In the beginner’s guide to ISO 27001 Return of Assets you will learn
- what return of assets is
- how to implement it
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
What is Return of Assets?
Return of assets is the policy and process of returning an asset to the organisation when it is no longer required by the entity it has been allocated to.
It is also part of the asset management process.
As a result you are going to have your asset management policy, the statements of what you do, and you’re going to have your asset management process that sets out how you do it.
Obviously when we give assets to people whether they are external people or internal people we’ve got to get them back. Right? We want those assets back.
If we don’t get these assets back it’s going to represent a massive information security risk to us.
If we’ve got assets that are out there in the wild that haven’t been returned, that potentially have company data, client data, customer data on, then you can see and you can foresee the problems and issues that we’re going to have.
So, we’re going to get those assets back.
Why is it important?
The reason return of assets is important is the information security risk that unreturned assets pose.
We do not want
- assets out in the wild
- assets leaving the organisation when people leave the organisation
- to be putting at risk our customers
- to be putting at risk our employees
- to put their data at risk.
We don’t want to put our intellectual property at risk, especially if developers, or people who have been working on its implementation, are leaving the organisation.
This is a really important control for maintaining the confidentiality, integrity and availability of your data.
Just be sure that you have your process, that it’s fully documented and you can evidence it and you are going to be absolutely golden.
Key Principles
- Implement an Asset Inventory
As part of the asset management process you are going to have an asset inventory. There are videos on my YouTube channel and specific blogs that cover the creation of the asset inventory.
This guide is specific to the return of those assets, but if we have an asset inventory on which assets are allocated to individuals, then we know who those individuals are and we know what they’ve got.
The requirement is
- an asset management process that maintains the asset register, and
- that assets in the asset register are allocated to individuals, so that we know where those assets are.
The next step in the process is the end of the engagement with individuals and what happens next.
- Write the Return of Assets Process: Internal Resources
Usually this is going to require an integration with HR and our HR processes.
The focus for us here is that when people leave the organisation that we are making sure that we get those assets back.
So, integrating our asset register and our asset management process with our HR leaver process is going to allow us to make sure that we get those assets back.
- Write the Return of Assets Process: Third Party Suppliers
It can be a little bit more complicated when we allocate assets to third parties. What we’re going to use there is our third party supplier management process, as part of third party supplier onboarding and offboarding, and specifically here offboarding.
Again we’re going to make sure that the assets have been allocated to an individual, and that when that third party is offboarded we get that asset back.
There are going to be considerations that you have to cover in the process, and we will go through those.
One thing I’ve seen with clients is the practical question: how do we physically get that asset back?
- Write the Return of Assets Process
What is our process for the return of that asset?
Are we having an exit interview?
Are we having a one to one meeting where that asset is returned to us?
Or, are we in a situation where people are remote and they’re going to be returning those assets to us from remote locations?
One of the top tips that I can give you here is this. If we have a situation where assets are remote and they’re going to be sent back to us then, yes, we’ve got other controls about how we handle information based on its classification, but specifically here we’re going to be looking at couriering, and using trusted third party courier services to get that asset back to us. My top tip is, where technically feasible, to instigate a process of remote wipe prior to transport.
What we’re trying to do is mitigate our risk. If feasible, practical and applicable, what we want to instigate is a remote wipe of the device before the device is returned to us, before it reaches the courier.
There are many issues that people have had with couriers.
Yes, they are supposed to be guaranteed.
Yes, they’re supposed to come with all of these insurances, but for belts and braces my top tip is: within your return process, where possible, get that device remotely wiped before it enters any kind of courier network or any network that comes back to you.
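The reconciliation step described above, tying the asset register to the HR leaver (and supplier offboarding) list and checking the remote wipe before courier transport, as an added example that is not part of the original post. The register rows, leaver records and field names are constructed for illustration; a real register would come from your asset management tool.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed records: one row per asset in the register, one per HR leaver.
@dataclass
class Asset:
    tag: str
    allocated_to: str          # person or supplier the asset was issued to
    returned: Optional[date]   # None while the asset is still out
    return_route: str          # "in_person" or "courier"
    wiped_before_transport: bool = False  # remote wipe recorded before courier

@dataclass
class Leaver:
    person: str
    leave_date: date

def outstanding_assets(register: List[Asset], leavers: List[Leaver],
                       today: date) -> List[Tuple[str, str, str]]:
    """Findings for assets held by leavers that the register does not show as
    safely returned. Each finding is (asset_tag, holder, reason)."""
    leaver_dates = {l.person: l.leave_date for l in leavers}
    findings = []
    for asset in register:
        leave_date = leaver_dates.get(asset.allocated_to)
        if leave_date is None or leave_date > today:
            continue  # still employed/engaged, or not yet left: nothing due
        if asset.returned is None:
            findings.append((asset.tag, asset.allocated_to, "not returned after leave date"))
        elif asset.return_route == "courier" and not asset.wiped_before_transport:
            findings.append((asset.tag, asset.allocated_to, "couriered without remote wipe"))
    return findings

# Constructed sample data, including one supplier offboarded via the same check.
REGISTER = [
    Asset("LAP-001", "alice", date(2024, 3, 1), "in_person"),
    Asset("LAP-002", "bob", None, "courier"),
    Asset("LAP-003", "carol", date(2024, 4, 2), "courier", wiped_before_transport=False),
    Asset("LAP-004", "dave", None, "courier"),  # dave has not left: not flagged
    Asset("PHN-010", "acme-supplier", None, "courier"),
]
LEAVERS = [Leaver("alice", date(2024, 2, 28)), Leaver("bob", date(2024, 3, 15)),
           Leaver("carol", date(2024, 4, 1)), Leaver("acme-supplier", date(2024, 3, 31))]

def example_findings() -> List[Tuple[str, str, str]]:
    return outstanding_assets(REGISTER, LEAVERS, date(2024, 5, 1))

if __name__ == "__main__":
    for tag, holder, reason in example_findings():
        print(f"{tag} ({holder}): {reason}")
```

Running the reconciliation regularly, and keeping its output, gives you the documented evidence of the process that an auditor will ask for.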
ISO 27001 requirement for Return of Assets
I appreciate that there are going to be situations where that isn’t possible, and in those cases the other ISO 27001 controls are going to be supporting you.
- ISO 27001 Annex A Control 5.9 Inventory of information and other associated assets
- ISO 27001 Annex A Control 5.10 Acceptable use of information and other associated assets
- ISO 27001 Annex A Control 5.11 Return of assets
- ISO 27001 Annex A Control 5.12 Classification of information
You’re going to have encryption of that endpoint device (ISO 27001 Annex A Control 8.1 User Endpoint Devices), ideally you’re going to have two factor authentication.
In addition you are going to have access and user management (ISO 27001 Annex A Control 5.15 Access control and ISO 27001 Annex A Control 5.16 Identity management). As part of your leaver process, which comes under other controls, you will be restricting and removing access to data on that device.
How to implement Return of Assets
For a detailed guide on how to implement Return of Assets, read the implementation guide: ISO 27001 Annex A Control 5.11 Return of assets