their final tasks.
  • Watch Closely: Keep an eye on data transfers or heavy printing.
  • Asset Swap: In high-risk roles, take their main laptop early and give them a “clean” loaner device for their last few days.

Departure Day: Return and Storage

When the final day comes, you need a secure physical process.

  • In-Person is Best: If possible, get the items hand-delivered.
  • Remote Safety: If you must ship it, wipe the device remotely before it goes in the mail. Use Mobile Device Management (MDM) tools to erase company data. If the package gets lost, you only lose hardware, not secrets.
  • Secure Storage: Don’t just toss the returned laptop in a corner. Lock it up until it can be properly wiped and re-issued.

The ‘Bring Your Own Device’ (BYOD) Challenge

You can’t ask for a personal phone back, but you must ensure your data is off it. You have two main options:

Solution Type       | How it Works
--------------------|------------------------------------------------------------------------------------------------------------------------
Technical (Best)    | Use software to separate work data from personal data. When they leave, you push a button to wipe only the work “container.”
Legal / Procedural  | If you lack software, the employee must sign a document confirming they have deleted all company data.

Remember, an auditor will want proof. They will ask for the software logs or the signed document.


Are You Audit-Ready?

Auditors don’t trust; they verify. They will poke holes in your process to see if it works in real life. Here is what they look for:

The “Show Me” Test

They will pick a random list of people who left last year and ask for the evidence trail. Did you follow the steps? Did you get the gear back? Did you cut off their email? You need to show proof for every single one.

The Reality Check

They will look at your asset register and then look at your storage room. If the list says “3 laptops in storage” but the cupboard is empty, you have a problem. They check if your digital records match physical reality.

The Contract Check

They will read your contracts. If your agreements don’t strictly say “you must return our data,” you will be flagged for a nonconformity.
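The “Show Me” test and the Reality Check both come down to the same exercise: joining your asset register with HR’s leaver and mover list, and then comparing the register with what is physically on the shelf. The script below is an added example written for this guide; it is not code from the article, from hightable.io, or from any ISO 27001 toolkit. The register entries, HR events, stock count and audit date are constructed sample data, and the field names (asset_id, status, returned) are assumptions about how you might hold the records.

```python
"""Asset-return reconciliation for an ISO 27001 Annex A 5.11 audit.

Three checks an auditor will effectively perform by hand:
  1. outstanding_assets:     leavers/movers past their effective date who still hold
                             an issued asset with no return record ("Show Me" test).
  2. stale_register_entries: assets with a return record that the register still
                             shows as issued (the "outdated register" mistake).
  3. register_vs_stock:      register says "in storage" vs. what the stock count found
                             (the "Reality Check").
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str
    assigned_to: Optional[str]   # person holding it, or None when in storage/disposed
    status: str                  # "issued", "in_storage" or "disposed"


@dataclass(frozen=True)
class HrEvent:
    person: str
    event: str                   # "leaver" or "mover" (Annex A 5.11 covers both)
    effective: date              # last day in role
    returned: FrozenSet[str]     # asset ids with a signed return record on file


# Constructed sample register (assumed field layout, not a real inventory).
REGISTER: List[Asset] = [
    Asset("LT-001", "laptop", "jane", "issued"),       # returned, register never updated
    Asset("LT-002", "laptop", "bob", "issued"),        # returned, register never updated
    Asset("PH-001", "phone", "bob", "issued"),         # never returned
    Asset("LT-005", "finance laptop", "dana", "issued"),  # mover kept specialised laptop
    Asset("LT-003", "laptop", None, "in_storage"),
    Asset("LT-004", "laptop", None, "in_storage"),     # register says stored, count disagrees
]

# Constructed HR leaver/mover feed.
HR_EVENTS: List[HrEvent] = [
    HrEvent("jane", "leaver", date(2024, 3, 29), frozenset({"LT-001"})),
    HrEvent("bob", "leaver", date(2024, 4, 12), frozenset({"LT-002"})),
    HrEvent("dana", "mover", date(2024, 5, 1), frozenset()),
    HrEvent("eve", "leaver", date(2024, 6, 30), frozenset()),  # still in notice, not due
]

# Constructed physical stock count: asset id -> where it was found.
STOCK_COUNT: Dict[str, str] = {"LT-003": "Cupboard A", "LT-001": "Cupboard A"}

AUDIT_DATE = date(2024, 5, 15)


def outstanding_assets(register: List[Asset], events: List[HrEvent],
                       today: date) -> List[Tuple[str, str, str]]:
    """(person, event, asset_id) for every issued asset held by someone whose
    leaver/mover date has passed and for which no return record exists."""
    by_person: Dict[str, List[Asset]] = {}
    for asset in register:
        if asset.status == "issued" and asset.assigned_to:
            by_person.setdefault(asset.assigned_to, []).append(asset)
    findings = []
    for ev in events:
        if ev.effective > today:          # still employed in role; not yet due
            continue
        for asset in by_person.get(ev.person, []):
            if asset.asset_id not in ev.returned:
                findings.append((ev.person, ev.event, asset.asset_id))
    return sorted(findings)


def stale_register_entries(register: List[Asset], events: List[HrEvent]) -> List[str]:
    """Asset ids that HR evidence says were returned but the register still shows
    as issued: the return happened, the single source of truth was not updated."""
    returned = set().union(*(ev.returned for ev in events))
    return sorted(a.asset_id for a in register
                  if a.status == "issued" and a.asset_id in returned)


def register_vs_stock(register: List[Asset],
                      stock: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """(missing, unexpected): items the register lists as in storage that the count
    did not find, and items found in storage the register does not list there."""
    in_storage = {a.asset_id for a in register if a.status == "in_storage"}
    counted = set(stock)
    return sorted(in_storage - counted), sorted(counted - in_storage)


if __name__ == "__main__":
    for person, event, asset_id in outstanding_assets(REGISTER, HR_EVENTS, AUDIT_DATE):
        print(f"OUTSTANDING  {asset_id} still held by {person} ({event})")
    for asset_id in stale_register_entries(REGISTER, HR_EVENTS):
        print(f"STALE        {asset_id} returned per HR record but register says issued")
    missing, unexpected = register_vs_stock(REGISTER, STOCK_COUNT)
    for asset_id in missing:
        print(f"MISSING      {asset_id} in register as stored, not found in count")
    for asset_id in unexpected:
        print(f"UNEXPECTED   {asset_id} found in storage, register disagrees")
```

Run against a real export, each non-empty list is a finding you would rather discover yourself than have the auditor discover: an outstanding asset means a leaver still holds company data, a stale entry or a register-versus-stock mismatch means the “single source of truth” is not one. The movers case (dana’s finance laptop) is flagged alongside leavers because Annex A 5.11 treats a change of role the same way as a departure.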


Top 3 Mistakes to Avoid

Even smart business owners make these simple errors. Avoid them to stay safe.

Mistake #1: The Outdated Register

This is the most common failure. If your list says Jane has a monitor, but Jane says she never got one, you are stuck. Maintaining a live, accurate register is vital. Using tools like hightable.io can automate this, ensuring your records always match reality.

Mistake #2: The “Server Graveyard”

Do not pile old hard drives and laptops in an unlocked closet. This is a massive risk. If you are throwing hardware away, get a “certificate of destruction” from your disposal company. You need proof that the data is gone forever.

Mistake #3: Bad Version Control

If your policy refers to a process document that doesn’t exist anymore, or if your documents haven’t been reviewed in two years, auditors will notice. Keep your paperwork fresh and connected.


Frequently Asked Questions

What counts as an “asset”?
It is not just hardware like laptops and phones. It includes access cards, keys, and, most importantly, information such as client lists, intellectual property, and software licenses.

When should I trigger the return process?
Do it whenever someone leaves, when a contractor finishes a job, or when an employee moves to a new department.

What if they used their own phone (BYOD)?
You are responsible for ensuring your data is off their device. Use software to wipe your data remotely, or get them to sign a legal statement confirming they deleted it.

Should we wipe data before a device is returned?
Yes. If you are shipping a device, wipe it remotely first. If it gets stolen in the mail, your data stays safe.

Is this mandatory for ISO 27001?
Technically, you choose which controls apply to you, but there is almost no valid business reason to skip this one. Asset management is fundamental to security.


Conclusion

ISO 27001 Annex A 5.11 isn’t just about following rules; it is about closing the loop. It ensures that when a relationship ends, your valuable data stays with you. The true test of your security isn’t just the final day; it is how you manage the risk from the moment someone hands in their notice.

By following these pillars and using the right tools, you can lock down that “final window” of risk and build a security system that works.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
