Auditing ISO 27001 Annex A 7.13 Security of Assets Off-premises is the critical evaluation of technical controls protecting devices outside secure perimeters. The Primary Implementation Requirement involves enforcing full-disk encryption and remote wiping, providing the Business Benefit of mitigating data leakage risks from stolen or lost physical assets.
ISO 27001 Annex A 7.13 Security of Assets Off-premises Audit Checklist
This technical verification tool is designed for lead auditors to verify the continuous protection of organisational assets when they are used outside the primary security perimeter. Use this checklist to validate compliance with ISO 27001 Annex A 7.13.
1. Off-premises Asset Authorisation Records Verified
Verification Criteria: Every instance of an information processing asset being removed from the organisation’s premises is supported by a documented authorisation from an appropriate level of management.
Required Evidence: Approved Asset Removal Requests or digital authorisation logs within the ITSM or HR system.
Pass/Fail Test: If a physical asset is missing from the office but has no corresponding recorded management approval for its removal, mark as Non-compliant.
2. Off-premises Asset Security Policy Formalised
Verification Criteria: A documented policy exists that explicitly defines the security standards, handling requirements, and personal responsibilities for assets used in remote or public environments.
Required Evidence: Approved “Mobile Working Policy” or “Off-premises Asset Policy” with evidence of recent management review.
Pass/Fail Test: If the organisation lacks a formalised set of rules for protecting assets outside the office (e.g., in transit or home offices), mark as Non-compliant.
3. Full Disk Encryption (FDE) Enforcement Validated
Verification Criteria: Technical controls are active on all portable devices to ensure that data remains inaccessible in the event of theft or loss during off-premises use.
Required Evidence: MDM (Mobile Device Management) or Endpoint Management reports showing “Encrypted” status for 100% of sampled remote endpoints.
Pass/Fail Test: If a sampled off-premises laptop is found to have BitLocker, FileVault, or equivalent encryption disabled or not managed centrally, mark as Non-compliant.
4. Physical Protection Training and Awareness Verified
Verification Criteria: Personnel are formally required to maintain physical custody of assets in transit and avoid leaving them unattended in public places or unmonitored vehicles.
Required Evidence: Signed “Asset Acceptance Forms” containing transit security clauses and training logs covering physical theft prevention.
Pass/Fail Test: If the organisation cannot prove that users were briefed on the specific risks of leaving hardware in vehicles or public spaces, mark as Non-compliant.
5. Remote Wipe and Tracking Capabilities Confirmed
Verification Criteria: The organisation possesses the technical capability to remotely lock, locate, or wipe off-premises assets that are reported as lost or stolen.
Required Evidence: MDM dashboard screenshots demonstrating remote command functionality and logs of any historical wipe executions.
Pass/Fail Test: If the organisation cannot technically execute a remote wipe command on a sampled mobile asset, mark as Non-compliant.
6. Secure Connection (VPN) Mandate Validated
Verification Criteria: Technical configurations ensure that off-premises assets must utilise a secure encrypted tunnel to access internal organisational resources.
Required Evidence: VPN configuration profiles on endpoints or firewall logs showing remote access limited to authorised encrypted tunnels.
Pass/Fail Test: If a remote asset can access internal file shares or sensitive SaaS applications over the public internet without an active VPN or ZTNA tunnel, mark as Non-compliant.
7. Off-premises Asset Maintenance and Patching Verified
Verification Criteria: Assets used primarily off-premises receive regular security patches and antivirus updates despite their physical location.
Required Evidence: Patch management dashboard showing “Compliant” status for devices that have not connected to the local office network for >30 days.
Pass/Fail Test: If off-premises assets show a significant lag in critical security updates compared to on-premises assets, mark as Non-compliant.
8. Public Display Privacy Controls Confirmed
Verification Criteria: Procedures or technical tools are utilised to prevent the unauthorised viewing of sensitive data on screens in public spaces (“shoulder surfing”).
Required Evidence: Physical sighting of privacy filters on sampled remote hardware or documented guidance on visual privacy in the remote work policy.
Pass/Fail Test: If staff handling high-sensitivity data are found working in public areas without privacy filters or explicit visual security guidance, mark as Non-compliant.
9. Off-premises Asset Inventory Reconciliation Verified
Verification Criteria: The organisation performs periodic audits to confirm the location, status, and integrity of all assets assigned for off-premises use.
Required Evidence: Annual asset reconciliation report or timestamped “Last Seen” reports for the entire mobile asset inventory.
Pass/Fail Test: If the organisation cannot verify the “Last Seen” status or physical existence of a sampled off-premises asset within the previous 90 days, mark as Non-compliant.
10. Return of Assets Procedure Integrity Validated
Verification Criteria: A formalised process ensures that all off-premises assets are returned, inspected, and securely wiped upon termination of employment or role change.
Required Evidence: Signed Off-boarding Checklists and technical logs confirming data sanitisation before asset reissue.
Pass/Fail Test: If an asset returned from off-premises use is reissued to a different user without a recorded data wipe/sanitisation step, mark as Non-compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Asset Authorisation | Tool checks if an employee has a laptop “assigned” in HR software. | Demand the Removal Log. The tool doesn’t know if the user walked out with a second unassigned monitor or server drive. |
| Encryption Status | SaaS tool identifies “Encryption Policy” is ‘Uploaded’. | Demand the MDM Report. A policy is intent; the auditor must see the actual 100% encryption coverage report. |
| Physical Custody | Platform marks “Compliant” because a training video was “Watched”. | Verify Liability. The auditor must check for signed acceptance of responsibility for unattended assets. |
| Remote Wipe | Tool shows a “Feature List” of the MDM provider. | Test the Execution. The auditor should see a log of a successful test wipe for a decommissioned test device. |
| Patch Management | Tool marks “Patching Active” based on an office LAN scan. | Check Offline Compliance. Assets used off-premises often miss patches if the scanner only checks the internal network. |
| Inventory Integrity | Platform identifies assets as “In Use” based on purchase date. | Verify the Ping. If a laptop hasn’t checked into MDM for 6 months, it is effectively lost/unmanaged regardless of GRC status. |
| Visual Privacy | Tool logs that a “Clear Screen Policy” was marked as ‘Read’. | Verify Hardware. GRC tools cannot see if a manager’s monitor faces a glass wall in a public café. |
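Several of the checks above are easier to run over the raw MDM export than to judge from a dashboard screenshot: item 3 (100% encryption coverage, where “Unknown” or blank status counts as a failure), item 7 (patch status for devices that have not touched the office LAN for more than 30 days, the “Check Offline Compliance” row) and item 9 (the 90-day “Last Seen” window, the “Verify the Ping” row). The Python script below is an added example, not part of this checklist and not any vendor’s tooling; the CSV column names and the sample rows are constructed assumptions, and the audit date is fixed so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Thresholds taken from checklist items 7 and 9.
OFF_PREMISES_DAYS = 30      # item 7: no office-LAN contact for >30 days
LAST_SEEN_MAX_DAYS = 90     # item 9: "Last Seen" must fall within 90 days

# Constructed sample MDM export. The column names are assumptions made for
# this example, not a real vendor schema.
SAMPLE_EXPORT = """\
device_id,assigned_user,encryption_status,last_check_in,last_office_lan_seen,patch_status
LT-1001,alice,Encrypted,2024-05-28T09:12:00Z,2024-05-27T17:00:00Z,Compliant
LT-1002,bob,Not Encrypted,2024-05-29T11:40:00Z,2024-03-01T08:00:00Z,Compliant
LT-1003,carol,Encrypted,2024-01-15T08:00:00Z,2024-01-14T16:30:00Z,Unknown
LT-1004,dave,Encrypted,2024-05-30T07:05:00Z,2024-04-10T09:00:00Z,Non-Compliant
LT-1005,erin,,2024-05-30T07:05:00Z,2024-05-29T09:00:00Z,Compliant
LT-1006,frank,Encrypted,not-a-date,2024-05-29T09:00:00Z,Compliant
"""

# Fixed audit date (an assumption) so the findings are reproducible.
AUDIT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 timestamp; return None when missing or malformed."""
    if not value:
        return None
    try:
        return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    except ValueError:
        return None


def age_days(ts, now):
    """Whole days between ts and now; None when the timestamp is unusable."""
    return None if ts is None else (now - ts).days


def audit_export(csv_text, now=AUDIT_DATE):
    """Run checklist items 3, 7 and 9 over an MDM export and return findings."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = {"encryption": [], "last_seen": [], "off_premises_patching": []}

    for row in rows:
        dev = row["device_id"]

        # Item 3: only an explicit "Encrypted" status passes. Blank, "Unknown"
        # and "Not Encrypted" all fail, because the requirement is 100% coverage.
        if (row.get("encryption_status") or "").strip().lower() != "encrypted":
            findings["encryption"].append(dev)

        # Item 9: a device not seen within 90 days cannot be reconciled.
        # An unparseable check-in timestamp is treated as "never seen".
        seen = age_days(parse_ts(row.get("last_check_in")), now)
        if seen is None or seen > LAST_SEEN_MAX_DAYS:
            findings["last_seen"].append(dev)

        # Item 7: devices away from the office LAN for >30 days (or never on it)
        # must still report a compliant patch status from the cloud-side tool;
        # an office LAN scan alone would never see them.
        lan = age_days(parse_ts(row.get("last_office_lan_seen")), now)
        off_premises = lan is None or lan > OFF_PREMISES_DAYS
        if off_premises and (row.get("patch_status") or "").strip().lower() != "compliant":
            findings["off_premises_patching"].append(dev)

    encrypted = len(rows) - len(findings["encryption"])
    coverage = round(100.0 * encrypted / len(rows), 1) if rows else 0.0
    return {
        "devices": len(rows),
        "encryption_coverage_pct": coverage,
        "findings": findings,
        # Each checklist item passes only when it produced no findings.
        "pass": {item: not devs for item, devs in findings.items()},
    }


if __name__ == "__main__":
    result = audit_export(SAMPLE_EXPORT)
    print(f"Devices sampled: {result['devices']}")
    print(f"Encryption coverage: {result['encryption_coverage_pct']}% (100% required)")
    for item, devs in result["findings"].items():
        status = "PASS" if result["pass"][item] else "NON-COMPLIANT"
        print(f"{item}: {status} {devs}")
```

Against the constructed export the script flags LT-1002 and LT-1005 for encryption (one unencrypted, one with no status reported), LT-1003 and LT-1006 for the 90-day window (one stale, one with a corrupt timestamp), and LT-1003 and LT-1004 for off-premises patching. Treating missing or malformed fields as failures rather than skipping them is deliberate: a device the tool cannot account for is exactly the one an auditor needs to see.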
Stop Guessing. Start Passing.
AI-generated policies are generic and fail audits. Our Lead-Auditor templates have a 100% success rate. Don’t risk your certification on a prompt.