In this guide, I will show you exactly how to implement ISO 27001 Return of Assets and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
What is Return of Assets?
Return of assets is the policy and process of returning an asset to the organisation when it is no longer required by the entity it has been allocated to.
It is also part of the asset management process.
As a result, you are going to have your asset management policy, which states what you do, and your asset management process, which sets out how you do it.
Obviously, when we give assets to people, whether they are external or internal, we’ve got to get them back. Right? We want those assets back.
If we don’t get these assets back, it’s going to represent a massive information security risk to us.
If we’ve got assets out there in the wild that haven’t been returned, and that potentially have company data, client data or customer data on them, then you can foresee the problems and issues we’re going to have.
So, we’re going to get those assets back.
Why is it important?
Return of assets is important because of the information security risk that unreturned assets pose.
We do not want
- assets out in the wild
- assets leaving the organisation when people leave the organisation
- our customers put at risk
- our employees put at risk
- their data put at risk.
We also don’t want to put our intellectual property at risk, especially if developers are leaving the organisation, or people who have been working on its implementations.
This is a really important one for making sure that you maintain your confidentiality, integrity and availability of data.
Just be sure that you have your process, that it’s fully documented and you can evidence it and you are going to be absolutely golden.
ISO 27001 Return of Assets Guidance
The following guidance will apply to the return of assets.
- Implement an Asset Inventory: Maintain a comprehensive asset register where every device is allocated to a specific individual, ensuring the organisation maintains visibility over asset location and ownership.
- Write the Return of Assets Process for Internal Resources: Integrate the asset management system with HR leaver processes to ensure that all allocated hardware and data are recovered immediately when an employee leaves the organisation.
- Write the Return of Assets Process for Third-Party Suppliers: Utilise the third-party supplier off-boarding process to recover assets allocated to external vendors or contractors upon the termination of their contracts.
- Define the Logistics of Return: Establish clear protocols for the physical return of assets, determining whether they should be handed over during exit interviews or returned via secure transport.
- Experts Tip – Remote Wiping: When managing returns from remote workers using couriers, mitigate data security risks by performing a remote wipe of the device prior to transport.
ISO 27001 requirement for Return of Assets
I appreciate that there are going to be situations where getting the asset back isn’t possible, and in those cases the other ISO 27001 controls are going to be supporting you.
- ISO 27001 Annex A Control 5.9 Inventory of information and other associated assets
- ISO 27001 Annex A Control 5.10 Acceptable use of information and other associated assets
- ISO 27001 Annex A Control 5.11 Return of assets
- ISO 27001 Annex A Control 5.12 Classification of information
You’re going to have encryption of that endpoint device (ISO 27001 Annex A Control 8.1 User Endpoint Devices), and ideally you’re going to have two-factor authentication.
In addition, you are going to have access and user management (ISO 27001 Annex A Control 5.15 Access control and ISO 27001 Annex A Control 5.16 Identity management). As part of your leaver process, which is covered under other controls, you will be restricting and removing access to data on that device.
How to implement Return of Assets
Implementing a robust Return of Assets control (Annex A 5.11) requires more than a simple request for equipment. You must integrate your asset management policy with Human Resources workflows to ensure a secure, auditable chain of custody from the moment an employee resigns or changes roles. Follow these steps to establish a compliant process.
Step 1: Formalise the Asset Inventory and Ownership
You cannot return what you do not track. The foundation of this control is a granular Asset Register that links every hardware and software asset to a specific individual (the asset owner) rather than a generic department.
- Audit your register: Ensure every laptop, mobile device, and security token is assigned to a unique User ID or employee name.
- Define the scope: Update your Acceptable Use Policy (AUP) to explicitly list “returnable assets,” including intellectual property, physical keys, and authentication hardware (e.g., RSA tokens).
- Set expectations: Require employees to sign an asset receipt log upon induction, acknowledging their obligation to return items upon contract termination.
Step 2: Integrate Trigger Points with HR Processes
Security failures often occur because IT is notified too late. You must establish a synchronous workflow between HR and IT/Security to trigger the asset recovery process immediately upon resignation or termination notice.
- Create a ‘Leaver Notification’ workflow: Automate an alert from your HR system to the IT Service Desk the moment a termination date is set.
- Schedule the drop-off: For on-site staff, schedule a physical handover meeting on their final day.
- Prepare logistics for remote staff: Immediately dispatch a pre-paid, tracked courier box to remote employees to facilitate the secure return of hardware.
Step 3: Enforce Digital Security via Remote Wipe
Physical possession is secondary to data security. Before any device enters the postal network or leaves the user’s control, you must neutralise the data risk.
- Execute MDM commands: Use your Mobile Device Management (MDM) software to remotely wipe corporate data from smartphones and laptops while they are still connected to the internet.
- Revoke logical access: Disable Active Directory (AD) accounts, VPN access, and cloud application (SaaS) sessions at the exact time of contract termination.
- Change shared secrets: If the leaver had access to shared administrative passwords (e.g., root access or safe combinations), rotate these credentials immediately.
Step 4: Execute the Physical Handover and Inspection
When the physical assets are returned, they must be inspected for damage and completeness before being accepted back into stock.
- Verify serial numbers: Cross-reference the serial numbers of returned devices against your Asset Register to prevent “hardware swapping” (where users return inferior personal equipment).
- Inspect for tampering: Check for missing screws, broken seals, or unauthorised hardware modifications.
- Quarantine the device: Place returned assets in a secure quarantine area until they can be fully reimaged and sanitised according to your Secure Disposal or Re-use Policy.
Step 5: Generate Audit Evidence (The Leaver’s Checklist)
ISO 27001 auditors require proof that the process was completed. You must generate a record that confirms the transfer of liability.
- Sign the Offboarding Form: Have the employee and the IT receiver sign a “Return of Assets” form (or digital ticket) listing all returned items.
- Update the Asset Register: Change the status of the assets from “Allocated” to “In Stock,” “Quarantine,” or “Disposed.”
- Archive the evidence: Store the signed form and the updated inventory log in your ISMS evidence folder for the next surveillance audit.
Step 6: Handle Non-Compliance and Exceptions
Define a clear escalation path for instances where assets are not returned or are returned damaged.
- Log the incident: Record unreturned items as a security incident in your ISMS.
- Legal escalation: If the employment contract permits, withhold final salary payments or stock options equivalent to the asset’s value.
- Remote bricking: Permanently lock unreturned devices to render them useless to the former employee.
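The reconciliation in Steps 4 to 6, as an added example that is not from the original guide or its toolkit: a Python function that cross-checks a leaver’s returned serial numbers against a constructed asset register, moves accepted devices to “Quarantine” pending reimaging, flags hardware swaps and tamper indicators, and logs anything still allocated as a security incident. The register, user IDs and serial numbers are made up for the example.

```python
from dataclasses import dataclass, field

# Constructed sample register (Step 1): every asset is allocated to one named
# user ID. Serial numbers and user IDs are invented for this example.
REGISTER = {
    "SN-LAP-1001": {"type": "Laptop", "owner": "u1234", "status": "Allocated"},
    "SN-PHN-2002": {"type": "Smartphone", "owner": "u1234", "status": "Allocated"},
    "SN-TOK-3003": {"type": "Security token", "owner": "u1234", "status": "Allocated"},
    "SN-LAP-1002": {"type": "Laptop", "owner": "u5678", "status": "Allocated"},
}

@dataclass
class LeaverReport:
    """Evidence record for the ISMS folder (Step 5)."""
    user_id: str
    accepted: list = field(default_factory=list)    # serials taken into quarantine
    swapped: list = field(default_factory=list)     # serials not allocated to this user
    unreturned: list = field(default_factory=list)  # serials still missing
    incidents: list = field(default_factory=list)   # Step 6 gap-handling entries

def reconcile_leaver(register, user_id, returned_serials, tamper_flags=()):
    """Check returned items against the register (Steps 4 to 6).

    A returned serial allocated to the leaver is accepted and set to 'Quarantine'
    until reimaged; a serial not allocated to them is a possible hardware swap;
    anything still 'Allocated' afterwards is logged as a security incident.
    """
    report = LeaverReport(user_id=user_id)
    allocated = {sn for sn, a in register.items()
                 if a["owner"] == user_id and a["status"] == "Allocated"}
    for sn in returned_serials:
        if sn in allocated:
            register[sn]["status"] = "Quarantine"
            register[sn]["owner"] = None
            report.accepted.append(sn)
            if sn in tamper_flags:  # Step 4 inspection found seals/screws disturbed
                report.incidents.append(f"{sn}: tamper indicators on return")
        else:
            report.swapped.append(sn)
            report.incidents.append(f"{sn}: not allocated to {user_id} (possible hardware swap)")
    for sn in sorted(allocated - set(returned_serials)):
        report.unreturned.append(sn)
        report.incidents.append(f"{sn}: {register[sn]['type']} not returned by {user_id}")
    return report
```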
For a detailed guide on how to implement Return of Assets, read the implementation guide ISO 27001 Annex A Control 5.11 Return of assets.
Applicability of ISO 27001 Return of Assets across different business models.
| Business Type | Applicability, Practical Examples & Control Implementation |
|---|---|
| Small Businesses | For smaller entities, the focus is often on high-value physical hardware (laptops, phones) and ensuring no “informal” retention of assets occurs post-employment. The process must be simple but documented to satisfy auditors. |
| Tech Startups | With high remote work adoption and expensive hardware (e.g., MacBooks), startups face the challenge of recovering assets from distributed teams. The “Return of Assets” process must integrate tightly with MDM (Mobile Device Management). |
| AI Companies | Beyond hardware, AI companies must consider “Data Assets.” Developers often have local copies of training datasets or proprietary models. Ensuring these are wiped or returned is critical to IP protection. |
ISO 27001 Return of Assets FAQ
Frequently Asked Questions About ISO 27001 Return of Assets
What is ISO 27001 Annex A 5.11 Return of Assets?
ISO 27001 Annex A 5.11 is a preventive security control that mandates the return of all organizational assets upon the termination or change of employment.
This control ensures that an organization recovers both physical and information assets to prevent unauthorized access after a relationship ends. It applies to:
- Employees: Full-time, part-time, and temporary staff.
- Contractors & Third Parties: External suppliers or consultants holding company equipment or data.
- Internal Movers: Staff changing roles who no longer require access to specific assets (e.g., a Finance laptop when moving to Marketing).
What specific assets must be returned to comply with Annex A 5.11?
Organizations must recover all items listed in their asset inventory, spanning physical hardware, digital access tokens, and intellectual property.
A compliant offboarding checklist must verify the return of:
- Endpoint Devices: Laptops, smartphones, tablets, and portable hard drives.
- Access Hardware: Physical keys, security badges, swipe cards, and RSA/YubiKey tokens.
- Information Assets: Hard copy documents, blueprints, and locally stored digital files.
- Intangible Assets: Administrative passwords, software licenses, and cloud credentials known by the user.
How should organizations handle asset returns for remote employees?
Remote returns require a documented logistics process that prioritizes data security over the speed of physical hardware recovery.
To mitigate risk when staff cannot return items in person:
- Remote Wipe: Instigate a remote wipe of the device before it is handed to a courier to prevent data theft during transit.
- Pre-paid Logistics: Send a specialized box with pre-paid return labels and protective packaging to the employee’s address.
- Tracking & Insurance: Use courier services that offer end-to-end tracking and insurance for high-value items.
- Legal Agreements: Ensure employment contracts explicitly state that final salary payments can be withheld pending asset return (subject to local laws).
What evidence do ISO 27001 auditors require for Return of Assets?
Auditors look for tangible evidence that the offboarding process was executed and the asset register was updated to reflect the return.
To pass an audit for Control 5.11, you must demonstrate:
- Asset Register Updates: Evidence that the specific asset status changed from “Allocated” to “In Stock,” “Quarantine,” or “Disposed.”
- Sign-off Records: A digital or physical signature (Leaver’s Checklist) confirming the employee handed over the items.
- Gap Handling: If an asset wasn’t returned, evidence of the actions taken (e.g., legal letters, police reports, or remote bricking of the device).
Does “Return of Assets” apply to internal role changes (Movers)?
Yes, ISO 27001 explicitly requires asset returns during a “change of employment” within the same organization.
This aspect is often overlooked but is vital for maintaining the Principle of Least Privilege:
- Hardware Swaps: A user moving from Engineering to Sales may need to return a high-performance workstation.
- Physical Access: Keys to server rooms or sensitive filing cabinets must be returned if the new role does not require them.
- Data Segregation: Prevents employees from carrying sensitive departmental data (e.g., HR salary spreadsheets) into a new department.
What happens if an employee refuses to return assets?
Refusal to return assets is a security incident and should be treated with formal legal and technical responses.
If the standard process fails:
- Log the Incident: Record the non-return as a security incident in your ISMS log.
- Technical Lockout: Immediately disable all accounts and remotely wipe/brick the device.
- Legal Action: Issue a formal demand letter and, if contractually permitted, withhold the value of the asset from final settlements.
