ISO 27001:2022 Annex A Control 5.11

Return of Assets

Book a demo

business,meeting,in,a,modern,office

ISO 27001:2022 Control 5.11 of Annex A stipulates that personnel and other interested parties must return all assets owned by the organisation upon change of employment, contract or agreement.

Upon termination of employment, contract or agreement, employees and external party users are expected to return all information and organisational assets.

Employees, contractors, and others must be obligated to replace all assets. This obligation would be included in the relevant agreements with staff, contractors, and others.

A solid, documented process should manage the return of assets. This process can be documented for each individual or supplier who passes through it. Annex A.6.5 for human resource security, Annex 6.6 for confidentiality agreements, and Annex A.5.20 for supplier activity align this with exit controls.

Organisations must have written policies that define what assets must be returned upon termination and personnel to confirm receipt and ensure inventory and accounting of assets.

What Is The Purpose of Annex A 5.11?

The following are examples of information assets for an organisation:

  • Physical documents.

  • Digital files and databases.

  • Software programs.

  • Even intangible items like trade secrets and intellectual property.

A company’s information assets can be valuable in many ways. This includes containing sensitive information about its customers, employees, or other stakeholders that bad actors can exploit for financial gain or identity theft. In addition to financial, research and operational information, they could provide your competitors with a competitive advantage if they were able to gain access to it.

For this reason, all assets and assets of employees and contractors who terminate their employment with an organisation must be returned.

As part of the exit process, assets need to be returned according to the process unless otherwise agreed upon and documented:

  • Annex A.5 outlines the steps to be taken if the non-return is recorded as a security incident.

  • To ensure continued protection, periodic asset audits are also necessary to ensure the return of assets procedure is foolproof.
Jump to Topic

Change of Employment Status per ISO 27001:2022 Annex a 5.11

As part of changing or terminating employment, contracts, or agreements, control 5.11 protects the organisation’s assets. Unauthorised individuals are prohibited from retaining organisation assets (including equipment, information, software, etc.) under this Annex A control.

You must ensure your employees and contractors don’t take sensitive data by identifying potential threats and monitoring the user’s activity before they leave.

When an individual is terminated, this Annex A control prevents them from accessing IT systems and networks. A formal termination process should be established by organisations so that individuals can no longer access any IT systems. You can achieve this by revoking all permissions, disabling accounts, and removing access to building premises.

It is necessary to establish procedures to ensure that all employees, contractors, and other relevant parties return all assets no longer needed for business purposes. These assets should be replaced as soon as possible.

Also, organisations should check the individual’s work area to ensure that all sensitive information has been returned.

Consider, for instance:

  • The organisation’s equipment (laptops and removable media) is collected upon separation.

  • Upon contract completion, contractors are required to return all equipment and information.

Building an Exit Process and What You Need to Do

An organisation must formalise its change or termination process, which includes returning all previously issued physical and electronic assets owned or entrusted to it.

Any access rights, accounts, digital certificates, and passwords should also be removed as part of the process. This formalisation is especially critical when a change or termination occurs unexpectedly, like death or resignation. Unauthorised access to organisation assets can lead to a data breach if not prevented.

A secure disposal/return process should ensure that all assets are accounted for.

ISO 27001:2022 requires the organisation to identify and document all information and associated assets to be returned, including:

  1. User endpoint devices.

  2. Portable storage devices.

  3. Specialist equipment.

  4. Authentication hardware (e.g. mechanical keys, physical tokens and smartcards) for information systems, sites and physical archives.

  5. Physical copies of information.

After termination, the user should complete a formal checklist containing all the items that need to be returned or disposed of. This checklist should include any required signatures to confirm that the assets have been properly returned or disposed of.

What Are the Changes and Differences From ISO 27001:2013?

ISO 27001:2013 was updated in October 2022 to ISO 27001:2022.

Annex A Control 5.11 is not new but a modification of Annex A control 8.1.4 – the return of assets.

In the implementation guidelines, Annex A controls are essentially the same, with similar language and phraseology. However, ISO 27001:2022’s Annex A control 5.11 has an attributes table that lets users match it to what they are implementing. Control 5.11 in ISO 27001:2022 specifies which assets can be returned at the end of employment or contract termination.

Examples of these include:

  • User endpoint devices.

  • Portable storage devices.

  • Specialist equipment.

  • Authentication hardware (e.g. mechanical keys, physical tokens and smartcards) for information systems, sites and physical archives.

  • Physical copies of information.

In the ISO 27001:2013 version, this list is not available.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2		Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1		Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2		Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3		Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3		Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2		Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3		Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6		Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2		Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3		Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5		Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3		Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3		Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6		Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
 Annex A 11.2.5		Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8		User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3		Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3		Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2		Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2		Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3		Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9		Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6		Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4		Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How Do These Changes Affect You?

ISO 27001:2022 is an update to the 2013 standard. The committee that oversees the standard did not make any significant changes.

How ISMS.online Help

You can implement and manage an ISO 27001/ 27001 Information Security Management System with ISMS.online, regardless of your experience with the standard.

The perfect fusion of knowledge and technology for early ISO 27001 success. ISMS.online includes a policy and tool for asset management.

With our system, you’ll be guided step-by-step through setting up an ISMS and managing it:

  • ISMS.online provides a step-by-step guide to implementing ISO 27001/27002 in any organisation.

  • A risk assessment tool that guides you through the risk identification and assessment process.

  • We offer a policy pack that can be customised to suit your needs online.

  • Managing documents and records as part of your ISMS is easier with a document control system.

  • Better decision-making through automatic reporting.

  • With our cloud-based platform, you’ll be able to document proof of compliance with the ISO 27001 framework with a checklist of your processes.

Get in touch today to book a demo.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Explore ISMS.online's platform with a self-guided tour - Start Now