ISO 27001 Return of Assets | Beginner’s Guide


In this beginner’s guide to ISO 27001 Return of Assets you will learn

  • what return of assets is
  • how to implement it

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

What is Return of Assets?

Return of assets is the policy and process of returning an asset to the organisation when it is no longer required by the person or party it has been allocated to.

It is also part of the asset management process.

As a result you are going to have your asset management policy, which states what you do, and your asset management process, which sets out how you do it.

When we give assets to people, whether they are internal staff or external parties, we have to get them back.

If we don’t get these assets back it represents a significant information security risk to us.

If we have assets out in the wild that haven’t been returned, and that potentially hold company data, client data or customer data, you can foresee the problems and issues that will follow.

So, we’re going to get those assets back.


Why is it important?

The reason return of assets is important is the information security risk that unreturned assets pose.

We do not want

  • assets out in the wild
  • assets leaving the organisation when people leave the organisation
  • to be putting at risk our customers
  • to be putting at risk our employees
  • to put their data at risk.

We also do not want to put our intellectual property at risk, especially where developers, or people who have worked on its implementations, are leaving the organisation.

This is a really important control for maintaining the confidentiality, integrity and availability of data.

Just be sure that you have your process, that it is fully documented and that you can evidence it, and you are going to be absolutely golden.

Key Principles

  • Implement an Asset Inventory

As part of the asset management process you are going to have an asset inventory. There are videos on my YouTube channel and specific blogs that cover the creation of the asset inventory.

For the return of assets specifically, if the asset inventory records which assets have been allocated to which individuals, then we know who those individuals are and we know what they have.

The requirement is

  • that asset management process that maintains the asset register and
  • that assets in the asset register are allocated to individuals so that we know where those assets are.

The next step in the process is the end of the engagement with individuals and what happens next.

  • Write the Return of Assets Process: Internal Resources

Usually this is going to require integration with HR and our HR processes.

The focus for us here is making sure that when people leave the organisation we get those assets back.

So, integrating our asset register and our asset management process with our HR leaver process is what allows us to make sure we get those assets back: the leaver notification triggers the check of what that person holds.

  • Write the Return of Assets Process: Third Party Suppliers

It can be a little more complicated when we allocate assets to third parties. There we use our third party supplier management process, and in particular supplier onboarding and offboarding.

Specifically here, offboarding.

Again we’re going to make sure that the assets have been allocated to a named individual at the supplier, and that when that third party is offboarded we get the asset back.

There are considerations to build into the process. We cover those next.

Something I’ve seen with clients is the question of how, physically, in our process, we get that asset back.

  • Write the Return of Assets Process

What is our process for the return of that asset?

Are we having an exit interview?

Are we having a one to one meeting where that asset is returned to us?

Or, are we in a situation where people are remote and they’re going to be returning those assets to us from remote locations?

One of the top tips that I can give you here is this. If assets are remote and are going to be sent back to us then, yes, we have other controls about how we handle information based on its classification, but specifically here we are looking at using trusted third party courier services to get that asset back to us. My top tip is, where technically feasible, to instigate a remote wipe prior to transport.

What we are trying to do is mitigate our risk. If feasible, practical and applicable, we want to instigate a remote wipe of the device before the device is returned to us, before it ever reaches the courier.

There are many issues that people have had with couriers.

Yes, they are supposed to be guaranteed.

Yes, they are supposed to come with all of these insurances, but for belt and braces my top tip is that within your return process, where possible, you get that device remotely wiped before it enters any courier network on its way back to you.
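The two process steps above, the HR leaver integration and the remote-wipe-before-courier tip, come together in a reconciliation check that a practitioner can run on a schedule: join the asset register to the HR leaver feed, list every asset still allocated to someone whose leave date has passed, and decide the next action for each one. The following is an added example and is not code from the original page or from the toolkit it describes. The register fields (`status`, `mdm_enrolled`), the leaver fields (`remote`, `kind`) and all sample records are constructed for illustration.

```python
# Added example: reconcile an asset register against HR leaver records and
# decide the return action for each outstanding asset. Data and field names
# are constructed for illustration and are not from the original page.
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    asset_id: str
    description: str
    assigned_to: str      # person ID from the asset register (employee or supplier contact)
    status: str           # "allocated", "wiped" (remote wipe issued, not yet received) or "returned"
    mdm_enrolled: bool    # True if the device can be remotely wiped


@dataclass
class Leaver:
    person_id: str
    name: str
    leave_date: date      # from the HR leaver process / supplier offboarding
    kind: str             # "employee" or "supplier"
    remote: bool          # True if the asset will come back by courier rather than in person


# Constructed sample register and leaver feed (not real data).
ASSET_REGISTER = [
    Asset("A-1001", "Laptop", "E-100", "allocated", True),
    Asset("A-1002", "Mobile phone", "E-100", "returned", True),
    Asset("A-1003", "Laptop", "E-200", "allocated", True),
    Asset("A-1004", "Hardware token", "S-300", "allocated", False),
    Asset("A-1005", "Laptop", "E-400", "allocated", True),
    Asset("A-1006", "Tablet", "E-100", "wiped", True),
    Asset("A-1007", "Laptop", "E-500", "allocated", True),   # E-500 is not a leaver
]

HR_LEAVERS = [
    Leaver("E-100", "Alice", date(2024, 6, 28), "employee", True),
    Leaver("E-200", "Bob", date(2024, 7, 15), "employee", False),   # has not left yet
    Leaver("S-300", "Carol", date(2024, 6, 20), "supplier", True),
    Leaver("E-400", "Dave", date(2024, 6, 30), "employee", False),
]

TODAY = date(2024, 7, 1)   # fixed "today" so the run is reproducible


def recommended_action(leaver: Leaver, asset: Asset) -> str:
    """Pick the next step for one asset that has not been returned."""
    if asset.status == "wiped":
        return "await courier / confirm receipt"
    if leaver.remote and asset.mdm_enrolled:
        return "remote wipe before courier"
    if leaver.remote:
        # No remote wipe possible: fall back on endpoint encryption and access revocation.
        return "escalate: no remote wipe available, rely on encryption and revoke access"
    return "collect at exit interview"


def reconcile(register, leavers, today):
    """Return every asset still allocated to someone whose leave date has passed."""
    leavers_by_id = {lv.person_id: lv for lv in leavers}
    rows = []
    for asset in register:
        leaver = leavers_by_id.get(asset.assigned_to)
        if leaver is None or leaver.leave_date > today:
            continue                      # still employed/engaged, or not in the leaver feed
        if asset.status == "returned":
            continue                      # nothing outstanding
        rows.append({
            "asset_id": asset.asset_id,
            "description": asset.description,
            "person": f"{leaver.name} ({leaver.kind})",
            "days_overdue": (today - leaver.leave_date).days,
            "action": recommended_action(leaver, asset),
        })
    # Longest overdue first so the report leads with the biggest exposure.
    rows.sort(key=lambda r: (-r["days_overdue"], r["asset_id"]))
    return rows


if __name__ == "__main__":
    for row in reconcile(ASSET_REGISTER, HR_LEAVERS, TODAY):
        print(f'{row["asset_id"]:7} {row["description"]:15} {row["person"]:18} '
              f'{row["days_overdue"]:3}d overdue  -> {row["action"]}')
```

The output of `reconcile` is the evidence an auditor asks for: which assets were outstanding, for how long, and what was done about each. The supplier contact with a non-wipeable token is deliberately the top line, because that is the case where the only remaining protections are the device’s own encryption and the revocation of the leaver’s access.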

ISO 27001 requirement for Return of Assets

I appreciate that there are going to be situations where that isn’t possible and what you’re going to have is the other ISO 27001 controls that are going to be supporting you.

You’re going to have encryption of that endpoint device (ISO 27001 Annex A Control 8.1 User Endpoint Devices), ideally you’re going to have two factor authentication.

In addition you are going to have access and user management (ISO 27001 Annex A Control 5.15 Access control and ISO 27001 Annex A Control 5.16 Identity management). As part of your leaver process, which is covered under other controls, you will be restricting and removing the leaver’s access rights, so that data on an unreturned device can no longer be reached through their accounts.

How to implement Return of Assets

For a detailed guide on how to implement Return of Assets, read the implementation guide: ISO 27001 Annex A Control 5.11 Return of assets.


ISO 27001:2022 requirements

ISO 27001:2022 Annex A 5 - Organisational Controls

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets


ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

ISO 27001:2022 Annex A 8 - Technology Controls

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of Cryptography

ISO 27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing