ISO 27001 Annex A 7.9 Audit Checklist

Auditing ISO 27001 Annex A 7.9 Security of Assets Off-Premises is the technical verification of the security controls applied to devices used outside the organisation’s perimeter. The primary implementation requirement is full-disk encryption combined with remote wipe capability; the business benefit is protection of data against loss or theft of the device.

ISO 27001 Annex A 7.9 Security of Assets Off-Premises Audit Checklist

This technical verification tool is designed for lead auditors to confirm that organisational assets remain protected when used outside the primary security perimeter. Use this checklist to validate compliance with ISO 27001 Annex A 7.9.

1. Off-Premises Asset Usage Policy Verified

Verification Criteria: A documented policy exists that explicitly defines the authorisation requirements and security standards for assets taken off-premises.

Required Evidence: Approved “Off-Premises Asset Policy” or “Mobile Working Policy” with evidence of senior management sign-off.

Pass/Fail Test: If the organisation cannot produce a formal policy governing the removal and usage of assets outside the office, mark as Non-Compliant.

2. Asset Authorisation and Removal Logs Confirmed

Verification Criteria: Every instance of an asset leaving the premises is authorised by management and recorded in a log or tracking system.

Required Evidence: Asset movement logs or digital “Removal of Assets” request approvals in the ITSM or HR system.

Pass/Fail Test: If a physical inspection reveals assets missing from the office that have no corresponding authorisation record or removal log, mark as Non-Compliant.

3. Full Disk Encryption (FDE) Enforcement Validated

Verification Criteria: All portable assets (laptops, tablets, external drives) are protected by technical full-disk encryption to prevent data exposure upon loss or theft.

Required Evidence: MDM (Mobile Device Management) or Endpoint Protection reports showing “Encrypted” status for all off-premises endpoints.

Pass/Fail Test: If a sampled laptop assigned for remote use is found to have BitLocker, FileVault, or equivalent encryption disabled, mark as Non-Compliant.

4. Physical Protection in Transit Verified

Verification Criteria: Personnel are formally required to maintain physical custody of assets during transit and avoid leaving them unattended in public places or vehicles.

Required Evidence: Signed “Asset Acceptance Form” containing specific transit security mandates or training logs covering physical asset protection.

Pass/Fail Test: If the organisation lacks a signed commitment from personnel regarding the physical safeguarding of assets in public spaces, mark as Non-Compliant.

5. Remote Wipe and Tracking Capabilities Confirmed

Verification Criteria: Technical controls are in place to remotely lock or wipe off-premises assets in the event they are reported as lost or stolen.

Required Evidence: MDM dashboard screenshots showing “Remote Wipe” functionality and logs of any historical wipe commands executed.

Pass/Fail Test: If the organisation cannot technically execute a remote wipe on a lost mobile asset within its current infrastructure, mark as Non-Compliant.

6. Secure Connection (VPN) Mandate Validated

Verification Criteria: Technical configurations ensure that off-premises assets must use a secure encrypted tunnel (VPN/SD-WAN) to access internal organisational resources.

Required Evidence: VPN configuration profiles on a sampled device or firewall logs showing remote connections limited to authorised secure tunnels.

Pass/Fail Test: If a remote asset can access internal file shares or sensitive applications over a public internet connection without a VPN, mark as Non-Compliant.

7. Off-Premises Asset Maintenance and Patching Verified

Verification Criteria: Assets used off-premises receive regular security patches and antivirus updates despite not being connected to the local office network.

Required Evidence: Patch management reports (e.g. Intune or Jamf) showing “Up-to-Date” status for assets that have not connected to the office in >30 days.

Pass/Fail Test: If off-premises assets show a significant lag in critical security patches compared to on-premises assets, mark as Non-Compliant.

8. Inventory Reconciliation for Off-Premises Assets Confirmed

Verification Criteria: The organisation performs periodic physical or digital audits to confirm the location and status of all assets assigned for off-premises use.

Required Evidence: Annual asset reconciliation report or timestamped MDM “Last Seen” reports for the entire inventory.

Pass/Fail Test: If the organisation cannot verify the “Last Seen” status of a sampled off-premises asset within the previous 90 days, mark as Non-Compliant.
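Items 3, 7 and 8 above all reduce to checks an auditor can run over an MDM inventory export. The script below is an added example, not part of the original checklist; it assumes a constructed CSV export with the column names shown (real MDM exports use their own column names) and applies the checklist thresholds: disk not reported as encrypted, patch status not current on an asset away from the office for more than 30 days, and no MDM check-in within 90 days.

```python
"""Triage an MDM inventory export against the Annex A 7.9 checklist thresholds.

Assumed export columns (constructed for this example; real MDM column names differ):
asset_id, user, encrypted, last_seen, last_office_checkin, patch_status
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export; dates are ISO 8601. The audit date is fixed so the
# result is reproducible rather than drifting with the wall clock.
AUDIT_DATE = date(2024, 6, 30)
SAMPLE_EXPORT = """\
asset_id,user,encrypted,last_seen,last_office_checkin,patch_status
LT-0001,a.smith,Encrypted,2024-06-28,2024-06-01,Up-to-Date
LT-0002,b.jones,Not Encrypted,2024-06-29,2024-06-25,Up-to-Date
LT-0003,c.brown,Encrypted,2024-06-27,2024-04-10,Pending
LT-0004,d.green,Encrypted,2024-01-15,2023-12-20,Up-to-Date
"""


def _days_since(iso_day: str) -> int:
    """Whole days between the given date and the fixed audit date."""
    return (AUDIT_DATE - datetime.strptime(iso_day, "%Y-%m-%d").date()).days


def triage(export_csv: str) -> dict[str, list[str]]:
    """Return {asset_id: [finding, ...]} for every asset failing a checklist item."""
    findings: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        issues = []
        # Item 3: every portable asset must report an encrypted disk.
        if row["encrypted"].strip().lower() != "encrypted":
            issues.append("Item 3: full-disk encryption not enforced")
        # Item 7: assets away from the office for more than 30 days must still be patched.
        if _days_since(row["last_office_checkin"]) > 30 and row["patch_status"] != "Up-to-Date":
            issues.append("Item 7: patch lag on asset off-premises >30 days")
        # Item 8: an asset with no MDM check-in within 90 days cannot be verified.
        if _days_since(row["last_seen"]) > 90:
            issues.append("Item 8: no MDM 'Last Seen' within 90 days")
        if issues:
            findings[row["asset_id"]] = issues
    return findings


if __name__ == "__main__":
    for asset, issues in triage(SAMPLE_EXPORT).items():
        print(asset, "->", "; ".join(issues))
```

Each flagged asset maps to the checklist item it fails, so the output can be attached directly to the Non-Compliant finding for that item.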

9. Removal of Sensitive Information from Public Display Verified

Verification Criteria: Procedures or technical tools (e.g. privacy filters) are used to prevent unauthorised viewing of sensitive data in public spaces.

Required Evidence: Physical sighting of privacy filters on sampled remote laptops or documented guidance on “shoulder surfing” in the remote work policy.

Pass/Fail Test: If staff are found working on high-sensitivity data in public areas without privacy filters or documented caution, mark as Non-Compliant.

10. Secure Disposal of Off-Premises Asset Data Confirmed

Verification Criteria: When an off-premises asset is returned or decommissioned, a formalised process ensures the secure erasure of all stored data.

Required Evidence: Certificates of data destruction or technician logs verifying the factory reset/wipe of returned hardware.

Pass/Fail Test: If a returned laptop is re-imaged or re-issued without a verified data sanitisation step being recorded, mark as Non-Compliant.

ISO 27001 Annex A 7.9 SaaS / GRC Platform Failure Checklist

Asset Authorisation
The ‘Checkbox Compliance’ Trap: Tool checks if an employee has a “Laptop” assigned in HR software.
The Reality Check: Verify the Exit Log. The auditor must see the management approval for the physical removal of the asset from the building.

Encryption
The ‘Checkbox Compliance’ Trap: GRC tool identifies “Encryption Policy” as ‘Uploaded’.
The Reality Check: Demand the MDM Report. A policy does not encrypt a disk; the auditor must see the technical proof of 100% disk coverage.

Physical Custody
The ‘Checkbox Compliance’ Trap: Tool marks “Compliant” because a training video was watched.
The Reality Check: Verify Liability. Does the signed agreement explicitly hold the user responsible for leaving assets in cars or public cafes?

Remote Wipe
The ‘Checkbox Compliance’ Trap: Platform shows a “Feature List” of the MDM provider.
The Reality Check: Test the Execution. The auditor should see a log entry of a successful wipe for a lost device from the last 12 months.

Patch Management
The ‘Checkbox Compliance’ Trap: SaaS tool verifies the “Patch Policy” frequency.
The Reality Check: Check Offline Compliance. Assets used off-premises often miss patches if the GRC tool only monitors the office LAN.

Inventory Integrity
The ‘Checkbox Compliance’ Trap: Tool identifies assets as “In Use” based on the purchase date.
The Reality Check: Verify the Ping. If a laptop hasn’t checked into the MDM for 6 months, it is effectively lost/unmanaged, regardless of GRC status.

Data Sanitisation
The ‘Checkbox Compliance’ Trap: Platform identifies a “Wiping Task” was completed.
The Reality Check: Demand the Certificate. Lazy auditors accept “Re-imaged” as wiped; real auditors require a cryptographic erase verification.

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
