ISO 27001:2022 Annex A 7.9 Checklist Guide

By Max Edwards | Updated 15 August 2024

Using a checklist for A.7.9 Security of Assets Off-Premises streamlines compliance efforts by providing a structured approach to managing risks and safeguarding information assets outside the office environment. It ensures comprehensive oversight and adherence to security standards, enhancing overall organisational resilience and data protection.

ISO 27001 A.7.9 Security of Assets Off-Premises Checklist

A.7.9 Security of Assets Off-Premises within ISO/IEC 27001:2022 is essential for ensuring that information and other associated assets remain secure when taken or used outside the organisation’s physical premises.

Protecting these assets is crucial to prevent unauthorised access, loss, or theft. The control covers laptops, mobile devices, storage media, and even paper documents that employees may take off-site for business purposes.

Implementing this control involves addressing common challenges and leveraging specific features and tools to mitigate risks.


Get an 81% headstart

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

Why Should You Comply With Annex A.7.9? Key Aspects and Common Challenges

1. Asset Identification and Classification

Common Challenges:

  • Ensuring all off-premises assets are identified and accurately classified.
  • Maintaining an up-to-date inventory with the frequent movement of assets.

Solutions:

  • Implement automated asset tracking systems to ensure accurate and real-time updates.
  • Use robust classification schemes to categorise assets by sensitivity and criticality.

Related ISO 27001 Clauses:

  • Clause 8.1 Operational Planning and Control: Implementing and maintaining processes to manage identified risks.
  • Clause 7.5 Documented Information: Ensuring proper documentation and control of asset information.

2. Access Control

Common Challenges:

  • Implementing robust access control measures that are user-friendly.
  • Ensuring strong encryption and authentication methods are consistently applied.

Solutions:

  • Use multi-factor authentication (MFA) and regular audits to ensure compliance.
  • Deploy encryption technologies to protect data on off-premises assets.

Related ISO 27001 Clauses:

  • Clause 9.1 Monitoring, Measurement, Analysis, and Evaluation: Regularly auditing access controls.
  • Clause 8.2 Risk Assessment: Evaluating the risks associated with off-premises assets and applying appropriate controls.

3. Physical Protection

Common Challenges:

  • Ensuring employees adhere to physical security guidelines outside the office.
  • Preventing loss or theft in public or unsecured locations.

Solutions:

  • Provide employees with secure carrying cases and enforce a clear policy on asset handling.
  • Conduct regular training sessions on physical security best practices.

Related ISO 27001 Clauses:

  • Clause 7.2 Competence: Ensuring employees have the necessary skills and knowledge.
  • Clause 8.3 Risk Treatment: Applying measures to protect physical assets.

4. Usage Policies

Common Challenges:

  • Developing comprehensive policies that cover all potential off-premises scenarios.
  • Ensuring employees are aware of and understand these policies.

Solutions:

  • Regularly review and update policies, and conduct mandatory training sessions.
  • Use acknowledgment tracking to confirm that employees have read and understood the policies.

Related ISO 27001 Clauses:

  • Clause 7.3 Awareness: Making employees aware of information security policies.
  • Clause 5.2 Policy: Establishing information security policies aligned with organisational goals.

5. Communication Security

Common Challenges:

  • Securing communication channels for remote access.
  • Ensuring compliance with organisational security policies during remote access.

Solutions:

  • Implement VPNs and secure communication tools, and regularly monitor remote access activities.
  • Use encryption to protect data in transit.

Related ISO 27001 Clauses:

  • Clause 7.4 Communication: Ensuring secure communication channels.
  • Clause 8.2 Risk Assessment: Assessing and managing communication risks.

6. Incident Reporting

Common Challenges:

  • Encouraging timely reporting of lost, stolen, or compromised assets.
  • Effectively investigating and responding to incidents.

Solutions:

  • Simplify the reporting process and ensure there are clear, immediate response procedures.
  • Establish a dedicated incident response team and conduct regular incident response drills.

Related ISO 27001 Clauses:

  • Clause 10.1 Continual Improvement: Using incidents to improve security measures.
  • Clause 9.2 Internal Audit: Regularly auditing the incident management process.

7. Training and Awareness

Common Challenges:

  • Maintaining a high level of security awareness among employees.
  • Ensuring training is engaging and effective.

Solutions:

  • Conduct regular, interactive training sessions and provide ongoing awareness campaigns.
  • Use assessments to measure employee understanding and retention of security practices.

Related ISO 27001 Clauses:

  • Clause 7.2 Competence: Providing necessary training and education.
  • Clause 7.3 Awareness: Ensuring ongoing awareness of information security.

8. Monitoring and Review

Common Challenges:

  • Regularly monitoring off-premises assets without infringing on privacy.
  • Updating controls based on evolving threats and feedback.

Solutions:

  • Use non-intrusive monitoring tools and establish a regular review schedule.
  • Conduct periodic risk assessments to identify new threats and vulnerabilities.

Related ISO 27001 Clauses:

  • Clause 9.3 Management Review: Reviewing the effectiveness of the ISMS.
  • Clause 9.1 Monitoring, Measurement, Analysis, and Evaluation: Regularly assessing the effectiveness of controls.

By addressing these challenges and implementing robust controls, organisations can mitigate the risks associated with taking assets off-premises, ensuring that sensitive information remains secure even outside the controlled environment of the workplace.


Compliance doesn't have to be complicated.

