A Tech Startup’s Practical Guide to ISO 27001 Annex A 5.11: Return of Assets

ISO 27001 Annex A 5.11 for Tech Startups

Introduction: Look Beyond the Checklist

Running a fast-paced tech startup is demanding. When an employee or contractor leaves, managing their exit often feels like just another chore on a long list. Treating the return of assets as a simple HR task, however, is a mistake.

This process is a vital security control. It protects your startup’s most valuable resources: your intellectual property, your client data, and the knowledge of how your business operates.

In ISO 27001 this is control Annex A 5.11, Return of assets. Put simply, everyone must return company assets when their employment or contract changes or ends. This applies to employees, contractors, and third parties, and it also applies to internal changes: if an engineer moves to marketing, they must return the access keys used in their old role.

This control is strategically important. A single missing item is a serious risk, because it threatens the core of information security: Confidentiality, Integrity, and Availability.

Imagine a developer leaves and keeps a single USB drive with unreleased code. Your confidentiality is broken. Your intellectual property is at risk. You have lost control. This one slip could lead to theft, data leaks, and fines from laws like GDPR. You need more than a simple form to fix this. You need a system of policies and processes. This guide, inspired by insights from hightable.io, will show you how to build that system.

The Six Pillars of a Strong Asset Return System

To pass an ISO 27001 audit, you need more than one document. You need a working ecosystem. An auditor wants to see that your policies and processes work together. Here are the six pillars you need:

1. Asset Management Policy

This is your high-level document. It states that your organization is committed to protecting its assets. It sets the rules for how you handle assets from the day you acquire them until the day you dispose of them.

2. Asset Management Process

This document turns your policy into action. It lists the steps you take to manage assets. It explains how you count, assign, use, and return items.

3. Up-to-Date Asset Register

This is the most important part of the system. It is the “single source of truth.” This list must track what the asset is, who has it, and its status. If this list is wrong, you cannot know what to ask for when someone leaves.

4. Rules for Acceptable Use

This document tells employees how to use company items responsibly. It sets the rules for security and care. Users must understand their role in keeping things safe.

5. Contractual Clauses

Your policies need legal power. Your contracts with employees and vendors must have clear clauses. These clauses must legally force people to return assets when they leave. This makes your policy enforceable.

6. HR Starter, Leaver, Mover (SLM) Process

This HR process triggers the asset return workflow. When a person’s status changes, this process starts the security checklist. It ensures you revoke access and get items back so nothing is missed.


The Offboarding Process: Step-by-Step

Once you have your documents, you need to execute them. An auditor wants to see clear steps for getting items back, especially for remote workers.

Secure Return and Transport

You need a clear process for getting items back. For office staff, you can do a handover during an exit interview. For remote workers, use a shipping service that you can track and insure. You must track the item from the employee’s hands back to the company.

Secure Storage

Do not leave returned items on an empty desk. You must store them in a locked cabinet or a secure IT room. This stops people from using the device before it is wiped clean.

Best Practice for Remote Returns

For expensive items like laptops, wipe them remotely before shipping. Use Mobile Device Management (MDM) software to erase the data. This lowers your risk. If the package is lost in the mail, you only lose a piece of hardware, not your data.

Handling Grey Areas: BYOD and Notice Periods

Tech startups often face two tough issues: personal devices and the notice period.

Bring-Your-Own-Device (BYOD)

When staff use personal phones, you are still responsible for the data on them. You cannot ask for the phone back, but you must remove company data. You have two options:

  • Technical Controls: Use MDM software to create a secure “container” for work apps. When the person leaves, you can wipe just that container. Their personal photos remain safe.
  • Procedural Controls: If you don’t use MDM, have the person sign a document. This document states they have deleted all company data. An auditor will ask to see this proof.

Securing the Notice Period

The time between resignation and the final day is risky. A disgruntled employee has access to your data. You should take action immediately:

  • Review their access rights. Remove any access they don’t need for their final tasks.
  • Monitor their activity. Watch for large data transfers or downloads.
  • For high-risk roles, take their main device early. Give them a basic loaner device to finish their work.

Facing the Audit: How to Prove Compliance

An ISO 27001 auditor will not just read your policy. They will look for evidence that your system works. Expect them to check these three areas:

The Leaver Process

The auditor will ask for a list of people who left recently. They will want to see proof for each one. Did they return their assets? Was their access cut off? If they used their own phone, was the data wiped? Missing just one step can cause you to fail.

The Asset Register and Physical Security

The auditor will check your asset list. They might pick a returned laptop on the list and ask to see it. This leads to a check of your secure storage. They will ask who has the keys to that room to verify your security.

The Contracts

Finally, they will look at your contracts. They want to see clauses that demand the return of assets. If you allow personal devices but don’t have a contract clause about deleting data, this is a gap.

Top 3 Mistakes That Cause Failure

Failures are often due to simple administrative errors. Avoid these three common mistakes:

  • An Outdated Asset Register: This is the most common error. If your list shows an ex-employee still has a laptop, you have failed. It means you have lost control of an asset.
  • Insecure Storage or Destruction: Do not pile old laptops in a closet. This creates a risk of data theft. If you destroy a drive, get a certificate of destruction. You need proof.
  • Poor Document Control: Ensure your policies match your processes. If your policy is version 2.0 but references a process that is version 1.0, it looks bad. Review your documents regularly.
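The checks the auditor performs by hand in the leaver review, and the “outdated asset register” failure above, can be run as a reconciliation between three lists: the asset register, the HR leaver list and the account directory. The script below is an added example, not code from the article or from hightable.io’s toolkits. It flags assets still assigned to ex-employees, returned devices that have not yet been wiped, BYOD phones with neither an MDM wipe nor a signed deletion statement, accounts that were never disabled, and enabled accounts of people still serving notice that need an access review. The field names, the status values (`in-use`, `returned`, `wiped`, `destroyed`), the finding codes and every sample record are assumptions constructed for the example; map them to whatever your own register uses.

```python
"""Offboarding reconciliation: cross-check the asset register against the HR
leaver list and the account directory, and report the gaps an auditor would find.
Constructed example, not the article's or hightable.io's code; field names and
status values are assumptions, so map them to your own register."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str         # e.g. "laptop", "office-key", "phone-byod"
    assigned_to: str  # HR person id of the current holder
    status: str       # "in-use", "returned", "wiped" or "destroyed"


@dataclass(frozen=True)
class Leaver:
    person_id: str
    last_day: date
    byod_attestation_signed: bool  # signed statement that company data was deleted


@dataclass(frozen=True)
class Account:
    username: str
    person_id: str
    enabled: bool


# Assumed vocabularies: adjust to the values your register actually uses.
CLOSED_STATES = {"returned", "wiped", "destroyed"}  # back under company control
DATA_BEARING = {"laptop", "phone", "usb-drive"}     # must be wiped, not just returned
BYOD_KINDS = {"phone-byod", "laptop-byod"}          # cannot be recalled; data must go


def reconcile(register, leavers, accounts, today):
    """Return (code, subject, person_id) findings for leavers whose last day is
    before `today`, plus access-review reminders for those still serving notice."""
    leavers_by_id = {lv.person_id: lv for lv in leavers}
    findings = []

    for a in register:
        lv = leavers_by_id.get(a.assigned_to)
        if lv is None or lv.last_day >= today:
            continue  # current staff, or still employed through their last day
        if a.kind in BYOD_KINDS:
            # Device stays with the person; evidence is an MDM wipe or a signed attestation.
            if a.status != "wiped" and not lv.byod_attestation_signed:
                findings.append(("BYOD_NO_ATTESTATION", a.asset_id, a.assigned_to))
        elif a.status not in CLOSED_STATES:
            # Register still shows an ex-employee holding the asset: loss of control.
            findings.append(("ASSET_NOT_RETURNED", a.asset_id, a.assigned_to))
        elif a.status == "returned" and a.kind in DATA_BEARING:
            # Back in the building but not erased: secure storage until wiped.
            findings.append(("RETURNED_NOT_WIPED", a.asset_id, a.assigned_to))

    for acct in accounts:
        lv = leavers_by_id.get(acct.person_id)
        if lv is None or not acct.enabled:
            continue
        if lv.last_day < today:
            findings.append(("ACCESS_NOT_REVOKED", acct.username, acct.person_id))
        else:
            # Notice period: trim rights to what the final tasks need.
            findings.append(("NOTICE_PERIOD_REVIEW", acct.username, acct.person_id))
    return sorted(findings)


def run_example(today=date(2024, 5, 10)):
    """Constructed sample data: three leavers with gaps, one clean, one in notice."""
    register = [
        Asset("LT-001", "laptop", "p-100", "returned"),    # returned, never wiped
        Asset("LT-002", "laptop", "p-101", "in-use"),      # still with ex-employee
        Asset("KEY-07", "office-key", "p-101", "in-use"),  # key not handed back
        Asset("PH-009", "phone-byod", "p-102", "in-use"),  # personal phone, no attestation
        Asset("LT-004", "laptop", "p-103", "wiped"),       # clean leaver
        Asset("LT-005", "laptop", "p-104", "in-use"),      # still serving notice
        Asset("LT-003", "laptop", "p-200", "in-use"),      # current employee, fine
    ]
    leavers = [
        Leaver("p-100", date(2024, 5, 1), False),
        Leaver("p-101", date(2024, 5, 3), False),
        Leaver("p-102", date(2024, 5, 6), False),
        Leaver("p-103", date(2024, 4, 30), True),
        Leaver("p-104", date(2024, 5, 31), False),
    ]
    accounts = [
        Account("alice", "p-100", False),
        Account("bob", "p-101", True),   # never disabled
        Account("carol", "p-102", False),
        Account("dave", "p-103", False),
        Account("erin", "p-104", True),  # in notice: review, do not disable yet
    ]
    return reconcile(register, leavers, accounts, today)


if __name__ == "__main__":
    for code, subject, person in run_example():
        print(f"{code:<20} {subject:<8} {person}")
```

Run it against an export of your real register, HR leaver list and directory on a schedule, and keep the empty result for each leaver as audit evidence; any `ASSET_NOT_RETURNED` or `ACCESS_NOT_REVOKED` line is exactly the gap the auditor’s sample of recent leavers would expose.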

Conclusion: A Strategic Control

Implementing ISO 27001 Annex A 5.11 is more than just paperwork. It is a defense line that protects your data and your business. A good program controls the high-risk notice period and prevents data leaks.

Creating these documents takes time. It can take days of work. For a busy startup, this is hard. Many organizations use toolkits, such as those from hightable.io, to speed this up. These resources can help you get compliant quickly so you can focus on growing your business.

Frequently Asked Questions (FAQ)

What is the main goal of ISO 27001 Annex A 5.11?

The goal is to protect your assets when employment changes or ends. It ensures everything is returned to prevent data breaches and theft.

What counts as an “asset”?

Assets include physical hardware like laptops and keys. They also include information like files and code, as well as access to software accounts.

What if we use personal devices (BYOD)?

You are responsible for the data. Use MDM software to wipe company data remotely, or have the employee sign a legal form confirming they deleted the data.

When does the process start?

It starts whenever a relationship changes. This includes when someone quits, gets fired, changes roles internally, or when a contract ends.

Why is this risky for a startup?

If you don’t get assets back, you risk data breaches and legal fines. Losing a device with source code or client data can ruin your reputation.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director
Stuart Barker, an ISO 27001 expert and thought leader, is the author of this content.