In this guide, I will show you exactly how small businesses and SMEs can implement ISO 27001:2022 Annex A 5.11 Return of assets without the enterprise-level complexity. You will get a complete walkthrough of the control tailored for organizations with limited resources, along with practical examples and access to ISO 27001 templates that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience auditing businesses of all sizes. I will cut through the jargon to show you exactly what changed in the 2022 update and provide the plain-English advice you need to get your small business certified.
Key Takeaways: ISO 27001 Annex A 5.11 Return of Assets (SME Edition)
For Small and Medium-sized Enterprises (SMEs), ISO 27001 Annex A 5.11 is your primary defence against the “Exit Risk.” When an employee, contractor, or partner leaves (or changes roles), the risk of data theft or loss skyrockets. It isn’t just about getting a laptop back; it’s about ensuring that access, data, and intellectual property don’t walk out the door with them. This control mandates a formal process to ensure everything, physical and digital, is returned or wiped.
Core requirements for compliance include:
- The “Leavers” Checklist: You must have a standardized offboarding process. Relying on memory (“Did I ask for his keys?”) is a reliable way to lose assets and to have no evidence to show the auditor.
- Link to Asset Register: You cannot ask for it back if you don’t know they have it. This control relies entirely on an accurate Information Asset Register (Annex A 5.9).
- Legal Teeth: Your employment contracts and supplier agreements must explicitly state that assets must be returned upon termination. Without this, you have no legal leverage.
- Beyond Hardware: It’s not just laptops. You must account for access badges, physical keys, credit cards, and crucially data.
- The BYOD Challenge: If staff use personal phones, you can’t ask for the phone back, but you must ensure company data is removed. This requires either Mobile Device Management (MDM) software or a signed legal declaration of deletion.
Audit Focus: Auditors will look for “The Evidence Trail”:
- The Random Sample: “Show me a list of everyone who left in the last 6 months. Now, show me the completed ‘Return of Assets’ form for Jane Doe.”
- The Reality Check: “Your Asset Register says John Smith has a MacBook. John left two weeks ago. Why is it still assigned to him?”
- The Wipe Log: “You collected the laptop, but did you wipe it before putting it in storage? Show me the proof.”
SME Off-boarding & Return Checklist (Audit Prep):
| Asset Category | What to Collect / Action |
|---|---|
| Hardware | Laptops, monitors, phones, USB drives, MFA fobs and other hardware tokens. |
| Physical Access | Office keys, swipe cards, parking passes. |
| Financial | Corporate credit cards. |
| Data (BYOD) | Remote wipe the “Work Profile” or have the leaver sign a deletion form. |
| Digital Access | Terminate email, Slack and cloud accounts immediately, and remove the MFA enrolments tied to any returned fob. |
Table of contents
- What is ISO 27001 Annex A 5.11 and Why Does It Matter?
- How to implement ISO 27001 Annex A 5.11
- The Playbook: Step-by-Step Actions
- What the auditor will check
- Top 3 ISO 27001 Annex A 5.11 Mistakes SMEs Make and How to Avoid Them
- Fast Track ISO 27001 Annex A 5.11 Compliance for SMEs with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.11 FAQ for SMEs
- Conclusion
What is ISO 27001 Annex A 5.11 and Why Does It Matter?
The Core Requirement
Understanding Annex A 5.11 is your first step toward securing your business. It isn’t just a box to tick; it is a shield against data breaches.
- The Definition: Simply put, this rule says that everyone, employees, contractors, or partners, must return all organization assets when their employment or agreement changes or ends.
- “Change” vs. “Termination”: This is the part most people miss. It isn’t just about people quitting. It applies to internal moves, too. If your finance manager moves to the marketing team, do they still need that specialized finance laptop? Probably not. Under Annex A 5.11, you must collect that asset and wipe it. This ensures access always matches the current job.
Why You Should Care
For an SME, failing to get assets back is like locking the front door but leaving a window wide open. If you ignore this, all three legs of the “CIA triad” of security are at risk:
- Confidentiality: Your secrets stop being secret. Competitors could see your client lists.
- Integrity: Your data could be changed without you knowing. Imagine someone altering code or invoices before they leave.
- Availability: You might lose access to files you need to run your company. If the only copy of a project is on a lost laptop, that project is gone.
Beyond the data, there are legal risks. Laws like the GDPR don’t care if you lost a device by accident; you can still face fines. This control helps you avoid that nightmare.
How to implement ISO 27001 Annex A 5.11
You can’t satisfy an auditor with a simple checklist. They want to see a working system. Think of these six pillars as the foundation of your asset security.
Pillar 1: The Asset Management Policy
This is your “big picture” document. It tells the world (and your staff) how you value and track items from the day you buy them to the day you throw them away.
Pillar 2: The Process
This translates your policy into action. It details the specific steps everyone must follow, ensuring consistency every time.
Pillar 3: The Up-to-Date Asset Register
This is the heart of your system. It is a list of what you own and who has it. If this list is wrong, your return process fails because you won’t know what to ask for. For modern SMEs, managing this manually is a pain. Platforms like hightable.io can help you maintain a dynamic, accurate single source of truth, so you never face the “red flag” of a messy inventory during an audit.
Pillar 4: Acceptable Use Rules
These are the rules of the road. You need to tell your team clearly how they are allowed to use company gear. This removes ambiguity later on.
Pillar 5: Ironclad Agreements
Get your lawyers involved. Your employment contracts must legally require the return of assets. Without this clause, your policy is just a polite request, not a requirement.
Pillar 6: The HR Process
Your HR team starts the engine. When they process a “leaver” or a “mover,” it should automatically trigger your security checklist. This ensures you never forget to ask for a laptop back just because you were busy.
The Playbook: Step-by-Step Actions
Now that you have the foundation, here is your game plan for when someone actually leaves.
Managing the Notice Period
The time between a resignation and the final day is your biggest risk window. The employee is still there, but they might feel disconnected. To stay safe:
- Review Access Now: Cut off access to data they don’t strictly need for their final tasks.
- Watch Closely: Keep an eye on unusual data transfers or heavy printing, within what your monitoring policy and local employment law already allow.
- Asset Swap: In high-risk roles, take their main laptop early and give them a “clean” loaner device for their last few days.
Departure Day: Return and Storage
When the final day comes, you need a secure physical process.
- In-Person is Best: If possible, get the items hand-delivered.
- Remote Safety: If you must ship it, wipe the device remotely before it goes in the mail, once anything the business still needs has been synced to company storage. Use Mobile Device Management (MDM) tools to erase company data and keep the wipe confirmation as evidence. If the package gets lost, you only lose hardware, not secrets.
- Secure Storage: Don’t just toss the returned laptop in a corner. Lock it up until it can be properly wiped and re-issued.
The ‘Bring Your Own Device’ (BYOD) Challenge
You can’t ask for a personal phone back, but you must ensure your data is off it. You have two main options:
| Solution Type | How it Works |
|---|---|
| Technical (Best) | Use software to separate work data from personal data. When they leave, you push a button to wipe only the work “container.” |
| Legal / Procedural | If you lack software, the employee must sign a document confirming they have deleted all company data. |
Remember, an auditor will want proof. They will ask for the software logs or the signed document.
What the auditor will check
Auditors don’t trust; they verify. They will poke holes in your process to see if it works in real life. Here is what they look for:
1. The “Show Me” Test
They will pick a random list of people who left last year and ask for the evidence trail. Did you follow the steps? Did you get the gear back? Did you cut off their email? You need to show proof for every single one.
2. The Reality Check
They will look at your asset register and then look at your storage room. If the list says “3 laptops in storage” but the cupboard is empty, you have a problem. They check if your digital records match physical reality.
3. The Contract Check
They will read your contracts. If your agreements don’t explicitly require the return of company assets, including data, you will be flagged for a nonconformity.
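The three checks above are a reconciliation: the HR leavers list against the asset register, the signed return forms, the wipe log and the account directory. The script below is an added example, not part of the original article or of any toolkit it mentions, that runs that reconciliation over constructed sample data and prints exactly the gaps an auditor would raise (an asset still assigned to a leaver, a leaver with no signed form, a returned laptop with no wipe record, a mailbox still active). The CSV column names are an assumption; map them to whatever your HR export, register, MDM and directory actually produce.

```python
import csv
import io
from datetime import date

# Constructed sample data for this example (not real records). The column
# names are an assumption; adapt them to your own exports.
LEAVERS_CSV = """person,leave_date
Jane Doe,2024-03-15
John Smith,2024-05-01
Ana Silva,2024-05-20
"""

ASSET_REGISTER_CSV = """asset_id,asset_type,assigned_to,status
LT-0101,laptop,Jane Doe,in_storage
LT-0102,laptop,John Smith,assigned
KEY-07,office key,John Smith,assigned
LT-0103,laptop,Ana Silva,in_storage
PH-0030,phone,Ana Silva,in_storage
"""

RETURN_FORMS_CSV = """person,form_signed_on
Jane Doe,2024-03-15
Ana Silva,2024-05-20
"""

WIPE_LOG_CSV = """asset_id,wiped_on,method
LT-0101,2024-03-16,mdm_remote_wipe
PH-0030,2024-05-21,mdm_remote_wipe
"""

ACCOUNTS_CSV = """person,account,state
Jane Doe,jane.doe@example.com,disabled
John Smith,john.smith@example.com,active
Ana Silva,ana.silva@example.com,disabled
"""

# Asset types that hold company data and therefore need a wipe record
# before they go back into storage or are re-issued.
DATA_BEARING = {"laptop", "phone", "usb drive"}


def load(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(leavers, assets, return_forms, wipe_log, accounts, today):
    """Cross-check every leaver against the other four sources.

    Returns a list of (person, finding) tuples. An empty list means the
    evidence trail is complete for every leaver whose last day has passed.
    """
    signed = {r["person"] for r in return_forms}
    wiped = {r["asset_id"] for r in wipe_log}
    active = {r["person"]: r["account"] for r in accounts if r["state"] == "active"}
    findings = []

    for leaver in leavers:
        person = leaver["person"]
        left = date.fromisoformat(leaver["leave_date"])
        if left > today:
            continue  # still in the notice period; the register changes on the last day
        days_gone = (today - left).days

        if person not in signed:
            findings.append((person, "no signed Return of Assets form on file"))
        if person in active:
            findings.append((person, f"account still active: {active[person]}"))

        for asset in assets:
            if asset["assigned_to"] != person:
                continue
            label = f"{asset['asset_id']} ({asset['asset_type']})"
            if asset["status"] == "assigned":
                findings.append((person, f"{label} still assigned {days_gone} days after leaving"))
            elif asset["asset_type"] in DATA_BEARING and asset["asset_id"] not in wiped:
                findings.append((person, f"{label} returned but has no wipe record"))
    return findings


def audit_findings(today_iso):
    """Run the reconciliation over the constructed sample data as of a given date."""
    return reconcile(load(LEAVERS_CSV), load(ASSET_REGISTER_CSV),
                     load(RETURN_FORMS_CSV), load(WIPE_LOG_CSV),
                     load(ACCOUNTS_CSV), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for person, finding in audit_findings("2024-06-01"):
        print(f"{person}: {finding}")
```

Run this monthly, or before each internal audit, and file the output with the leaver checklists: a clean run is the “Show Me” evidence, and each finding is a task with a named owner. Physical keys are deliberately not in DATA_BEARING, so a returned key only needs the register updated, not a wipe entry.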
Top 3 ISO 27001 Annex A 5.11 Mistakes SMEs Make and How to Avoid Them
Even smart business owners make these simple errors. Avoid them to stay safe.
1. The Outdated Register
This is the most common failure. If your list says Jane has a monitor, but Jane says she never got one, you are stuck. Maintaining a live, accurate register is vital. Using tools like hightable.io can automate this, ensuring your records always match reality.
2. The “Server Graveyard”
Do not pile old hard drives and laptops in an unlocked closet. This is a massive risk, and it is also where Annex A 7.14 (Secure disposal or re-use of equipment) applies. If you are throwing hardware away, get a “certificate of destruction” from your disposal company that lists the serial numbers. You need proof that the data is gone forever.
3. Bad Version Control
If your policy refers to a process document that doesn’t exist anymore, or if your documents haven’t been reviewed in two years, auditors will notice. Keep your paperwork fresh and connected.
Fast Track ISO 27001 Annex A 5.11 Compliance for SMEs with the ISO 27001 Toolkit
For Small Businesses and SMEs, ISO 27001 Annex A 5.11 (Return of assets) is a critical shield against data breaches during employee or contractor departures. It ensures that all organisational assets, including hardware like laptops and phones, but also intangible assets like client lists and intellectual property, are returned when an agreement ends or a role changes. Failing to close this loop is like locking the front door but leaving a window wide open.
While SaaS compliance platforms often try to sell you “automated offboarding workflows” or “asset tracking dashboards”, they cannot actually physically collect a laptop from a leaver’s house or ensure that sensitive paper files have been returned. Those are human governance and physical operational tasks. The High Table ISO 27001 Toolkit is the logical choice for SMEs because it provides the operational framework you need without a recurring subscription fee.
1. Ownership: You Own Your Offboarding Process Forever
SaaS platforms act as a middleman for your compliance evidence. If you define your return of asset procedures and store your offboarding checklists inside their proprietary system, you are essentially renting your own security protocols.
- The Toolkit Advantage: You receive the Asset Management Policy, Return of Assets Procedure, and Leaver Checklists in fully editable Word and Excel formats. These files are yours forever. You maintain permanent ownership of your standards, such as specific rules for remote device wiping, ensuring you are always ready for an audit without an ongoing “rental” fee.
2. Simplicity: Governance for Real-World Departures
Annex A 5.11 is about closing the loop. You do not need a complex new software interface to manage what a well-structured HR checklist and a formal asset register already do perfectly.
- The Toolkit Advantage: SMEs need processes that work without constant oversight. What they need is the governance layer to prove to an auditor that every leaver is handled consistently. The Toolkit provides pre-written “Departure Day Playbooks” and “Ironclad Agreements” that formalise your existing HR work into an auditor-ready framework, without forcing your team to learn a new software platform just to log a returned phone.
3. Cost: A One-Off Fee vs. The “Leaver” Tax
Many compliance SaaS platforms charge more based on the number of “users”, “offboarding events”, or “tracked assets”. For an SME, these monthly costs can scale aggressively for very little added value.
- The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you have 2 leavers a year or 20, the cost of your Return of Assets Documentation remains the same. You save your budget for actual security tools, such as MDM software, rather than an expensive compliance dashboard.
4. Freedom: No Vendor Lock-In for Your HR Strategy
SaaS tools often mandate specific ways to report on and monitor “asset returns”. If their system does not match your unique business model or specialised industry requirements, such as handling physical keys or access cards, the tool becomes a bottleneck to efficiency.
- The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Return Procedures to match exactly how you operate, whether you use high-end remote wiping tools or simple, risk-managed manual checklists. You maintain total freedom to evolve your HR strategy without being constrained by the technical limitations of a rented SaaS platform.
Summary: For SMEs, the auditor wants to see that your employment contracts legally require the return of assets and that you have proof of this happening in practice, such as signed leaver checklists and an accurate asset register. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.11 FAQ for SMEs
What counts as an “asset”?
It is not just hardware like laptops and phones. It includes access cards, keys, and most importantly information like client lists, intellectual property, and software licenses.
When should I trigger the return process?
Do it whenever someone leaves, when a contractor finishes a job, or when an employee moves to a new department.
What if they used their own phone (BYOD)?
You are responsible for ensuring your data is off their device. Use software to wipe your data remotely, or get them to sign a legal statement confirming they deleted it.
Should we wipe data before a device is returned?
If the device is being shipped, yes: wipe it remotely first, once any data the business still needs has been synced. If it gets stolen in the mail, your data stays safe. If it is handed over in person, wipe it after receipt and before it goes into storage or is re-issued, and record the wipe.
Is this mandatory for ISO 27001?
Technically, you choose which Annex A controls apply to you and justify each exclusion in your Statement of Applicability, but there is almost no valid business reason to skip this one. Asset management is fundamental to security.
Conclusion
ISO 27001 Annex A 5.11 isn’t just about following rules; it is about closing the loop. It ensures that when a relationship ends, your valuable data stays with you. The true test of your security isn’t just the final day, it is how you manage the risk from the moment someone hands in their notice.
By following these pillars and using the right tools, you can lock down that “final window” of risk and build a security system that works.