The biggest security risk when a trusted person leaves is not the key card they hand back. It is the encrypted USB drive in their bag that holds your next product roadmap. This challenge keeps security leaders and CEOs up at night. The real weakness is not just about cutting off system access. It is about getting back the physical and digital items they still have.
This is the main problem addressed by ISO 27001 Annex A 5.11 Return of assets. The standard says that staff must return all company assets when their job or contract ends. This guide moves past theory to give you a practical 10-point plan. Following this checklist will help you build a strong process that protects your business and satisfies your auditor.
Table of contents
- Why Getting Assets Back is a Board-Level Concern
- Your 10-Point Checklist for Mastering Asset Returns
- Point 1: Set Up Your Base Policies
- Point 2: Create and Keep a Master Asset Register
- Point 3: Link Security with the HR Process
- Point 4: Make Your Legal Contracts Stronger
- Point 5: Define a Secure Physical Return Process
- Point 6: Store and Handle Returned Assets Safely
- Point 7: Handle the Bring Your Own Device (BYOD) Issue
- Point 8: Manage the High-Risk Notice Period
- Point 9: Verify and Document Everything
- Point 10: Plan for Secure Disposal
- How an Auditor Will Test Your System
- The Top 3 Mistakes to Avoid
- Asset Protection is an Ongoing Duty
Why Getting Assets Back is a Board-Level Concern
A formal return process is not just a boring HR task. It is a vital security function. In the ISO 27001 framework, this is called a “preventative” control for a good reason. It is designed to stop data breaches and theft before they happen. If you fail to manage this well, you expose your business to serious risks.
- Theft of Ideas and Data: A lost laptop or a simple USB stick can hold client data or trade secrets. If a developer forgets to hand in a drive with code, you lose confidentiality instantly.
- Legal Trouble: A single forgotten hard drive can become a huge problem under laws like GDPR. If one device with personal data goes missing, you could face fines and investigations.
- Loss of Control: If you fail to get an asset back, you have lost control over the data inside it. You cannot secure or manage it anymore. This goes against the core rules of keeping company resources safe.
Each of these risks can cause major damage. This control is here to stop them before an incident occurs. Now, let us look at how you can do this.
Your 10-Point Checklist for Mastering Asset Returns
Building a good system takes more than one document. An auditor wants to see a system where policy, process, and tools work together. These ten points will help you build that system.
Point 1: Set Up Your Base Policies
Every good security process starts with clear rules. Before you can manage returns, you must define how assets are handled from the start. You need two key documents here. First, an Asset Management Policy to set the tone. Second, an Acceptable Use Policy to outline the rules for your staff. These create the baseline for responsible handling.
Point 2: Create and Keep a Master Asset Register
The asset register is the heart of the return process. It is your single source of truth. If your register is old or empty, you will likely fail an audit because you cannot return what you do not track. You must assign every laptop, monitor, and key card to a specific person. Platforms like hightable.io can be invaluable here for maintaining an accurate, real-time inventory of your assets. If an auditor sees an asset assigned to someone who left months ago, it raises a red flag.
Point 3: Link Security with the HR Process
Policy means nothing without action. You need to link your asset return policy to the HR process for people joining, moving, or leaving. This link is vital. Every time HR processes a departure, it must trigger your security checklist. This ensures no one is missed and the steps are followed every time.
Point 4: Make Your Legal Contracts Stronger
Policies are just suggestions without legal backup. Your employment contracts must have clear clauses. These clauses should create a legal duty to return all items when the job ends. This gives your policy power. It provides a way to enforce the rules if a person fails to comply.
Point 5: Define a Secure Physical Return Process
You need a secure plan for getting things back. It is not enough to just drop a laptop on a desk. For remote staff, use a trusted courier service. A best practice is to wipe the device remotely before it ships. This way, if the package is lost, you only lose hardware, not data. For on-site staff, handle the return during a formal exit meeting.
Point 6: Store and Handle Returned Assets Safely
Once an asset is back, where does it go? A common mistake is leaving laptops on desks or in open cupboards. You must have a secure storage area, like a locked cabinet or room. Keep assets there until they are wiped and ready for the next user.
Point 7: Handle the Bring Your Own Device (BYOD) Issue
BYOD is tricky because you own the data, but not the phone. You cannot ask for the phone back, but you must ensure company data is gone. You have two main options:
| Method | Description and Proof |
|---|---|
| Technical Control (Best) | Use software to create a secure company workspace on the phone. You can wipe just this workspace remotely. The auditor will want to see the logs. |
| Procedural Control | Rely on a signed form where the person confirms they deleted the data. Your legal contract must support this. The auditor will want to see the signed form. |
Point 8: Manage the High-Risk Notice Period
The moment an employee gives notice, a risk window opens. This is when data leaks often happen. A good security program acts fast. Review their access right away. Monitor their activity more closely. Depending on the risk, you might even take their main device and give them a basic one for their final days.
Point 9: Verify and Document Everything
For an auditor, if it is not written down, it did not happen. You must create a clear paper trail. Use a formal checklist and get sign-offs from both the employee and the manager. This paperwork is your proof of compliance.
Point 10: Plan for Secure Disposal
Do not let old assets pile up in a “graveyard” room. This creates a risk of lost data. Your process must include a plan for secure destruction. If you dispose of storage media, you must get a certificate of destruction from your vendor.
How an Auditor Will Test Your System
Auditors do not just read policies. They test if the system works in real life. They look for proof that your process is active. To find issues, they usually look at three areas.
- The Leaver Sample: An auditor will ask for a list of people who left recently. They will pick random names and ask for the full paper trail. If one step is missing, it is a failure.
- The Asset Register Check: They will check your register for accuracy. They might ask where you store returned laptops and who has the keys. This tests your physical security.
- The Legal Review: Finally, they will check a sample of your contracts. They want to see the clauses about returning assets and deleting data. A missing clause is a major issue.
The Top 3 Mistakes to Avoid
Most audit failures are not due to complex tech issues. They happen because of basic admin errors. Avoid these common traps to stay safe.
- An Outdated Asset Register: This is a top mistake. If the register says a person had two monitors, but the return form only lists one, you have a problem. If you cannot explain where the other one is, you fail.
- Insecure Destruction: A room full of old hardware is a bad sign. If an auditor sees this, they will ask for destruction certificates. If you cannot show them, you cannot prove the data is safe.
- Poor Document Control: Auditors check versions. If your policy refers to an old procedure, it shows a lack of control. Documents that have not been reviewed in a year look like dead processes.
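The register-versus-return-form check behind Point 2, Point 9, the auditor's leaver sample and the outdated-register mistake, written as a small reconciliation script. This is an added example, not code from the article or from any platform it mentions; the register, return forms and leaver list are constructed sample data, and the field names are assumptions.

```python
# Constructed sample asset register (not real data): each tag is assigned to one person.
ASSET_REGISTER = [
    {"tag": "LT-0101", "type": "laptop", "assigned_to": "a.jones"},
    {"tag": "MON-0201", "type": "monitor", "assigned_to": "a.jones"},
    {"tag": "MON-0202", "type": "monitor", "assigned_to": "a.jones"},
    {"tag": "KC-0301", "type": "key card", "assigned_to": "a.jones"},
    {"tag": "LT-0102", "type": "laptop", "assigned_to": "b.smith"},
    {"tag": "LT-0103", "type": "laptop", "assigned_to": "d.kim"},
    {"tag": "USB-0401", "type": "encrypted USB", "assigned_to": "c.lee"},
]
# Signed return forms: tags handed back plus the two sign-offs an auditor asks for.
RETURN_FORMS = {
    "a.jones": {"returned": ["LT-0101", "MON-0201", "KC-0301"],
                "employee_signed": True, "manager_signed": True},
    "c.lee": {"returned": ["USB-0401", "LT-0199"],
              "employee_signed": True, "manager_signed": False},
}
# Leavers as reported by HR; d.kim has no return form on file at all.
LEAVERS = ["a.jones", "c.lee", "d.kim"]


def reconcile(register, forms, leavers):
    """Return {leaver: [issues]} for every leaver whose paper trail is incomplete."""
    assigned_by_person = {}
    for row in register:
        assigned_by_person.setdefault(row["assigned_to"], set()).add(row["tag"])
    findings = {}
    for person in leavers:
        issues = []
        assigned = assigned_by_person.get(person, set())
        form = forms.get(person)
        if form is None:
            issues.append("no return form on file")
            returned = set()
        else:
            returned = set(form["returned"])
            for role in ("employee", "manager"):
                if not form[f"{role}_signed"]:
                    issues.append(f"missing {role} sign-off")
        # Tags still assigned to a leaver: the register-vs-form gap auditors sample for.
        outstanding = sorted(assigned - returned)
        if outstanding:
            issues.append("unreturned: " + ", ".join(outstanding))
        # Tags returned that the register never recorded: the register is inaccurate.
        unknown = sorted(returned - assigned)
        if unknown:
            issues.append("returned but not in register: " + ", ".join(unknown))
        if issues:
            findings[person] = issues
    return findings
```

Run it against a real export of your register and HR leaver list; any person still holding assets months after their leave date is exactly the red flag the article warns about.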
Asset Protection is an Ongoing Duty
Using Annex A control 5.11 is not about one piece of tech. It is about building a system of trust. A good process prevents data loss and helps you pass your audit. But the real test is not just getting a laptop back on the last day. It is how well you control the risk from the moment they give notice. That level of control shows a true culture of security.
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
