4. Physical Protection in Transit Verified

Verification Criteria: Personnel are formally required to maintain physical custody of assets during transit and avoid leaving them unattended in public places or vehicles. Required Evidence: Signed "Asset Acceptance Form" containing specific transit security mandates or training logs covering physical asset protection. Pass/Fail Test: If the organisation lacks a signed commitment from personnel regarding the physical safeguarding of assets in public spaces, mark as Non-Compliant.

5. Remote Wipe and Tracking Capabilities Confirmed

Verification Criteria: Technical controls are in place to remotely lock or wipe off-premises assets in the event they are reported as lost or stolen. Required Evidence: MDM dashboard screenshots showing "Remote Wipe" functionality and logs of any historical wipe commands executed. Pass/Fail Test: If the organisation cannot technically execute a remote wipe on a lost mobile asset within its current infrastructure, mark as Non-Compliant.

6. Secure Connection (VPN) Mandate Validated

Verification Criteria: Technical configurations ensure that off-premises assets must use a secure encrypted tunnel (VPN/SD-WAN) to access internal organisational resources. Required Evidence: VPN configuration profiles on a sampled device or firewall logs showing remote connections limited to authorised secure tunnels. Pass/Fail Test: If a remote asset can access internal file shares or sensitive applications over a public internet connection without a VPN, mark as Non-Compliant.

7. Off-Premises Asset Maintenance and Patching Verified

Verification Criteria: Assets used off-premises receive regular security patches and antivirus updates despite not being connected to the local office network. Required Evidence: Patch management reports (e.g. Intune or Jamf) showing "Up-to-Date" status for assets that have not connected to the office in >30 days. Pass/Fail Test: If off-premises assets show a significant lag in critical security patches compared to on-premises assets, mark as Non-Compliant.

8. Inventory Reconciliation for Off-Premises Assets Confirmed

Verification Criteria: The organisation performs periodic physical or digital audits to confirm the location and status of all assets assigned for off-premises use. Required Evidence: Annual asset reconciliation report or timestamped MDM "Last Seen" reports for the entire inventory. Pass/Fail Test: If the organisation cannot verify the "Last Seen" status of a sampled off-premises asset within the previous 90 days, mark as Non-Compliant.

9. Removal of Sensitive Information from Public Display Verified

Verification Criteria: Procedures or technical tools (e.g. privacy filters) are used to prevent unauthorised viewing of sensitive data in public spaces. Required Evidence: Physical sighting of privacy filters on sampled remote laptops or documented guidance on "shoulder surfing" in the remote work policy. Pass/Fail Test: If staff are found working on high-sensitivity data in public areas without privacy filters or documented caution, mark as Non-Compliant.

10. Secure Disposal of Off-Premises Asset Data Confirmed

Verification Criteria: When an off-premises asset is returned or decommissioned, a formalised process ensures the secure erasure of all stored data. Required Evidence: Certificates of data destruction or technician logs verifying the factory reset/wipe of returned hardware. Pass/Fail Test: If a returned laptop is re-imaged or re-issued without a verified data sanitisation step being recorded, mark as Non-Compliant.

ISO 27001 Annex A 7.9 Audit Checklist [+ Templates]

Q: 1. Off-Premises Asset Usage Policy Verified

Verification Criteria: A documented policy exists that explicitly defines the authorisation requirements and security standards for assets taken off-premises. Required Evidence: Approved "Off-Premises Asset Policy" or "Mobile Working Policy" with evidence of senior management sign-off. Pass/Fail Test: If the organisation cannot produce a formal policy governing the removal and usage of assets outside the office, mark as Non-Compliant.

Q: 2. Asset Authorisation and Removal Logs Confirmed

Verification Criteria: Every instance of an asset leaving the premises is authorised by management and recorded in a log or tracking system. Required Evidence: Asset movement logs or digital "Removal of Assets" request approvals in the ITSM or HR system. Pass/Fail Test: If a physical inspection reveals assets missing from the office that have no corresponding authorisation record or removal log, mark as Non-Compliant.

Q: 3. Full Disk Encryption (FDE) Enforcement Validated

Verification Criteria: All portable assets (laptops, tablets, external drives) are protected by technical full-disk encryption to prevent data exposure upon loss or theft. Required Evidence: MDM (Mobile Device Management) or Endpoint Protection reports showing "Encrypted" status for all off-premises endpoints. Pass/Fail Test: If a sampled laptop assigned for remote use is found to have BitLocker, FileVault, or equivalent encryption disabled, mark as Non-Compliant.

In this ultimate how to audit guide to ISO 27001 Annex A 7.9 Security of Assets Off-Premises, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 7.9 Security of Assets Off-Premises Audit Checklist

ISO 27001 Annex A 7.9 Security of Assets Off-Premises Audit Checklist

Auditing ISO 27001 Annex A 7.9 Security of Assets Off-Premises is the technical verification of security controls for devices used outside the organisation’s perimeter. The Primary Implementation Requirement is full-disk encryption and remote wipe capability, providing the Business Benefit of protecting data against loss or theft.

This technical verification tool is designed for lead auditors to establish the continuous protection of organisational assets when used outside the primary security perimeter. Use this checklist to validate compliance with ISO 27001 Annex A 7.9.

1. Off-Premises Asset Usage Policy Verified

Verification Criteria: A documented policy exists that explicitly defines the authorisation requirements and security standards for assets taken off-premises.

Required Evidence: Approved “Off-Premises Asset Policy” or “Mobile Working Policy” with evidence of senior management sign-off.

Pass/Fail Test: If the organisation cannot produce a formal policy governing the removal and usage of assets outside the office, mark as Non-Compliant.

2. Asset Authorisation and Removal Logs Confirmed

Verification Criteria: Every instance of an asset leaving the premises is authorised by management and recorded in a log or tracking system.

Required Evidence: Asset movement logs or digital “Removal of Assets” request approvals in the ITSM or HR system.

Pass/Fail Test: If a physical inspection reveals assets missing from the office that have no corresponding authorisation record or removal log, mark as Non-Compliant.

3. Full Disk Encryption (FDE) Enforcement Validated

Verification Criteria: All portable assets (laptops, tablets, external drives) are protected by technical full-disk encryption to prevent data exposure upon loss or theft.

Required Evidence: MDM (Mobile Device Management) or Endpoint Protection reports showing “Encrypted” status for all off-premises endpoints.

Pass/Fail Test: If a sampled laptop assigned for remote use is found to have BitLocker, FileVault, or equivalent encryption disabled, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

Table of contents

ISO 27001 Annex A 7.9 Security of Assets Off-Premises Audit Checklist

1. Off-Premises Asset Usage Policy Verified

2. Asset Authorisation and Removal Logs Confirmed

3. Full Disk Encryption (FDE) Enforcement Validated