ISO 27001 Return of Assets – ISO 27001 Training Video

Home / ISO 27001 Tutorials / ISO 27001 Return of Assets – ISO 27001 Training Video

ISO 27001 Annex A 5.11 Return of Assets – Training Video

In this free ISO 27001 training video we look specifically at ISO 27001 Annex A 5.11 Return of Assets.

Watch the free ISO 27001 training video:

ISO 27001 Return of Assets – Training Video Transcript

How to implement ISO 27001 Annex A 5.11- Return of Assets.

Okay, what we’re looking at here when we do our implementation is part of a wider asset management process.

You are going to have your asset management policy, the statements of what you do and you’re going to have your asset management process that sets out how you do it.

Obviously when we give assets to people, be they external people, be they internal people, whoever it is that we are going to give these assets to – we’ve got to get them back! Right?

So, we want them back.

If we don’t get these assets back it’s going to represent a massive information security risk to us.

If we’ve got assets that are out there in the wild that haven’t been returned that potentially have company data, client data, customer data on, then you can see and you can foresee the problems and issues that we’re going to have.

So, we’re going to get those assets back.


Stop Spanking £10,000’s on Consultants and Platforms

ISO 27001 Toolkit Business Edition

The best way of do doing that is by making sure that we have an asset inventory.

Asset Management

As part of our asset management process we’re going to have an asset inventory and you saw in the other clauses and in the other controls how we go about that.

This is specific to the return of those assets but if we have an asset inventory and on that asset inventory we have allocated assets to individuals then we know who those individuals are and we know what they’ve got. Right?

So what we’re looking at here is a combination of things.

We’re looking at having that asset management process.

We’re looking at having that asset register.

We’re looking at making sure that assets are allocated to individuals so that we know where those assets are and then what we’re looking at is the end of the engagement with individuals.

Return of Assets and HR

Usually, especially for internal employees, this is going to require an integration with HR and our HR processes.

What we’re looking at here is when people leave the organisation that we are making sure that we get those assets back.

So, integrating our asset register, our asset management process with our HR leaver process is going to allow us, and make sure that, we can get those assets back.

Return of Assets and Third Party Suppliers

It can be a little bit more complicated when we allocate assets to third parties and what we’re going to use there is our third party supplier management process and as part of our third party supplier onboarding and offboarding.

Specifically here offboarding.

Again we’re going to make sure that the assets have been allocated to an individual and when that third party is off boarded that we get that asset back.

There are going to be considerations that you have in here, okay.

So, what we’re looking at is return of assets.

Things that I’ve seen on clients is physically in our process how do we get that asset back?

Return of Assets Process

What is our process for the return of that asset?

Are we having an exit interview?

Are we having a one to one meeting where that asset is returned to us?

Or, are we in a situation where people are remote and they’re going to be returning those assets to us from remote locations?

One of the top tips that I can give you here is – if we have a situation where assets are remote and they’re going to be sent back to us then yes we’ve got other controls about how we handle information and how we you know, how, how we handle it based on classification and specifically here we’re going to be looking at couriering and using trusted third party courier services to get that asset back to us but my top tip here is, we’re technically feasible, to instigate a process of remote wipe.

What we’re trying to do is we’re trying to mitigate our risk here so if feasible, practical and applicable what we want to instigate is a remote wipe of the device before the device is returned to us. Before it reaches the courier.

There are many issues that people have had with couriers.

Yes, they are supposed to be guaranteed.

Yes, they’re supposed to come with all of these insurances but for belts and braces my top tip is within your return process where possible get that device remotely wiped before it enters any kind of courier network or any network that comes back to you.

Now, I appreciate that there are going to be situations where that isn’t possible and what you’re going to have is the other ISO 27001 controls that are going to be supporting you there right?

You’re going to have encryption of that endpoint device (ISO 27001 Annex A Control 8.1 User Endpoint Devices), ideally you’re going to have two factor authentication.

What you’re going to have is you’re going to have access and user management ( ISO 27001 Annex A Control 5.15 Access control and ISO 27001 Annex A Control 5.16 Identity management ) what you’re going to be doing is as part of your leaver process, which we come into other controls, is restricting and removing access to data on that device.

