4. Physical Protection Training and Awareness Verified

Verification Criteria: Personnel are formally required to maintain physical custody of assets in transit and avoid leaving them unattended in public places or unmonitored vehicles. Required Evidence: Signed "Asset Acceptance Forms" containing transit security clauses and training logs covering physical theft prevention. Pass/Fail Test: If the organisation cannot prove that users were briefed on the specific risks of leaving hardware in vehicles or public spaces, mark as Non-compliant.

5. Remote Wipe and Tracking Capabilities Confirmed

Verification Criteria: The organisation possesses the technical capability to remotely lock, locate, or wipe off-premises assets that are reported as lost or stolen. Required Evidence: MDM dashboard screenshots demonstrating remote command functionality and logs of any historical wipe executions. Pass/Fail Test: If the organisation cannot technically execute a remote wipe command on a sampled mobile asset, mark as Non-compliant.

6. Secure Connection (VPN) Mandate Validated

Verification Criteria: Technical configurations ensure that off-premises assets must utilise a secure encrypted tunnel to access internal organisational resources. Required Evidence: VPN configuration profiles on endpoints or firewall logs showing remote access limited to authorised encrypted tunnels. Pass/Fail Test: If a remote asset can access internal file shares or sensitive SaaS applications over public internet without an active VPN or ZTNA tunnel, mark as Non-compliant.

7. Off-premises Asset Maintenance and Patching Verified

Verification Criteria: Assets used primarily off-premises receive regular security patches and antivirus updates despite their physical location. Required Evidence: Patch management dashboard showing "Compliant" status for devices that have not connected to the local office network for >30 days. Pass/Fail Test: If off-premises assets show a significant lag in critical security updates compared to on-premises assets, mark as Non-compliant.

8. Public Display Privacy Controls Confirmed

Verification Criteria: Procedures or technical tools are utilised to prevent the unauthorised viewing of sensitive data on screens in public spaces ("shoulder surfing"). Required Evidence: Physical sighting of privacy filters on sampled remote hardware or documented guidance on visual privacy in the remote work policy. Pass/Fail Test: If staff handling high-sensitivity data are found working in public areas without privacy filters or explicit visual security guidance, mark as Non-compliant.

9. Off-premises Asset Inventory Reconciliation Verified

Verification Criteria: The organisation performs periodic audits to confirm the location, status, and integrity of all assets assigned for off-premises use. Required Evidence: Annual asset reconciliation report or timestamped "Last Seen" reports for the entire mobile asset inventory. Pass/Fail Test: If the organisation cannot verify the "Last Seen" status or physical existence of a sampled off-premises asset within the previous 90 days, mark as Non-compliant.

10. Return of Assets Procedure Integrity Validated

Verification Criteria: A formalised process ensures that all off-premises assets are returned, inspected, and securely wiped upon termination of employment or role change. Required Evidence: Signed Off-boarding Checklists and technical logs confirming data sanitisation before asset reissue. Pass/Fail Test: If an asset returned from off-premises use is reissued to a different user without a recorded data wipe/sanitisation step, mark as Non-compliant.

ISO 27001 Annex A 7.13 Audit Checklist [+ Templates]

Q: 1. Off-premises Asset Authorisation Records Verified

Verification Criteria: Every instance of an information processing asset being removed from the organisation's premises is supported by a documented authorisation from an appropriate level of management. Required Evidence: Approved Asset Removal Requests or digital authorisation logs within the ITSM or HR system. Pass/Fail Test: If a physical asset is missing from the office but has no corresponding recorded management approval for its removal, mark as Non-compliant.

Q: 2. Off-premises Asset Security Policy Formalised

Verification Criteria: A documented policy exists that explicitly defines the security standards, handling requirements, and personal responsibilities for assets used in remote or public environments. Required Evidence: Approved "Mobile Working Policy" or "Off-premises Asset Policy" with evidence of recent management review. Pass/Fail Test: If the organisation lacks a formalised set of rules for protecting assets outside the office (e.g., in transit or home offices), mark as Non-compliant.

Q: 3. Full Disk Encryption (FDE) Enforcement Validated

Verification Criteria: Technical controls are active on all portable devices to ensure that data remains inaccessible in the event of theft or loss during off-premises use. Required Evidence: MDM (Mobile Device Management) or Endpoint Management reports showing "Encrypted" status for 100% of sampled remote endpoints. Pass/Fail Test: If a sampled off-premises laptop is found to have BitLocker, FileVault, or equivalent encryption disabled or not managed centrally, mark as Non-compliant.

In this ultimate how to audit guide to ISO 27001 Annex A 7.13 Security of Assets Off-premises, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 7.13 Security of Assets Off-premises Audit Checklist

ISO 27001 Annex A 7.13 Security of Assets Off-premises Audit Checklist

Auditing ISO 27001 Annex A 7.13 Security of Assets Off-premises is the critical evaluation of technical controls protecting devices outside secure perimeters. The Primary Implementation Requirement involves enforcing full-disk encryption and remote wiping, providing the Business Benefit of mitigating data leakage risks from stolen or lost physical assets.

This technical verification tool is designed for lead auditors to establish the continuous protection of organisational assets when used outside the primary security perimeter. Use this checklist to validate compliance with ISO 27001 Annex A 7.13.

1. Off-premises Asset Authorisation Records Verified

Verification Criteria: Every instance of an information processing asset being removed from the organisation’s premises is supported by a documented authorisation from an appropriate level of management.

Required Evidence: Approved Asset Removal Requests or digital authorisation logs within the ITSM or HR system.

Pass/Fail Test: If a physical asset is missing from the office but has no corresponding recorded management approval for its removal, mark as Non-compliant.

2. Off-premises Asset Security Policy Formalised

Verification Criteria: A documented policy exists that explicitly defines the security standards, handling requirements, and personal responsibilities for assets used in remote or public environments.

Required Evidence: Approved “Mobile Working Policy” or “Off-premises Asset Policy” with evidence of recent management review.

Pass/Fail Test: If the organisation lacks a formalised set of rules for protecting assets outside the office (e.g., in transit or home offices), mark as Non-compliant.

3. Full Disk Encryption (FDE) Enforcement Validated

Verification Criteria: Technical controls are active on all portable devices to ensure that data remains inaccessible in the event of theft or loss during off-premises use.

Required Evidence: MDM (Mobile Device Management) or Endpoint Management reports showing “Encrypted” status for 100% of sampled remote endpoints.

Pass/Fail Test: If a sampled off-premises laptop is found to have BitLocker, FileVault, or equivalent encryption disabled or not managed centrally, mark as Non-compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

How to Audit ISO 27001 Annex A 7.13: Security of Assets Off-premises

Table of contents

ISO 27001 Annex A 7.13 Security of Assets Off-premises Audit Checklist

1. Off-premises Asset Authorisation Records Verified

2. Off-premises Asset Security Policy Formalised

3. Full Disk Encryption (FDE) Enforcement Validated