ISO 27001 Annex A 5.11 Return of Assets is a security control that ensures all organizational property is recovered upon termination of employment or contracts. The primary implementation requirement is establishing a formal asset retrieval process, delivering the business benefit of preventing data breaches and protecting intellectual property.
In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.11 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.11 Return of Assets
ISO 27001 Annex A 5.11 requires that personnel and other interested parties return all organization-owned assets in their possession upon termination of their employment, contract, or agreement. This “preventive” control is a critical part of the Joiners, Movers, and Leavers (JML) process. The goal is to ensure that confidential data, intellectual property, and physical hardware (like laptops and access badges) are secured before an individual leaves the organization’s sphere of control.
Core requirements for compliance include:
- Formal Asset Retrieval Process: You must have a documented procedure for collecting assets. This should be triggered automatically by HR whenever a resignation or termination notice is received.
- Legal Enforcement: Employee and contractor agreements must include explicit clauses requiring the return of all assets. Without this, you have no legal leverage to retrieve company property.
- Digital “Return” of Access: The return of assets isn’t just physical. You must revoke access to email, VPNs, and SaaS applications (e.g., Salesforce, Slack) immediately upon the individual’s departure.
- BYOD Data Deletion: If employees use personal devices for work (BYOD), you must ensure company data is wiped from those devices. This is typically done via Remote Wipe or a formal declaration of deletion signed by the leaver.
- Intellectual Property Retrieval: Beyond hardware, you must ensure that physical notebooks, paper files, and “knowledge assets” (like client lists or source code) are returned or transferred to a successor.
Audit Focus: Auditors will look for “The Retrieval Chain”:
- Sample Verification: An auditor will pick a random person who left the company in the last 6 months and ask: “Show me the evidence that their laptop was returned and their email was disabled on their last day.”
- The Asset Register Link: They will check if the Physical Asset Register (A.5.9) was updated to show the device is now “In Stock” or reallocated.
- Third-Party Coverage: They will check if your contracts with freelancers or vendors include the same “Return of Assets” requirements as your staff contracts.
Return of Assets Checklist (Audit Prep):
| Asset Type | Critical Action Required | Required Audit Evidence |
|---|---|---|
| Physical Hardware | Collect Laptop, Phone, and Keys. | Signed “Equipment Return Form.” |
| Digital Identity | Disable AD / Email / SaaS Accounts. | Closed IT Ticket (timestamped). |
| Physical Access | Retrieve Badge / Keycard. | Log entry in Access Control system. |
| BYOD (Personal) | Wipe Company Email & Teams. | Signed “Data Deletion Declaration.” |
| IP & Documents | Return Paper Files / Notebooks. | Exit Interview Note or Checklist. |
Table of contents
- What is ISO 27001 Annex A 5.11?
- Watch the ISO 27001 Annex A 5.11 Tutorial
- ISO 27001 Annex A 5.11 Podcast
- ISO 27001 Annex A 5.11 Implementation Guidance
- How to implement ISO 27001 Annex A 5.11
- ISO 27001 Annex A 5.11 Implementation Checklist
- How to audit ISO 27001 Annex A 5.11
- ISO 27001 Annex A 5.11 Audit Checklist
- Return of Assets Checklist
- ISO 27001 Templates
- How to comply
- How to pass the ISO 27001 Annex A 5.11 audit
- What the auditor will check
- Top 3 ISO 27001 Annex A 5.11 Mistakes People Make and How to Avoid Them
- Applicability of ISO 27001 Annex A 5.11 across different business models
- Fast Track ISO 27001 Annex A 5.11 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.11 Applicable Laws and Related Standards
- ISO 27001 Annex A 5.11 FAQ
- ISO 27001 Related Controls and Further Reading
- ISO 27001 Controls and Attribute Values
What is ISO 27001 Annex A 5.11?
ISO 27001 Annex A 5.11 is about the return of assets, which means you must get back all organisational assets from people who leave or change jobs.
ISO 27001 Annex A 5.11 Return of Assets is an ISO 27001 control that requires people holding organisation assets to return them when they leave.
ISO 27001 Annex A 5.11 Purpose
The purpose of ISO 27001 Annex A 5.11 is to ensure you protect the organisation’s assets as part of the process of changing or terminating employment, contract or agreement.
ISO 27001 Annex A 5.11 Definition
The ISO 27001 standard defines ISO 27001 Annex A 5.11 as:
Personnel and other interested parties as appropriate should return all the organisation’s assets in their possession upon change or termination of their employment, contract or agreement.
ISO 27001:2022 Annex A 5.11 Return of Assets
Watch the ISO 27001 Annex A 5.11 Tutorial
In the video ISO 27001 Annex A 5.11 Return Of Assets Explained, I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 5.11 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.11 Return Of Assets. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 5.11 Implementation Guidance
You are going to have to
- Have an Asset Management Policy that sets out what you do for asset management
- Put in place an asset management process that describes exactly what you do through the asset management lifecycle
- Keep an asset register up to date that shows who is allocated what asset – which we covered in ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets Beginner’s Guide
- Put in place rules for the acceptable use of assets – which we covered in ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets Beginner’s Guide
- Have legal contracts for employees and third parties that include clauses about assets, what they can do with them and that they must return them on termination
- Have an HR Starter, Leaver, Mover process that covers assets
You will need a process for people to return assets to you when they leave or your contract ends with them.
It is simple and straightforward, but there are a couple of steps to put in place first.
Consider the employee who leaves.
Do we know what they have? Do they know they need to return it? How do they return it, and in what time frame?
How to implement ISO 27001 Annex A 5.11
Implementing ISO 27001 Annex A 5.11 is a critical security safeguard to ensure that organisational property, both physical and digital, is recovered when an individual’s relationship with the business ends. As a Lead Auditor, I have seen many organisations fail here because they rely on memory rather than a structured process. By following these 10 steps, you will establish a watertight offboarding procedure that protects your intellectual property and reduces your attack surface. This process ensures that assets are returned, access is revoked, and the risk of post-employment data breaches is effectively mitigated.
1. Formalise the Return of Assets Policy
- Document clear requirements within your Information Security Policy that mandate the return of all hardware and software upon termination of employment or contract.
- Ensure the policy explicitly covers employees, contractors, and third-party consultants.
- Result: A legally enforceable mandate that sets clear expectations for all personnel from the outset of their engagement.
2. Integration with the Human Resources Exit Process
- Embed the asset return requirements into the standard HR exit interview and offboarding checklist.
- Coordinate timelines between HR, IT, and Department Heads to ensure assets are recovered before the final day of service.
- Result: A synchronised workflow that prevents personnel from leaving the premises while still in possession of critical assets.
3. Provision a Comprehensive Asset Register
- Maintain an accurate Asset Register that links specific serial numbers and logical assets to individual owners.
- Ensure the register includes “intangible” assets such as proprietary software licenses and encryption keys.
- Result: Full visibility of exactly what needs to be recovered from a specific individual during the offboarding phase.
4. Utilise Record of Equipment (ROE) Documentation
- Implement a Record of Equipment (ROE) log that requires a signature from the user upon receipt and return of physical items.
- Use these documents as the primary evidence for internal and external ISO 27001 audits.
- Result: An auditable paper trail that confirms the physical chain of custody for company hardware.
5. Revoke Logical Access via IAM Roles
- Immediately disable or delete accounts within your Identity and Access Management (IAM) system upon the exit date.
- Ensure that access to cloud repositories, SaaS applications, and internal databases is included in the revocation.
- Result: Immediate cessation of the user’s ability to access organisational data remotely or from personal devices.
6. Deprovision Multi-Factor Authentication (MFA)
- Revoke MFA seeds and hardware tokens associated with the individual to prevent secondary bypass attempts.
- Ensure that company-owned mobile phones used for MFA are physically returned and factory reset.
- Result: Elimination of residual authentication pathways that could be exploited post-termination.
7. Secure the Handover of Critical Information
- Enforce a formal knowledge transfer process for administrative passwords, encryption keys, and master files.
- Verify that no “single point of failure” exists where only the departing individual has access to specific encrypted assets.
- Result: Continuous operational resilience and the prevention of data being locked out following a departure.
8. Implement Secure Data Sanitisation for Returned Assets
- Follow a formal decommissioning process that includes data wiping or physical destruction of storage media for returned hardware.
- Maintain certificates of destruction or sanitisation logs for all storage-bearing devices.
- Result: Prevention of data leakage when assets are repurposed for new employees or sent for recycling.
9. Manage the Return of Assets for Role Changes
- Apply the return of assets protocol when an employee moves to a new department with different security requirements.
- Recover assets and access rights that are no longer required for the new role to maintain the principle of least privilege.
- Result: Reduced internal risk by preventing “privilege creep” as staff move through the organisation.
10. Audit the Offboarding Process Regularly
- Conduct quarterly spot checks comparing HR leaver logs against the Asset Register and IAM revocation timestamps.
- Report any discrepancies to the management review meeting to ensure continuous process improvement.
- Result: Verification that the control is operating effectively and remains compliant with Annex A 5.11 requirements.
ISO 27001 Annex A 5.11 Implementation Checklist
The ISO 27001 Annex A 5.11 implementation checklist provides a rigorous framework for recovering physical and digital assets during personnel transitions. By synchronising HR exit processes with IT revocation and physical hardware collection, organisations can effectively eliminate the risk of post-employment data breaches and unauthorised access.
| Step | Implementation Task | Requirement Example |
|---|---|---|
| 1 | Update Asset Return Policy | Formalise a policy requiring all information assets to be returned upon termination. |
| 2 | Define Responsibility Scope | Explicitly include employees, contractors, and third-party consultants in the return mandate. |
| 3 | Align with HR Offboarding | Embed asset return triggers into the standard HR exit interview and leaver checklist. |
| 4 | Maintain Record of Equipment | Utilise a Record of Equipment (ROE) log to track hardware issuance and return signatures. |
| 5 | Revoke Logical Access | Disable IAM roles, SSO accounts, and SaaS access immediately on the final day of service. |
| 6 | Deprovision MFA Seeds | Revoke Multi-Factor Authentication seeds and recover any physical hardware tokens or keys. |
| 7 | Knowledge Handover | Ensure administrative passwords and encryption keys are transferred to authorised personnel. |
| 8 | Secure Data Sanitisation | Sanitise returned hardware according to industry standards before decommissioning or reissuing. |
| 9 | Manage Role Transitions | Apply return protocols when staff move between departments with different security profiles. |
| 10 | Perform Regular Audits | Conduct quarterly spot checks comparing HR leaver logs against Asset Register updates. |
How to audit ISO 27001 Annex A 5.11
Auditing ISO 27001 Annex A 5.11 requires a meticulous examination of the offboarding lifecycle to ensure no physical or digital assets remain in the possession of former employees or contractors. As a Lead Auditor, I look for a watertight “Return of Assets” process where the Asset Register, HR records, and IT revocation logs align perfectly. Follow these 10 steps to verify that your organisation effectively prevents data leakage and asset loss during personnel transitions.
1. Review the Return of Assets Policy
- Examine the formal policy to ensure it clearly defines the responsibilities of employees, contractors, and management regarding asset return.
- Verify that the policy specifies timeframes for the return of equipment following termination or change of role.
- Result: Confirmation of a documented mandate that governs the recovery of organisational property.
2. Cross-Reference HR Leavers Logs with Asset Records
- Sample a list of recent leavers from HR records and trace them back to the Asset Register.
- Verify that every item originally assigned to the individual has been marked as returned or decommissioned.
- Result: Assurance that the inventory remains accurate and that “ghost assets” are not left with former staff.
3. Inspect the Record of Equipment (ROE) Logs
- Audit the ROE documents to check for physical signatures or digital timestamps confirming the receipt of returned hardware.
- Ensure serial numbers on returned items match the original issuance records.
- Result: Validated physical evidence of the transfer of custody for laptops, mobiles, and hardware tokens.
4. Audit IAM Role Revocation and Access Logs
- Review Identity and Access Management (IAM) logs to confirm that logical access was revoked immediately upon the user’s departure.
- Verify that “Single Sign-On” (SSO) and individual application accounts are disabled in alignment with the exit date.
- Result: Proof that the organisation has eliminated the risk of unauthorised remote access by former personnel.
5. Verify Multi-Factor Authentication (MFA) De-provisioning
- Check that MFA seeds, hardware keys, or mobile authenticator links associated with the leaver have been revoked.
- Confirm that company-owned MFA hardware has been physically recovered.
- Result: Technical certainty that the secondary layer of authentication cannot be bypassed or misused.
6. Inspect Secure Disposal and Data Sanitisation Records
- Examine certificates of data destruction for assets that were decommissioned rather than reassigned.
- Verify that the sanitisation process follows industry standards to prevent data recovery from returned hard drives.
- Result: Evidence that sensitive information has been permanently removed from the asset lifecycle.
7. Audit the Recovery of Intangible Information Assets
- Confirm that intellectual property, such as source code, internal documentation, and encryption keys, has been accounted for.
- Verify that access to proprietary cloud repositories (e.g., GitHub, AWS) was removed.
- Result: Protection of the organisation’s competitive advantage and sensitive digital IP.
8. Evaluate Management Oversight of the Exit Checklist
- Review completed exit checklists to ensure they have been signed off by the relevant department head or IT manager.
- Check for instances where assets were not returned and verify if the organisation followed its recovery or “loss” procedure.
- Result: Confirmation of management accountability for the final stages of the asset management process.
9. Test the Return of Assets for Third-Party Contractors
- Perform a deep-dive audit on the offboarding process for temporary contractors and external consultants.
- Verify that contractual clauses regarding the return of data and hardware were enforced upon contract completion.
- Result: Mitigation of the specific risks associated with external partners and supply chain access.
10. Verify Knowledge Transfer and Handover Integrity
- Examine evidence that critical administrative passwords or master keys held by the individual were changed or handed over.
- Confirm that the individual no longer possesses unique knowledge that creates a “single point of failure” for asset access.
- Result: Maintenance of operational resilience and security continuity post-departure.
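Implementation step 10 and audit steps 2 and 4 above both come down to the same reconciliation: the HR leaver log, the asset register and the IAM revocation timestamps must agree for every leaver. The script below is an added example, not part of the original article or any toolkit template; all records are constructed sample data and the field names (`user_id`, `last_day`, `assigned_to`, `status`, `action`, `timestamp`) are assumptions about how an organisation might export these three sources.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple


# Constructed sample records (not exported from any real system) standing in
# for the three sources the audit cross-references.
@dataclass(frozen=True)
class Leaver:
    user_id: str
    last_day: date            # final day of service per the HR leaver log


@dataclass(frozen=True)
class Asset:
    asset_id: str
    serial: str
    assigned_to: Optional[str]   # user_id of the holder, or None once restocked
    status: str                  # "Issued", "Returned", "In Stock", "Decommissioned"


@dataclass(frozen=True)
class IamEvent:
    user_id: str
    action: str                  # e.g. "disabled", "deleted", "login"
    timestamp: datetime


HR_LEAVERS = [
    Leaver("u1001", date(2024, 3, 29)),
    Leaver("u1002", date(2024, 4, 12)),
    Leaver("u1003", date(2024, 5, 3)),
]

ASSET_REGISTER = [
    Asset("A-0001", "SN-LAP-77A1", None, "In Stock"),      # u1001's laptop, restocked
    Asset("A-0002", "SN-PHN-12B4", "u1002", "Issued"),     # phone still with the leaver
    Asset("A-0003", "SN-LAP-9C22", "u1003", "Returned"),   # returned, not yet reassigned
    Asset("A-0004", "SN-TOK-0F31", "u1003", "Issued"),     # hardware MFA token outstanding
]

IAM_EVENTS = [
    IamEvent("u1001", "disabled", datetime(2024, 3, 29, 17, 5)),   # same day as exit
    IamEvent("u1002", "disabled", datetime(2024, 4, 15, 9, 30)),   # three days late
    # u1003 has no disable/delete event at all
]

# Register statuses that count as "asset recovered" for the purpose of 5.11.
OK_STATUSES = {"Returned", "In Stock", "Decommissioned"}
REVOCATION_ACTIONS = {"disabled", "deleted"}


def earliest_revocations(events: List[IamEvent]) -> dict:
    """Map user_id -> timestamp of the first disable/delete event for that user."""
    first = {}
    for ev in events:
        if ev.action not in REVOCATION_ACTIONS:
            continue
        if ev.user_id not in first or ev.timestamp < first[ev.user_id]:
            first[ev.user_id] = ev.timestamp
    return first


def reconcile(leavers: List[Leaver], assets: List[Asset],
              events: List[IamEvent]) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for every break in the retrieval chain:
    an asset still issued to a leaver, an account never revoked, or an account
    revoked only after the recorded last day."""
    findings = []
    revoked_at = earliest_revocations(events)
    for lv in leavers:
        for a in assets:
            if a.assigned_to == lv.user_id and a.status not in OK_STATUSES:
                findings.append((lv.user_id, f"asset {a.asset_id} ({a.serial}) still {a.status}"))
        ts = revoked_at.get(lv.user_id)
        if ts is None:
            findings.append((lv.user_id, "no IAM disable/delete event recorded"))
        elif ts.date() > lv.last_day:
            late = (ts.date() - lv.last_day).days
            findings.append((lv.user_id, f"IAM account disabled {late} day(s) after last day"))
    return findings


def leavers_with_clean_chain(leavers: List[Leaver], findings: List[Tuple[str, str]]) -> List[str]:
    """user_ids for whom the spot check raised nothing (evidence the control operated)."""
    flagged = {uid for uid, _ in findings}
    return [lv.user_id for lv in leavers if lv.user_id not in flagged]


if __name__ == "__main__":
    results = reconcile(HR_LEAVERS, ASSET_REGISTER, IAM_EVENTS)
    for uid, finding in results:
        print(f"{uid}: {finding}")
    print("clean:", leavers_with_clean_chain(HR_LEAVERS, results))
```

Run against real exports, the findings list is the discrepancy report the management review in step 10 asks for; an empty list for a sampled leaver is the evidence the auditor wants for audit steps 2 and 4.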
ISO 27001 Annex A 5.11 Audit Checklist
| Item | What to Check | Audit Evidence Example | GRC Platform Check |
|---|---|---|---|
| 1 | Asset Return Policy | Review the formal policy for clarity on employee and contractor return obligations. | Policy module: Approved “Return of Assets” document. |
| 2 | Offboarding Integration | Verify that the HR exit process triggers a notification to IT for asset recovery. | Workflow module: HR to IT handover task status. |
| 3 | Physical Asset Recovery | Sample recent leavers to verify physical return of laptops, mobiles, and tokens. | Asset module: Item status updated to “Returned” or “In Stock”. |
| 4 | ROE Accuracy | Check the Asset Register or Record of Equipment (ROE) for leaver return signatures. | Document module: Uploaded signed ROE return forms. |
| 5 | Logical Access Revocation | Audit IAM logs to ensure accounts were disabled on or before the final day of service. | IAM module: User status set to “Inactive” or “Deleted”. |
| 6 | MFA De-provisioning | Confirm that Multi-Factor Authentication seeds and hardware keys have been revoked. | Security module: MFA token revocation logs. |
| 7 | Knowledge Transfer | Check evidence that administrative passwords or master keys were handed over and changed. | Task module: Handover completion and password rotation logs. |
| 8 | Intangible Asset Recovery | Verify that access to proprietary code, cloud instances, and sensitive IP was removed. | User Access Review: Removal of leaver from GitHub/AWS groups. |
| 9 | Secure Sanitisation | Inspect records for data wiping or destruction of storage media from returned devices. | Evidence module: Sanitisation logs or destruction certificates. |
| 10 | Role Change Review | Verify that assets no longer required for a new internal role were returned. | Audit log: Asset transfer or return triggered by internal role change. |
Return of Assets Checklist
| Asset Type | Action Required | Evidence | ISO 27001:2022 Control |
|---|---|---|---|
| Physical Hardware | Return Laptop, Phone, Keys, Access Badge. | Signed “Equipment Return Form”. | Annex A 5.11 / 7.2 |
| Digital Accounts | Disable Active Directory / Email / SaaS Accounts. | Ticket closed by IT. | Annex A 5.11 / 5.18 |
| BYOD (Personal) | Wipe Company Email/Teams from personal phone. | Signed “Data Deletion Declaration”. | Annex A 5.11 / 6.7 |
| Intellectual Property | Return paper files / notebooks. | Exit Interview Note. | Annex A 5.11 / 5.13 |
ISO 27001 Templates
The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification and having ISO 27001 templates can help fast track your ISO 27001 implementation. The following templates are designed for ISO 27001 Return Of Assets:
ISO 27001 Asset Management Policy Template
Download the Asset Management Policy Template

ISO 27001 Physical Asset Register Template
Download the Physical Asset Register Template
ISO 27001 Data Asset Register Template
Download the Data Asset Register Template
How to comply
To comply with ISO 27001 Annex A 5.11 you are going to implement the ‘how’ for the ‘what’ the control is expecting. In short, you are going to:
- Put in place contracts with employees and third parties that cover the use and return of assets
- Implement your HR Starter, Leaver, Mover process that includes assets
- Allocate assets to individuals and maintain a record
- On termination of contract ensure the secure transport and return of the asset
- Implement a process to securely store returned assets before reuse or reallocation
- Consider the remote wiping, as appropriate, of assets and devices before transport when returning
- Where employees and third parties use their own devices, ensure processes are in place and followed for the deletion of company data assets
- Consider the documentation and knowledge transfer from employees and third parties
- Put in place appropriate controls during the notice period to prevent copying of information and intellectual property
How to pass the ISO 27001 Annex A 5.11 audit
To pass an audit of ISO 27001 Annex A 5.11 you are going to make sure that you have followed the steps above in how to comply.
What the auditor will check
The audit is going to check a number of areas. Let’s go through them.
1. There is a starter, leaver, mover process
The auditor will check that you have a starter, leaver, mover process documented and that you are following it. They will check that the return of assets is included in that process and will then seek evidence that it has been followed at least once. They will randomly choose a sample of leavers and ask you to walk through what you did when each of them left. They are checking that you followed your written process and have evidence that the assets were returned.
2. There is an up to date asset register
The asset register will be checked to see that it meets the requirements of the standard and, as a minimum, that assets are allocated to owners. Where assets are returned, even if not reallocated, they will want to see that recorded in the asset register. They may then ask questions around the physical security of stored assets – such as whether they are locked away, who has access, and what the process is for secure disposal / destruction.
3. Contracts are in place
They are going to look at your employee contracts and your third-party contracts to see if the return of assets is mentioned and covered. There are other security clauses that are required, but, where appropriate, they want to see that contracts cover the return of assets. This can include the deletion of data and information where personal or Bring Your Own Devices have been allowed and used. It would be sensible for them to sample any BYOD devices that belonged to people who have left and ask you how you ensured data was deleted. Clearly they will not audit the actual device but the process you went through and the assurances that you got.
Top 3 ISO 27001 Annex A 5.11 Mistakes People Make and How to Avoid Them
The top 3 mistakes people make for ISO 27001 Annex A 5.11 are:
1. Your asset register is not up to date
Either not having an asset register, having an asset register that does not record all devices, or having an asset register that is out of date is the number 1 mistake people make. Usually this is because it is an admin step that gets lost in the course of running a business.
2. Assets were not destroyed securely
Not a direct part of the return of assets, but auditors do check secure destruction and that it followed process. It is common for organisations to have a room full of old assets that they do not know what to do with, so they keep them forever. Over time this becomes a nightmare, as no one knows why they are kept, what is on them or whether they are needed, which raises legal, regulatory and contractual issues.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no stray comments are all good practices.
Applicability of ISO 27001 Annex A 5.11 across different business models
| Business Type | Applicability & Interpretation | Examples of Control |
|---|---|---|
| Small Businesses | Physical Keys & Basic Hardware. For small teams, assets are often physical. Compliance focuses on retrieving office keys, laptops, and ensuring no company data remains on personal phones (BYOD). | • Exit Checklist: A manual sign-off sheet confirming the return of office keys and the company credit card before the final paycheck is released. • BYOD Wipe: A “Data Deletion Declaration” signed by the leaver confirming they have removed company email and WhatsApp chats from their personal device. |
| Tech Startups | Developer Laptops & Local Code. The biggest risk is code sitting on a developer’s local machine. “Return of Assets” implies ensuring that the intellectual property (code) is wiped or returned to the central repo. | • MDM Lock: Using Mobile Device Management (e.g., Jamf or Kandji) to remotely lock and wipe the corporate MacBook immediately upon termination. • Asset Re-imaging: A procedure to re-image returned laptops to a clean state before reassigning them to new hires, ensuring no residual data exists. |
| AI Companies | Research Data & Weights. Assets include “Knowledge Assets.” Ensuring that researchers return local copies of datasets, model weights, or unpublished papers stored on local drives or personal clouds. | • Data Transfer Audit: Checking the leaver’s local storage and cloud transfer logs to ensure no proprietary training data was “backed up” to a personal drive before exit. • Access Token Revocation: Immediate invalidation of any personal API tokens (e.g., Hugging Face, OpenAI) associated with the leaver’s identity. |
Fast Track ISO 27001 Annex A 5.11 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.11 (Return of assets), the requirement is to ensure that employees and contractors return all organizational assets in their possession upon change or termination of their contract. This is a critical physical and procedural control designed to protect sensitive data and intellectual property.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Policy Ownership | Rents access to offboarding rules; if you cancel the subscription, your documented return standards and leaver history vanish. | Permanent Assets: Fully editable Word/Excel Asset Management Policies and Checklists you own forever. | A localized “Return of Assets Procedure” defining mandatory data deletion for BYOD devices and physical key returns. |
| Operational Utility | Attempts to “automate” offboarding via dashboards that cannot physically collect laptops or verify the return of physical keys. | Governance-First: Provides the framework to formalize your existing HR and IT “Leaver” workflows into an auditor-ready system. | A completed “Return of Assets Checklist” signed by both the leaver and IT/HR to prove all hardware was recovered. |
| Cost Efficiency | Charges a “Headcount Tax” or “Leaver Fee” that scales costs as your company grows and staff turnover occurs. | One-Off Fee: A single payment covers your return governance for 2 employees a year or 2,000. | Allocating budget to remote-wipe software or courier recovery services rather than monthly “compliance dashboard” fees. |
| Strategic Freedom | Mandates rigid reporting formats that often fail to align with unique office setups or flexible remote-work models. | 100% Agnostic: Procedures adapt to your environment—IT collection desks, mail-back services, or remote-wipe protocols. | The ability to evolve your HR strategy and offboarding checklists without reconfiguring a rigid SaaS compliance module. |
Summary: For Annex A 5.11, the auditor wants to see that you have a formal process for the return of assets and proof that you follow it (e.g., signed return forms and updated asset registers). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.11 Applicable Laws and Related Standards
| Framework / Law | Reference Clause | Mapping Context and Requirement |
|---|---|---|
| GDPR / UK Data (Use and Access) Act 2025 | Article 32 (Security of Processing) | Mandates the recovery of all personal data assets and access revocation upon termination to prevent unauthorised processing by former staff. |
| NIS2 / UK Cyber Security and Resilience Bill | Article 21 (HR Security) | Requires strict offboarding procedures for entities in essential sectors to ensure that critical infrastructure access is terminated and hardware is recovered. |
| DORA (Digital Operational Resilience Act) | Article 9 (Protection and Prevention) | Financial entities must ensure that ICT asset return is part of a formal termination process to maintain operational resilience and prevent insider threats. |
| NIST CSF 2.0 | PR.AA-06 (Asset Recovery) | Focuses on the lifecycle management of assets, specifically requiring that assets be returned and access revoked when an individual no longer requires them. |
| SOC2 (Trust Services Criteria) | CC6.1 (Access Revocation) | Requires evidence that access to systems and the physical return of assets occur promptly upon an employee’s or contractor’s termination. |
| EU AI Act / AI Standards | Article 15 (Cybersecurity) | Mandates that access to high-risk AI training environments and proprietary models is revoked to prevent IP theft or model tampering during offboarding. |
| HIPAA Security Rule | 45 CFR § 164.308(a)(3) | Requires “Termination Procedures” to ensure that access to Electronic Protected Health Information (ePHI) is ended and hardware recovered. |
| CCPA / CPRA (California) | Section 1798.100 | Necessitates the recovery of devices containing consumer data to ensure the organisation can fulfill data deletion and security obligations. |
| CIRCIA (USA) | Asset Integrity | Implicitly requires that assets recovered during offboarding are sanitised to prevent “incident triggers” caused by lost or stolen hardware. |
| EU Product Liability Directive (PLD) | Software Liability | Requires providers to maintain control over software development assets, ensuring departing developers return all source code and access keys. |
| ECCF (European Cybersecurity Cert. Framework) | Certification Integrity | Standardised security labels require proof that the developer lifecycle includes the secure recovery of all assets used to build and certify the product. |
ISO 27001 Annex A 5.11 FAQ
What is ISO 27001 Annex A 5.11?
ISO 27001 Annex A 5.11 is an organisational control that requires all employees and external parties to return all organisational assets in their possession upon termination of their employment, contract, or agreement.
- Ensures that hardware, software, and physical data do not remain with unauthorised individuals.
- Protects intellectual property and proprietary information.
- Forms a critical part of the formalised offboarding lifecycle.
- Applies to both permanent staff and third-party contractors.
Is a formal asset return policy mandatory?
Yes. Annex A 5.11 requires a documented procedure for the return of assets. The legal standing to recover equipment does not come from the policy itself but from the return clauses in the employment and contractor agreements that the procedure relies on.
- It defines clear timelines for the return of equipment.
- It outlines the specific roles and responsibilities of HR, IT, and management.
- It references the contractual right to recover costs for unreturned items where permitted.
- It provides a repeatable framework against which auditors can verify compliance.
What items are included in the return of assets?
The scope of Annex A 5.11 extends beyond physical hardware to include all types of information and organisational property.
- Physical hardware: Laptops, mobile phones, tablets, and monitors.
- Access credentials: ID badges, physical keys, and MFA tokens.
- Information assets: Intellectual property, customer data, and printed documentation.
- Digital assets: Backups, software licenses, and cloud-stored corporate files.
Who is responsible for the return of assets?
The responsibility for managing the return of assets is typically shared across HR, IT, and the departing individual’s line manager.
- HR: Initiates the offboarding workflow and communicates final requirements to the leaver.
- IT: Verifies the return and functional state of technical hardware and digital data.
- Line Manager: Ensures physical hand-overs occur and access cards are recovered on the final day.
- Individual: Contractually obligated to return all property in their possession.
Does Annex A 5.11 cover digital data and files?
Yes, digital information assets are a core focus of Annex A 5.11, requiring users to return or delete corporate data stored on personal or external devices.
- Includes the removal of corporate email accounts and work profiles from personal smartphones.
- Requires the handover of any administrative credentials or encryption keys the leaver held, followed by rotation of shared secrets they knew, since a handed-over password is still a password the leaver remembers.
- Mandates the return of physical storage media such as USB drives or external hard disks.
- Covers intellectual property created during the term of employment.
What evidence do auditors look for during an ISO 27001 audit?
Auditors seek verifiable proof that the asset return process is being consistently followed for every individual leaving the organisation.
- Signed offboarding checklists for recent leavers.
- Updated asset registers showing the change in equipment status.
- Records of access card deactivation and key recovery.
- Evidence that digital accounts were disabled in tandem with asset return.
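The evidence an auditor samples is really a three-way reconciliation: the HR leaver list against the asset register and against the identity directory. The script below is an added example (not code from the article) that performs that reconciliation and emits one finding per gap, so it also covers the digital-access question above. The record layouts, the field names and the 24-hour revocation target are assumptions for illustration, and the sample records are constructed, not real data.

```python
"""Offboarding reconciliation for Annex A 5.11 evidence.

Cross-checks HR leavers against the asset register and the identity
directory and reports every gap an auditor would pick up on.
Added example; record layouts and the 24-hour SLA are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass
class Leaver:
    user_id: str
    leave_date: date            # last day under the organisation's control


@dataclass
class AssetRecord:
    tag: str
    assigned_to: Optional[str]  # user_id, or None when the asset is in stock
    status: str                 # "assigned", "returned", "wiped", "lost", "in_stock"
    returned_on: Optional[date] = None


@dataclass
class Account:
    user_id: str
    enabled: bool
    disabled_at: Optional[datetime] = None


@dataclass
class Finding:
    user_id: str
    kind: str   # asset_not_returned | asset_no_return_date | account_still_enabled | late_disable
    detail: str


REVOCATION_SLA = timedelta(hours=24)   # assumed target: disable within a day of leaving


def reconcile(leavers, assets, accounts, as_of: date) -> list[Finding]:
    """Return one Finding per gap between the three record sets.

    A leaver is clean only when every asset assigned to them is in a
    terminal state with a date recorded, and their directory account is
    disabled no later than the end of leave_date plus REVOCATION_SLA.
    """
    findings: list[Finding] = []
    assets_by_user: dict[str, list[AssetRecord]] = {}
    for a in assets:
        if a.assigned_to:
            assets_by_user.setdefault(a.assigned_to, []).append(a)
    accounts_by_user = {acc.user_id: acc for acc in accounts}

    for lv in leavers:
        if lv.leave_date > as_of:
            continue                      # still employed: nothing to check yet
        for a in assets_by_user.get(lv.user_id, []):
            if a.status == "assigned":
                findings.append(Finding(lv.user_id, "asset_not_returned",
                                        f"{a.tag} still assigned after {lv.leave_date}"))
            elif a.returned_on is None:
                findings.append(Finding(lv.user_id, "asset_no_return_date",
                                        f"{a.tag} marked {a.status} without a date"))
        acc = accounts_by_user.get(lv.user_id)
        if acc is None:
            continue                      # no directory account on record
        deadline = datetime.combine(lv.leave_date, datetime.max.time()) + REVOCATION_SLA
        if acc.enabled:
            days = (as_of - lv.leave_date).days
            findings.append(Finding(lv.user_id, "account_still_enabled",
                                    f"directory account still enabled {days} days after leaving"))
        elif acc.disabled_at is not None and acc.disabled_at > deadline:
            findings.append(Finding(lv.user_id, "late_disable",
                                    f"disabled {acc.disabled_at:%Y-%m-%d %H:%M}, "
                                    f"deadline {deadline:%Y-%m-%d %H:%M}"))
    return findings


# Constructed sample records (not real). Alice is clean; Bob kept a laptop
# and his account is still live; Carol's laptop was wiped with no date
# recorded and her account was disabled three days late; Dave has not left yet.
SAMPLE_LEAVERS = [
    Leaver("u.alice", date(2024, 3, 1)),
    Leaver("u.bob", date(2024, 3, 4)),
    Leaver("u.carol", date(2024, 3, 6)),
    Leaver("u.dave", date(2024, 12, 1)),
]
SAMPLE_ASSETS = [
    AssetRecord("LT-0101", "u.alice", "returned", date(2024, 3, 1)),
    AssetRecord("BADGE-0101", "u.alice", "returned", date(2024, 3, 1)),
    AssetRecord("LT-0202", "u.bob", "assigned"),
    AssetRecord("YK-0202", "u.bob", "returned", date(2024, 3, 4)),
    AssetRecord("LT-0303", "u.carol", "wiped"),
    AssetRecord("LT-0404", None, "in_stock"),
]
SAMPLE_ACCOUNTS = [
    Account("u.alice", False, datetime(2024, 3, 1, 17, 30)),
    Account("u.bob", True),
    Account("u.carol", False, datetime(2024, 3, 9, 9, 0)),
    Account("u.dave", True),
]


def sample_findings() -> list[Finding]:
    return reconcile(SAMPLE_LEAVERS, SAMPLE_ASSETS, SAMPLE_ACCOUNTS, as_of=date(2024, 3, 15))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.user_id:10} {f.kind:22} {f.detail}")
```

In a real estate the three inputs come from the HRIS export, the asset register and an IdP query; running this on a schedule turns the audit sample into a continuous control, and the `late_disable` finding is the one that most often exposes an offboarding workflow that HR triggers but IT only picks up days later.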
What happens if an employee fails to return organisational assets?
Failure to return assets should be treated as a security incident and managed through defined legal and contractual escalations.
- Immediate remote wipe of mobile devices and laptops through the MDM platform where technically possible, with the result recorded against the asset in the register.
- Reporting unreturned items to insurance providers to recover replacement costs.
- Legal communication regarding the retention of intellectual property.
- Withholding final settlement amounts where permitted by local employment law.
ISO 27001 Related Controls and Further Reading
The following related guides cover the implementation, audit and supporting asset-management controls that the offboarding lifecycle depends on.
- A Practical Guide: How to Implement ISO 27001:2022 Annex A 5.11 – Return of Assets
- How to Audit ISO 27001 Annex A 5.11: A Practical Guide to Return of Assets
- ISO 27001 Annex A 5.11 Return of Assets: A 10-Point Implementation Checklist
- The Ultimate 10-Point Audit Checklist for ISO 27001 Return of Assets (A.5.11)
- A Practical Guide for SMEs: Mastering ISO 27001 Annex A 5.11 – Return of Assets
- A Guide for AI Companies to ISO 27001 Annex A 5.11: Return of Assets
- A Tech Startup’s Practical Guide to ISO 27001 Annex A 5.11: Return of Assets
- ISO 27001 Return of Assets Beginner’s Guide
- ISO 27001 Asset Management Policy Beginner’s Guide
- ISO 27001 Physical Asset Register Beginner’s Guide
ISO 27001 Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Protect | Asset management | Protection |