ISO 27001:2022 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.11 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.11 Return of Assets

ISO 27001 Annex A 5.11 requires that personnel and other interested parties return all organization-owned assets in their possession upon termination of their employment, contract, or agreement. This “preventive” control is a critical part of the Joiners, Movers, and Leavers (JML) process. The goal is to ensure that confidential data, intellectual property, and physical hardware (like laptops and access badges) are secured before an individual leaves the organization’s sphere of control.

Core requirements for compliance include:

  • Formal Asset Retrieval Process: You must have a documented procedure for collecting assets. This should be triggered automatically by HR whenever a resignation or termination notice is received.
  • Legal Enforcement: Employee and contractor agreements must include explicit clauses requiring the return of all assets. Without this, you have no legal leverage to retrieve company property.
  • Digital “Return” of Access: The return of assets isn’t just physical. You must revoke access to email, VPNs, and SaaS applications (e.g., Salesforce, Slack) immediately upon the individual’s departure.
  • BYOD Data Deletion: If employees use personal devices for work (BYOD), you must ensure company data is wiped from those devices. This is typically done via Remote Wipe or a formal declaration of deletion signed by the leaver.
  • Intellectual Property Retrieval: Beyond hardware, you must ensure that physical notebooks, paper files, and “knowledge assets” (like client lists or source code) are returned or transferred to a successor.

Audit Focus: Auditors will look for “The Retrieval Chain”:

  1. Sample Verification: An auditor will pick a random person who left the company in the last 6 months and ask: “Show me the evidence that their laptop was returned and their email was disabled on their last day.”
  2. The Asset Register Link: They will check if the Physical Asset Register (A.5.9) was updated to show the device is now “In Stock” or reallocated.
  3. Third-Party Coverage: They will check if your contracts with freelancers or vendors include the same “Return of Assets” requirements as your staff contracts.

Return of Assets Checklist (Audit Prep):

Asset Type | Critical Action Required | Required Audit Evidence
Physical Hardware | Collect Laptop, Phone, and Keys. | Signed “Equipment Return Form.”
Digital Identity | Disable AD / Email / SaaS Accounts. | Closed IT Ticket (timestamped).
Physical Access | Retrieve Badge / Keycard. | Log entry in Access Control system.
BYOD (Personal) | Wipe Company Email & Teams. | Signed “Data Deletion Declaration.”
IP & Documents | Return Paper Files / Notebooks. | Exit Interview Note or Checklist.

What is ISO 27001 Annex A 5.11?

ISO 27001 Annex A 5.11 is about the return of assets, which means you should get back all assets from people who leave or change job.

ISO 27001 Annex A 5.11 Return of Assets is an ISO 27001 control that requires that people with organisation assets should return them when they leave.

ISO 27001 Annex A 5.11 Purpose

The purpose of ISO 27001 Annex A 5.11 is to ensure you protect the organisation's assets as part of the process of changing or terminating employment, contract or agreement.

ISO 27001 Annex A 5.11 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.11 as:

Personnel and other interested parties as appropriate should return all the organisation’s assets in their possession upon change or termination of their employment, contract or agreement.

Watch the ISO 27001 Annex A 5.11 Tutorial

In the video ISO 27001 Annex A 5.11 Return Of Assets Explained, I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 5.11 Podcast

In this episode, Lead Auditor Stuart Barker and team do a deep dive into ISO 27001 Annex A 5.11 Return Of Assets. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.11 Implementation Guidance

You will need a process for people to return assets to you when they leave or when your contract with them ends.

It is simple and straightforward, but there are a couple of steps to put in place first.

Consider the employee who leaves.

Do we know what they have? Do they know they need to return it? How do they return it and in what time frame?

How to implement ISO 27001 Annex A 5.11

Implementing ISO 27001 Annex A 5.11 requires a transition from informal equipment hand-ins to a rigorous, policy-driven offboarding framework. By synchronising HR termination triggers with IT asset recovery protocols, organisations mitigate the risk of data leakage and unauthorised retention of proprietary hardware. This technical guide outlines the action-oriented steps to formalise your return of assets process and satisfy lead auditor requirements for the 2022 standard.

1. Formalise the Asset Return Policy and Contractual Obligations

Establish a documented framework that mandates the return of all organisational property upon termination or change of employment. This action results in a legally enforceable governance layer that defines expectations for employees, contractors, and third-party partners.

  • Incorporate specific “Return of Assets” clauses into all employment contracts and non-disclosure agreements (NDAs).
  • Define a clear “Topic-Specific Policy” that categorises assets, including physical hardware, software licences, and intellectual property.
  • Document the legal and financial consequences for the non-return of high-value equipment to deter negligence.

2. Provision an Integrated Offboarding Workflow

Execute the synchronisation of Human Resources (HR) systems with Information Technology (IT) service management tools. This result-focused step ensures that a termination notice automatically triggers a technical recovery checklist, preventing assets from being overlooked during the final notice period.

  • Map HR termination categories (e.g. resignation, redundancy, summary dismissal) to specific asset recovery timelines.
  • Utilise automated notification systems to alert Asset Owners and line managers of the required recovery actions.
  • Implement a “Kill Switch” protocol for digital assets that triggers the revocation of access rights in tandem with physical recovery.

3. Formalise the Physical Asset Recovery and Inspection Process

Perform a structured collection of all hardware, access tokens, and physical documentation. This action ensures that the organisation regains control over the physical security perimeter and the data stored on mobile devices.

  • Execute a mandatory hand-over meeting to recover laptops, mobile devices, ID badges, and physical keys or MFA tokens.
  • Inspect returned hardware for unauthorised modifications or physical damage before re-entering the equipment into the inventory.
  • Document the “Rules of Engagement” (ROE) for recovering assets from remote workers, including the provision of secure courier services.

4. Revoke Logical Access and Decommission Digital Identities

Execute the immediate suspension of all virtual permissions linked to the departing individual. This results in the protection of cloud repositories, databases, and internal networks from unauthorised post-employment access.

  • Disable IAM roles and single sign-on (SSO) credentials within a defined timeframe, typically less than one hour for high-risk leavers.
  • Recover or rotate any shared administrative credentials or SSH keys previously known to the individual.
  • Ensure the transfer of ownership for critical digital assets, such as shared drive folders or departmental mailboxes, to an active supervisor.

5. Execute Asset Sanitisation or Secure Disposal

Perform data wiping or physical destruction of storage media according to the data classification level. This action results in the prevention of residual data discovery if the asset is destined for reuse or end-of-life disposal.

  • Utilise certified software-based data sanitisation tools to overwrite data on returned drives before reissuing them to new staff.
  • Maintain a “Certificate of Destruction” for any assets that are physically decommissioned or sent to a third-party recycling partner.
  • Update the Master Asset Register to reflect the current status (e.g. In Stock, Sanitised, or Disposed) for every item.
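As an added example (not code from the article or from the High Table toolkit), the following Python script performs the cross-check that steps 2 to 5 above set up and that an auditor's "Retrieval Chain" sample tests: it joins an HR leaver list, the asset register and IT account-disable tickets, and reports, per leaver, any asset still issued to them and any required account not disabled by the deadline (within one hour of departure for high-risk leavers, otherwise by the end of the last day). The record layouts, field names and sample rows are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): the three record sets an auditor
# cross-references when sampling a leaver. Timestamps are ISO 8601 in one timezone.
LEAVERS = [
    {"user": "asmith", "left_at": "2024-03-15T12:00:00", "risk": "high"},
    {"user": "bjones", "left_at": "2024-03-20T17:30:00", "risk": "standard"},
    {"user": "cwang",  "left_at": "2024-03-22T17:00:00", "risk": "standard"},
]
ASSET_REGISTER = [
    {"tag": "LT-0101", "assigned_to": "asmith", "status": "In Stock"},
    {"tag": "PH-0042", "assigned_to": "asmith", "status": "Issued"},     # never handed in
    {"tag": "LT-0102", "assigned_to": "bjones", "status": "Sanitised"},
    {"tag": "LT-0103", "assigned_to": "cwang",  "status": "In Stock"},
]
DISABLE_TICKETS = [
    {"user": "asmith", "system": "sso",   "closed_at": "2024-03-15T12:20:00"},
    {"user": "asmith", "system": "email", "closed_at": "2024-03-15T14:10:00"},  # > 1 h
    {"user": "bjones", "system": "sso",   "closed_at": "2024-03-20T18:00:00"},
    {"user": "bjones", "system": "email", "closed_at": "2024-03-20T18:01:00"},
    {"user": "bjones", "system": "vpn",   "closed_at": "2024-03-20T18:02:00"},
    {"user": "cwang",  "system": "sso",   "closed_at": "2024-03-23T09:00:00"},  # next day
    {"user": "cwang",  "system": "email", "closed_at": "2024-03-22T17:30:00"},
    {"user": "cwang",  "system": "vpn",   "closed_at": "2024-03-22T17:31:00"},
]

REQUIRED_SYSTEMS = ("sso", "email", "vpn")            # accounts every leaver must lose
RETURNED_STATUSES = {"In Stock", "Sanitised", "Disposed"}  # register states after hand-in
HIGH_RISK_WINDOW = timedelta(hours=1)


def disable_deadline(leaver):
    """High-risk leavers: within one hour of departure; otherwise end of the last day."""
    left_at = datetime.fromisoformat(leaver["left_at"])
    if leaver["risk"] == "high":
        return left_at + HIGH_RISK_WINDOW
    return left_at.replace(hour=23, minute=59, second=59)


def check_leaver(leaver, register, tickets):
    """Return the retrieval-chain findings for one leaver; an empty list means clean."""
    user, findings = leaver["user"], []
    # 1. Asset register link: anything still 'Issued' to the leaver was not recovered.
    for row in register:
        if row["assigned_to"] == user and row["status"] not in RETURNED_STATUSES:
            findings.append(f"asset {row['tag']} still {row['status']}")
    # 2. Digital return: every required system needs a closed disable ticket in time.
    deadline = disable_deadline(leaver)
    closed = {t["system"]: datetime.fromisoformat(t["closed_at"])
              for t in tickets if t["user"] == user}
    for system in REQUIRED_SYSTEMS:
        if system not in closed:
            findings.append(f"{system} account: no disable ticket")
        elif closed[system] > deadline:
            late = closed[system] - deadline
            findings.append(f"{system} account disabled {late} after deadline")
    return findings


def audit(leavers=LEAVERS, register=ASSET_REGISTER, tickets=DISABLE_TICKETS):
    """Map each leaver to their findings: the view an auditor's sample check needs."""
    return {l["user"]: check_leaver(l, register, tickets) for l in leavers}


if __name__ == "__main__":
    for user, findings in audit().items():
        print(user, "PASS" if not findings else "; ".join(findings))
```

Feeding it real exports from HR, the asset register and the ticketing system gives you the same evidence view before the auditor asks for it.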

Return of Assets Checklist

Asset Type | Action Required | Evidence | ISO 27001:2022 Control
Physical Hardware | Return Laptop, Phone, Keys, Access Badge. | Signed “Equipment Return Form”. | Annex A 5.11 / 7.2
Digital Accounts | Disable Active Directory / Email / SaaS Accounts. | Ticket closed by IT. | Annex A 5.11 / 5.18
BYOD (Personal) | Wipe Company Email/Teams from personal phone. | Signed “Data Deletion Declaration”. | Annex A 5.11 / 6.7
Intellectual Property | Return paper files / notebooks. | Exit Interview Note. | Annex A 5.11 / 5.13

ISO 27001 Templates

The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification and having ISO 27001 templates can help fast track your ISO 27001 implementation. The following templates are designed for ISO 27001 Return Of Assets:

ISO 27001 Asset Management Policy Template

Download the Asset Management Policy Template

ISO 27001 Physical Asset Register Template

Download the Physical Asset Register Template

ISO 27001 Data Asset Register Template

Download the Data Asset Register Template

How to comply

To comply with ISO 27001 Annex A 5.11 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:

  • Put in place contracts with employees and third parties that cover the use and return of assets
  • Implement your HR Starter, Leaver, Mover process so that it includes assets
  • Allocate assets to individuals and maintain a record
  • On termination of contract, ensure the secure transport and return of the asset
  • Implement a process to securely store returned assets before reuse or reallocation
  • Consider remote wiping assets and devices, as appropriate, before they are transported back
  • Where employees and third parties use their own devices, ensure processes are in place and followed for the deletion of company data assets
  • Consider the documentation and knowledge transfer from employees and third parties
  • Put in place appropriate controls during the notice period to prevent copying of information and intellectual property

How to pass the ISO 27001 Annex A 5.11 audit

To pass an audit of ISO 27001 Annex A 5.11 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas. Let's go through them.

1. There is a starter, leaver, mover process

The audit will check you have a starter, leaver, mover process documented and that you are following it. It will check that the return of assets is included in that process. It will then seek evidence that it has been followed at least once. They will randomly choose a sample of leavers and ask you to walk through what you did when they left. They are checking that you followed your written process and have evidence that the assets were returned.

2. There is an up to date asset register

The asset register will be checked to see that it meets the requirements of the standard and, as a minimum, that assets are allocated to owners. Where assets are returned, even if not reallocated, they will want to see that recorded in the asset register. They may then ask questions around the physical security of stored assets – such as whether they are locked away, who has access, and what the process is for secure disposal / destruction.

3. Contracts are in place

They are going to look at your employee contracts and your third party contracts and see if the return of assets is mentioned and covered. There are other security clauses that are required, but where appropriate, they want to see that contracts cover the return of assets. This can include the deletion of data and information where personal or Bring Your Own Devices have been allowed and used. It would be sensible for them to sample any BYOD devices that belong to people who have left and ask you how you ensured data was deleted. Clearly they will not audit the actual device but the process you went through and the assurances that you got.

Top 3 ISO 27001 Annex A 5.11 Mistakes People Make and How to Avoid Them

The top 3 mistakes people make for ISO 27001 Annex A 5.11 are:

1. Your asset register is not up to date

Not having an asset register, having an asset register that does not record all devices, or having an asset register that is out of date is the number 1 mistake people make. Usually this is because it is an admin step that can get lost in the course of running a business.

2. Assets were not destroyed securely

Not a direct part of the return of assets, but auditors do check secure destruction and that it followed the process. It is common for organisations to have a room full of old assets that they do not know what to do with, so they keep them forever. Over time this can become a nightmare, as no one knows why they are kept, what is on them or whether they are needed, which brings up legal, regulatory and contractual issues.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no leftover comments are all good practices.

Applicability of ISO 27001 Annex A 5.11 across different business models.

Business Type | Applicability & Interpretation | Examples of Control

Small Businesses
Applicability: Physical Keys & Basic Hardware. For small teams, assets are often physical. Compliance focuses on retrieving office keys, laptops, and ensuring no company data remains on personal phones (BYOD).
Examples of Control:
  • Exit Checklist: A manual sign-off sheet confirming the return of office keys and the company credit card before the final paycheck is released.
  • BYOD Wipe: A “Data Deletion Declaration” signed by the leaver confirming they have removed company email and WhatsApp chats from their personal device.

Tech Startups
Applicability: Developer Laptops & Local Code. The biggest risk is code sitting on a developer’s local machine. “Return of Assets” implies ensuring that the intellectual property (code) is wiped or returned to the central repo.
Examples of Control:
  • MDM Lock: Using Mobile Device Management (e.g., Jamf or Kandji) to remotely lock and wipe the corporate MacBook immediately upon termination.
  • Asset Re-imaging: A procedure to re-image returned laptops to a clean state before reassigning them to new hires, ensuring no residual data exists.

AI Companies
Applicability: Research Data & Weights. Assets include “Knowledge Assets.” Ensuring that researchers return local copies of datasets, model weights, or unpublished papers stored on local drives or personal clouds.
Examples of Control:
  • Data Transfer Audit: Checking the leaver’s local storage and cloud transfer logs to ensure no proprietary training data was “backed up” to a personal drive before exit.
  • Access Token Revocation: Immediate invalidation of any personal API tokens (e.g., Hugging Face, OpenAI) associated with the leaver’s identity.

Fast Track ISO 27001 Annex A 5.11 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.11 (Return of assets), the requirement is to ensure that employees and contractors return all organizational assets in their possession upon change or termination of their contract. This is a critical physical and procedural control designed to protect sensitive data and intellectual property.

Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example
Policy Ownership | Rents access to offboarding rules; if you cancel the subscription, your documented return standards and leaver history vanish. | Permanent Assets: Fully editable Word/Excel Asset Management Policies and Checklists you own forever. | A localized “Return of Assets Procedure” defining mandatory data deletion for BYOD devices and physical key returns.
Operational Utility | Attempts to “automate” offboarding via dashboards that cannot physically collect laptops or verify the return of physical keys. | Governance-First: Provides the framework to formalize your existing HR and IT “Leaver” workflows into an auditor-ready system. | A completed “Return of Assets Checklist” signed by both the leaver and IT/HR to prove all hardware was recovered.
Cost Efficiency | Charges a “Headcount Tax” or “Leaver Fee” that scales costs as your company grows and staff turnover occurs. | One-Off Fee: A single payment covers your return governance for 2 employees a year or 2,000. | Allocating budget to remote-wipe software or courier recovery services rather than monthly “compliance dashboard” fees.
Strategic Freedom | Mandates rigid reporting formats that often fail to align with unique office setups or flexible remote-work models. | 100% Agnostic: Procedures adapt to your environment: IT collection desks, mail-back services, or remote-wipe protocols. | The ability to evolve your HR strategy and offboarding checklists without reconfiguring a rigid SaaS compliance module.

Summary: For Annex A 5.11, the auditor wants to see that you have a formal process for the return of assets and proof that you follow it (e.g., signed return forms and updated asset registers). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 5.11 FAQ

What is ISO 27001 Annex A 5.11?

ISO 27001 Annex A 5.11 is an organisational control that requires all employees and external parties to return all organisational assets in their possession upon termination of their employment, contract, or agreement.

  • Ensures that hardware, software, and physical data do not remain with unauthorised individuals.
  • Protects intellectual property and proprietary information.
  • Forms a critical part of the formalised offboarding lifecycle.
  • Applies to both permanent staff and third-party contractors.

Is a formal asset return policy mandatory?

Yes, a documented policy or procedure for the return of assets is essential to satisfy the requirements of Annex A 5.11 and provide legal standing for equipment recovery.

  • It defines clear timelines for the return of equipment.
  • It outlines the specific roles and responsibilities of HR, IT, and management.
  • It establishes the legal right to recover costs for unreturned items where applicable.
  • It provides a repeatable framework for auditors to verify compliance.

What items are included in the return of assets?

The scope of Annex A 5.11 extends beyond physical hardware to include all types of information and organisational property.

  • Physical hardware: Laptops, mobile phones, tablets, and monitors.
  • Access credentials: ID badges, physical keys, and MFA tokens.
  • Information assets: Intellectual property, customer data, and printed documentation.
  • Digital assets: Backups, software licenses, and cloud-stored corporate files.

Who is responsible for the return of assets?

The responsibility for managing the return of assets is typically shared across HR, IT, and the departing individual’s line manager.

  • HR: Initiates the offboarding workflow and communicates final requirements to the leaver.
  • IT: Verifies the return and functional state of technical hardware and digital data.
  • Line Manager: Ensures physical hand-overs occur and access cards are recovered on the final day.
  • Individual: Contractually obligated to return all property in their possession.

Does Annex A 5.11 cover digital data and files?

Yes, digital information assets are a core focus of Annex A 5.11, requiring users to return or delete corporate data stored on personal or external devices.

  • Includes the removal of corporate email accounts from personal smartphones.
  • Requires the handover of any administrative passwords or encryption keys.
  • Mandates the return of physical storage media like USB drives or external hard disks.
  • Covers intellectual property created during the term of employment.

What evidence do auditors look for during an ISO 27001 audit?

Auditors seek verifiable proof that the asset return process is being consistently followed for every individual leaving the organisation.

  • Signed offboarding checklists for recent leavers.
  • Updated asset registers showing the change in equipment status.
  • Records of access card deactivation and key recovery.
  • Evidence that digital accounts were disabled in tandem with asset return.

What happens if an employee fails to return organisational assets?

Failure to return assets should be treated as a security incident and managed through defined legal and contractual escalations.

  • Immediate remote wiping of mobile devices and laptops where technically possible.
  • Reporting unreturned items to insurance providers for replacement recovery.
  • Legal communication regarding the retention of intellectual property.
  • Withholding final settlement amounts where permitted by local employment laws.

Further Reading

A Practical Guide: How to Implement ISO 27001:2022 Annex A 5.11 – Return of Assets

How to Audit ISO 27001 Annex A 5.11: A Practical Guide to Return of Assets

ISO 27001 Annex A 5.11 Return of Assets: A 10-Point Implementation Checklist

The Ultimate 10-Point Audit Checklist for ISO 27001 Return of Assets (A.5.11)

A Practical Guide for SMEs: Mastering ISO 27001 Annex A 5.11 – Return of Assets

A Guide for AI Companies to ISO 27001 Annex A 5.11: Return of Assets

A Tech Startup’s Practical Guide to ISO 27001 Annex A 5.11: Return of Assets

ISO 27001 Return of Assets Beginner’s Guide

ISO 27001 Asset Management Policy Beginner’s Guide

ISO 27001 Physical Asset Register Beginner’s Guide

ISO 27001 Controls and Attribute Values

Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
Preventive | Confidentiality, Integrity, Availability | Protect | Asset management | Protection

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
