ISO 27001 Return of Assets – Tutorial


Introduction

In this tutorial we will cover ISO 27001 Return of Assets, which in ISO 27001:2022 is Annex A control 5.11.

You will learn what ISO 27001 return of assets is and how to implement it.

ISO 27001 Return of Assets

What we’re looking at here, when we do our implementation, is part of a wider asset management process.

You are going to have your asset management policy, the statements of what you do, and you’re going to have your asset management process that sets out how you do it.

Obviously when we give assets to people, whether they are external people or internal people, we’ve got to get them back. Right? We want those assets back.

If we don’t get these assets back it represents a significant information security risk to us.

If we’ve got assets out there in the wild that haven’t been returned, and that potentially hold company data, client data or customer data, then you can foresee the problems and issues we’re going to have: a device we no longer control, holding data we are still accountable for.

So, we’re going to get those assets back.

Why is it important?

The reason return of assets is important is the information security risk that unreturned assets pose.

We do not want

  • assets out in the wild
  • assets leaving the organisation when people leave the organisation
  • to be putting our customers at risk
  • to be putting our employees at risk
  • to be putting their data at risk.

We also don’t want to put our intellectual property at risk, especially if you’ve got developers leaving the organisation, or people who have been working on your implementations and still hold the devices they worked on.

This is a really important one for making sure that you maintain your confidentiality, integrity and availability of data.

Just be sure that you have your process, that it’s fully documented and you can evidence it and you are going to be absolutely golden.

Implementation Guide

Asset Inventory

As part of our asset management process we’re going to have an asset inventory. There are videos on my YouTube channel and specific blogs that cover the creation of the asset inventory.

This tutorial is specific to the return of those assets, but the inventory is the foundation: if we have an asset inventory, and on that inventory we have allocated assets to individuals, then we know who those individuals are and we know what they’ve got.

So what we’re looking at here is a combination of things.

We’re looking at having an asset management process that maintains the asset register, with the assets in that register allocated to named individuals, so that we know where those assets are.

The next step in the process is the end of the engagement with individuals and what happens next.

Return of Assets: Internal Resources

Usually this is going to require an integration with HR and our HR processes.

The focus for us here is that when people leave the organisation that we are making sure that we get those assets back.

So, integrating our asset register and our asset management process with our HR leaver process is what allows us to make sure we get those assets back: the leaver process triggers a check of the register, and the leaver is not signed off until everything allocated to them is returned.

Return of Assets and Third Party Suppliers

It can be a little bit more complicated when we allocate assets to third parties. What we’re going to use there is our third party supplier management process, and specifically the third party supplier onboarding and off-boarding steps.

Specifically here, off-boarding.

Again we’re going to make sure that the assets have been allocated to a named individual at the supplier, and when that third party is off-boarded that we get that asset back.

There are going to be practical considerations in this part of the process. We will cover those.

The thing I’ve seen most often with clients is the physical question: in our process, how do we physically get that asset back?

Return of Assets Process

What is our process for the return of that asset?

Are we having an exit interview?

Are we having a one to one meeting where that asset is returned to us?

Or, are we in a situation where people are remote and they’re going to be returning those assets to us from remote locations?

One of the top tips that I can give you here concerns remote assets that are going to be sent back to us. Yes, we’ve got other controls about how we handle information based on its classification, but specifically here we’re going to be looking at couriering, and at using trusted third party courier services to get that asset back to us. My top tip is, where technically feasible, to build a remote wipe into the process before the device is handed over for transport.

What we’re trying to do is we’re trying to mitigate our risk. If feasible, practical and applicable what we want to instigate is a remote wipe of the device before the device is returned to us. Before it reaches the courier.

There are many issues that people have had with couriers.

Yes, they are supposed to be guaranteed.

Yes, they’re supposed to come with all of these insurances, but insurance recovers the cost of the hardware, not the data. For belt and braces my top tip is, within your return process, where possible, get that device remotely wiped before it enters any courier network or any other channel that brings it back to you.
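As an added example that is not from the original tutorial, the following Python script shows the reconciliation the preceding sections describe: it cross-references an asset register (assets allocated to named individuals) against a combined leaver feed from the HR leaver process and the third party supplier off-boarding process, and reports every asset a leaver still holds. For remote, data-bearing devices it also flags where no remote wipe has been issued before transport and where the endpoint is not encrypted. The CSV data, column names (asset_id, assigned_to, returned, remote_wiped and so on) and the DATA_BEARING set are all constructed assumptions for the example; in practice the register and leaver list would be exported from your own asset register and HR or supplier systems.

```python
"""
Return-of-assets reconciliation: flag unreturned assets held by leavers.
All data and column names below are constructed for this example.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed asset register export (hypothetical columns). One row per asset,
# allocated to a named individual by the asset management process.
ASSET_REGISTER_CSV = """asset_id,asset_type,assigned_to,location,encrypted,returned,remote_wiped
LT-0001,laptop,alice,remote,yes,no,no
LT-0002,laptop,bob,office,yes,yes,n/a
PH-0001,phone,carol,remote,yes,no,yes
TK-0001,hardware_token,dave,remote,n/a,no,n/a
LT-0003,laptop,erin,remote,no,no,no
"""

# Constructed leaver feed: HR leaver process (employees) merged with the
# third party supplier off-boarding process (contractors).
LEAVERS_CSV = """person_id,relationship,leave_date
alice,employee,2024-06-30
carol,employee,2024-06-30
dave,third_party,2024-07-05
erin,third_party,2024-07-05
"""

# Asset types that hold data and so need a wipe before they travel (assumption).
DATA_BEARING = {"laptop", "phone"}


@dataclass(frozen=True)
class Finding:
    asset_id: str
    person_id: str
    relationship: str
    issue: str


def load_rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(register_csv: str, leavers_csv: str, today: str) -> list[Finding]:
    """Cross-reference unreturned assets against leavers and report the gaps.

    today is an ISO date string; leavers whose leave date has passed are 'overdue'.
    """
    leavers = {r["person_id"]: r for r in load_rows(leavers_csv)}
    now = date.fromisoformat(today)
    findings: list[Finding] = []
    for row in load_rows(register_csv):
        if row["returned"] == "yes":
            continue
        leaver = leavers.get(row["assigned_to"])
        if leaver is None:
            continue  # holder is still engaged; not a return-of-assets gap yet
        who = (row["asset_id"], leaver["person_id"], leaver["relationship"])
        left = date.fromisoformat(leaver["leave_date"])
        status = "overdue" if left < now else "due"
        findings.append(Finding(*who, f"{status}: not returned (leave date {left})"))
        # Remote, data-bearing devices: check the transport-related controls.
        if row["asset_type"] in DATA_BEARING and row["location"] == "remote":
            if row["remote_wiped"] != "yes":
                findings.append(Finding(*who, "remote wipe not issued before transport"))
            if row["encrypted"] != "yes":
                findings.append(Finding(*who, "endpoint not encrypted; no compensating control if lost in transit"))
    return findings


def outstanding_by_person(findings: list[Finding]) -> dict[str, list[str]]:
    """Group outstanding asset ids per leaver, e.g. for an exit interview checklist."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.person_id, set()).add(f.asset_id)
    return {p: sorted(a) for p, a in out.items()}


if __name__ == "__main__":
    for f in reconcile(ASSET_REGISTER_CSV, LEAVERS_CSV, "2024-07-10"):
        print(f"{f.asset_id} held by {f.person_id} ({f.relationship}): {f.issue}")
```

Note that the hardware token is reported as unreturned but gets no wipe finding, because it holds no data; the unencrypted remote laptop produces three findings, since neither the remote wipe nor the encryption control is in place to mitigate loss in transit.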

Supporting Controls

I appreciate that there are going to be situations where that isn’t possible, and in those cases the other ISO 27001 controls are going to be supporting you.

You’re going to have encryption of that endpoint device (ISO 27001 Annex A Control 8.1 User Endpoint Devices), and ideally you’re going to have two factor authentication, so that a device that goes missing in transit does not give up its data.

In addition you are going to have access and user management (ISO 27001 Annex A Control 5.15 Access control and ISO 27001 Annex A Control 5.16 Identity management). As part of your leaver process, which is covered under other controls, you will be restricting and removing that person’s access to data from that device, so an unreturned device can no longer reach company systems even if it is never wiped.

ISO 27001 Templates

When it comes to how you document return of assets, there are ISO 27001 templates.

There is an ISO 27001 Toolkit that includes everything for ISO 27001 certification.

Also there are ISO 27001 templates that can help you with Return of Assets specifically.

The asset management policy, the asset management register, the physical asset register, all of the things that you need to support this process.

ISO 27001 Asset Management Policy Template
ISO 27001 Physical Asset Register Template

DO IT YOURSELF ISO 27001

All the templates, tools, support and knowledge you need to do it yourself.

ISO 27001 Toolkit Business Edition

ISO 27001 Return of Assets – Training Video

In this free ISO 27001 training video we look specifically at implementing ISO 27001 Return of Assets.