So you are going to have some elements that you can have within there but remote wiping the device before it enters a courier network or a one to one meeting where that device is physically handed or that asset is physically handed back to you is going to be the way to go.

Stuart - High Table - ISO27001 Ninja - 3

ISO 27001 Templates

When it comes to how you document that clearly there are ISO 27001 templates.

There is an ISO 27001 Toolkit that includes everything for ISO 27001 certification.

It comes as no surprise, I have ISO 27001 templates that can help you with Return of Assets specifically.

The asset management policy, the asset management register, the physical asset register, all of the things that you need to support this process I have and also if you go on to my YouTube channel I do give you in how to write and how to create tutorials so that you can do that yourself.

No problem with that at all.

ISO 27001 Asset Management Policy Template
ISO 27001 Physical Asset Register Template

Certifying for Return of Assets

So, you’ve implemented your asset management policy, you’ve defined and implemented your asset management process, you’ve got your end to end life cycle, you’ve got your return of assets in there.

How are you going to certify against this?

When the auditor comes out they’re going to check that documentation, right?

ISO 27001 as we go through many times is documentation heavy.

So, you’re going to make sure that you’ve got your documentation in place and that you can evidence that those processes have been operating effectively.

What is an auditor going to check?

The auditor is going to check return of assets over the last period of time.

They, they’re going to take a sampling approach.

So that what they’re going to say is – have you had a situation say within the last 3 months, 6 months or 12 months where assets have been returned to you?

Then they’re going to say – walk me through the process.

Walk me through what you did and show me evidence that you followed the process that you have documented.

The auditor is going to check that you have an up-to-date asset register.

They’re going to make sure that that asset register is fully up to date and populated with assets that they would expect to see in it and they’re going to look to make sure that those assets have been allocated to individuals.

What they’re also going to be looking at is, if you use third parties, that you have contracts in place that cover those assets.

So, if you have a third party supplier and you are allocating an asset to them, yes they’re in the asset register, yes you followed the process but they’re also going to be checking the contract is in place between you that cover basics around information security and what happens to that asset and how you handle it.

So, there are three things you know usually that they’re going to cover and that they’re going to look through.

So, it’s going to be a walkthrough of process, do a review of documentation and evidence that you have followed it.

Mistakes people make

One of the top three mistakes that we see here – the asset register is not up to date.

We see this a lot.

Asset registers are difficult to maintain and their bureaucracy and an overhead and we often see the case that either the asset register hasn’t been updated, assets are allocated to people that have ideally, potentially not ideally! Potentially, left the organisation.

So, that’s going to be easy right?

They’re going to be auditing through, looking at the HR, looking at the leaver process.

If they then start to see people that are in the asset register that you’ve just told them have left the organisation that’s going to be an own goal.

So, make sure that that asset register is up to date before the certification and ideally ongoing as part of a managed process.

They’re going to be looking at whether or not if you got to the return of assets and it was a destruction step I.E the asset was returned to you and the process then was to destroy it, then they’re going to be looking at things like destruction certificates and the other controls around how you securely destroy information but we often see that that isn’t the case what we see is that assets are returned to manager’s home addresses, they’re returned to offices and left in open cupboards, you know, the usual.

I’ve even seen them in kitchens, I’ve seen assets yeah just lying around the place.

You want to make sure that those assets if they are going to be destroyed are destroyed.

If not that they’re secured, that they’re contained and kept in a secure location in line with your policy and process.

The third mistake we go through all of the time is that your documentation, version control isn’t up to date and it doesn’t match, there’s no classification, document owners aren’t on there so yeah I bang on about that all the time.

So, why is it important?

We’ve covered that at the beginning, the reason for it being important is we do not want assets out in the wild, we do not want assets leaving the organisation when people leave the organisation, we don’t want to be putting at risk our customers, our our employees, we don’t want to put their data at risk. We don’t want to put at risk our intellectual property and our IP especially if you’ve got developers that are leaving the
organisation or people that have been working on its implementations.

So, this is a really important one for making sure that you maintain your confidentiality, integrity and availability of data.

It isn’t particularly hard.

There isn’t really a lot to go through.

It is part of standard Asset Management.

Just be sure that you have your process, that it’s fully documented and you can evidence it and you are going to be absolutely golden.

So that was ISO 27001 Annex A Control 5.11 Return of assets.

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing