ISO 27001:2022 Annex A Control 7.9

Security of Assets Off-Premises

Book a demo

img building 1020x680 1

When devices that hold valuable information assets are removed from the organisation’s physical location, they are more susceptible to harm, theft, loss, destruction, or breaches.

Physical security controls within an organisation’s facilities will not be effective, leaving its off-site assets exposed to threats like physical risks and malicious individuals trying to gain unauthorised access.

Employees working remotely may take corporate computers with confidential data away from the business, working in a cafe, hotel lobby, etc, connecting to unsecured public Wi-Fi and leaving their devices unmonitored. These actions present a risk to the security, confidentiality, integrity and availability of the info held on the devices.

Organisations should make sure devices taken outside the premises remain secure.

ISO 27001:2022 Annex A 7.9 outlines how organisations can ensure the security of devices located away from the main site, which host information assets. They must set up suitable controls and procedures to achieve this.

Purpose of ISO 27001:2022 Annex A 7.9

ISO 27001:2022 Annex A 7.9 allows organisations to safeguard the security of information assets housed in hardware by thwarting two distinct risks:

  • Minimising the chance of data assets in off-site devices being lost, harmed, destroyed, or exposed.
  • Avoiding interruption to the company’s data processing operations from the breach of external devices.

Ownership of Annex A 7.9

ISO 27001:2022 Annex A 7.9 necessitates organisations to set up and implement protocols and regulations that cover all devices owned or used on behalf of the company. Additionally, it is vital to the effective protection of off-site devices that an asset inventory is created and upper management approves the use of personal devices.

The Information Security Manager should confer with management and asset owners and be responsible for developing, carrying out and sustaining procedures and measures to ensure the security of devices taken away from corporate premises.

General Guidance on ISO 27001:2022 Annex A 7.9 Compliance

Annex A 7.9 details six necessities that organisations must observe when constructing and applying measures and protocols for the safeguard of assets removed from the premises:

  1. Computers, USBs, hard drives, and monitors taken off-site by the company should never be left unattended in public areas like cafes, nor in any unsecure location.
  2. Comply with the device manufacturer’s instructions and specifications regarding physical protection of the device at all times. For example, adhere to their instructions on shielding the device from water, heat, electromagnetic fields, and dust.
  3. Employees and other organisations taking computing equipment outside corporate premises should maintain a log detailing the chain of custody. This log should include, at a minimum, the names of persons responsible for the device, and their organisation.
  4. If an organisation finds that authorisation is necessary and practical for the removal of equipment from corporate premises, they should establish a procedure. This procedure should cover the taking of certain equipment off-site and keep a record of all removal actions to provide the organisation with an audit trail.
  5. It is essential to take necessary steps to avert the danger of unapproved viewing of data on public transport screens.
  6. The organisation should install location-tracking tools and enable remote access, so the device’s location can be monitored and, if necessary, any data stored on the device can be remotely wiped.

Supplementary Guidance on Annex A 7.9

ISO 27001:2022 Annex A 7.9 sets out requirements for protecting equipment that is installed outside of a company’s premises on a permanent basis.

This equipment could comprise of antennas and ATMs.

Considering the heightened risk of damage and loss of this equipment, Annex A 7.9 necessitates organisations consider the following when safeguarding it off-site:

  • ISO 27001:2022 Annex A 7.4, Physical Security Monitoring, should be taken into account.
  • Ensure ISO 27001:2022 Annex A 7.5 is taken into account, which is the protection against environmental and physical threats.
  • Access controls should be created and suitable steps should be taken to stop interference.
  • Create and apply logical access controls.

Annex A 7.9 advises organisations to bear in mind Annex A 6.7 and Annex A 8.1 when formulating and putting in place measures to safeguard devices and equipment.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 7.9 replaces ISO 27001:2013 Annex A 11.2.6.

There are three major distinctions that should be noted:

ISO 27001:2022 Annex A Control 7.9 requires an extensive set of instructions.

Annex A 7.9 introduces two new requirements in comparison to its ISO 27001:2013 version:

  1. Appropriate steps should be taken to prevent unauthorised people from seeing the information on display in public transport.
  2. Location monitoring and remote access should be enabled to enable tracking of the device and the capability to erase information stored on the device remotely, if necessary.

Annex A 7.9 introduces fresh criteria for devices which are permanently located away from the premises.

In comparison to the ISO 27001:2013 version, ISO 27001:2022 Annex A 7.9 provides distinct advice on safeguarding equipment that is fixed in an off-site location.

These could involve antennas and ATMs.

The prohibition of remote work is put in place to reduce risks.

The ISO 27001:2013 version made clear that organisations could ban employees from remote working if it was consistent with the risk levels that had been identified. By contrast, the ISO 27001:2022 version does not mention this.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How ISMS.online Help

ISMS.online is the perfect tool for managing an ISO 27001:2022 implementation. It is tailored to help businesses implement an information security management system (ISMS) that meets the standards of ISO 27001:2022.

The platform employs a risk-based approach, alongside top-of-the-line best practices and templates, to aid in recognising the risks confronting your organisation and the necessary controls to manage them. By doing so, you can effectively minimise both your risk exposure and compliance costs.

Contact us now to arrange a demonstration.

We felt like we had
the best of both worlds. We were
able to use our
existing processes,
& the Adopt, Adapt
content gave us new
depth to our ISMS.

Andrew Bud
Founder, iproov

Book your demo

Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.