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

ISMS.online Features for Demonstrating Compliance with A.7.9

  • Asset Management:
    • Asset Registry: Maintains a comprehensive inventory of all assets, including those taken off-premises, to ensure accurate tracking and status updates.
    • Labelling System: Helps classify and label assets for easy identification and management.
  • Policy Management:
    • Policy Templates: Provides pre-built templates for creating and enforcing policies related to the acceptable use of off-premises assets.
    • Policy Communication: Ensures that all relevant policies are effectively communicated to employees, with acknowledgment tracking to confirm understanding and compliance.
  • Incident Management:
    • Incident Tracker: Facilitates the reporting, tracking, and resolution of incidents involving off-premises assets.
    • Workflow and Notifications: Manages incident response processes and ensures timely notifications to relevant stakeholders.
  • Training Management:
    • Training Modules: Offers training programmes specifically focused on the security of assets off-premises, including best practices and incident response.
    • Training Tracking: Monitors employee participation in training sessions and tracks their understanding and compliance.
  • Communication:
    • Alert System: Sends alerts and reminders about the security protocols for off-premises assets.
    • Notification System: Provides timely updates and notifications regarding any changes in policies or procedures related to off-premises asset security.
  • Risk Management:
    • Dynamic Risk Map: Visualises risks associated with off-premises assets and helps in identifying and mitigating these risks.
    • Risk Monitoring: Continuously monitors risks and ensures that the implemented controls remain effective.
  • Compliance Management:
    • Regs Database: Maintains a database of regulatory requirements and ensures that off-premises asset management practices are compliant.
    • Compliance Tracking: Monitors compliance with relevant standards and regulations, providing a clear audit trail.

By utilising these ISMS.online features, organisations can effectively demonstrate compliance with A.7.9 Security of Assets Off-Premises, ensuring robust security measures and maintaining the integrity of their information assets even when they are outside the physical office environment.

Detailed Annex A.7.9 Compliance Checklist

Asset Identification and Classification

  • Create and maintain a comprehensive inventory of all assets allowed off-premises.
  • Classify assets based on sensitivity and criticality.
  • Regularly update the asset inventory to reflect current status and location.
  • Implement automated tracking systems to monitor asset movements in real-time.

Access Control

  • Implement multi-factor authentication (MFA) for accessing off-premises assets.
  • Ensure all data on off-premises assets is encrypted.
  • Conduct regular access control audits to ensure compliance.
  • Review and update access control policies periodically.

Physical Protection

  • Provide employees with secure carrying cases for off-premises assets.
  • Enforce a policy for the physical security of assets, including guidelines for secure storage.
  • Educate employees on avoiding leaving assets unattended in public places.
  • Monitor compliance with physical protection policies through regular checks.

Usage Policies

  • Develop detailed policies for the acceptable use of off-premises assets.
  • Communicate usage policies to all employees and obtain acknowledgment of understanding.
  • Regularly review and update usage policies to address new risks and scenarios.
  • Include specific guidelines for different types of off-premises scenarios.

Communication Security

  • Use VPNs to secure remote access to organisational resources.
  • Ensure compliance with security policies during remote access.
  • Monitor remote access activities to detect and respond to unauthorised access.
  • Implement secure communication tools for data transmission.

Incident Reporting

  • Establish a clear procedure for reporting lost, stolen, or compromised assets.
  • Ensure that all incidents are promptly reported and investigated.
  • Maintain records of all reported incidents and actions taken.
  • Conduct regular drills and training on incident reporting procedures.

Training and Awareness

  • Conduct regular training sessions on the security of off-premises assets.
  • Include best practices and incident response procedures in training programmes.
  • Monitor and track employee participation and comprehension in training sessions.
  • Provide ongoing awareness campaigns to reinforce key security practices.

Monitoring and Review

  • Regularly monitor the use of off-premises assets to ensure compliance.
  • Use non-intrusive monitoring tools to respect employee privacy.
  • Review and update controls based on evolving threats and feedback.
  • Establish a regular review schedule to evaluate the effectiveness of implemented controls.

By following this compliance checklist, organisations can ensure that they meet the requirements of A.7.9 Security of Assets Off-Premises, maintaining the security and integrity of their assets even when they are outside the physical office environment.


Manage all your compliance in one place

ISMS.online supports over 100 standards
and regulations, giving you a single
platform for all your compliance needs.

Book a demo

Every Annex A Control Checklist Table

ISO 27001 Annex A.5 Control Checklist Table

  • Annex A.5.1: Policies for Information Security Checklist
  • Annex A.5.2: Information Security Roles and Responsibilities Checklist
  • Annex A.5.3: Segregation of Duties Checklist
  • Annex A.5.4: Management Responsibilities Checklist
  • Annex A.5.5: Contact With Authorities Checklist
  • Annex A.5.6: Contact With Special Interest Groups Checklist
  • Annex A.5.7: Threat Intelligence Checklist
  • Annex A.5.8: Information Security in Project Management Checklist
  • Annex A.5.9: Inventory of Information and Other Associated Assets Checklist
  • Annex A.5.10: Acceptable Use of Information and Other Associated Assets Checklist
  • Annex A.5.11: Return of Assets Checklist
  • Annex A.5.12: Classification of Information Checklist
  • Annex A.5.13: Labelling of Information Checklist
  • Annex A.5.14: Information Transfer Checklist
  • Annex A.5.15: Access Control Checklist
  • Annex A.5.16: Identity Management Checklist
  • Annex A.5.17: Authentication Information Checklist
  • Annex A.5.18: Access Rights Checklist
  • Annex A.5.19: Information Security in Supplier Relationships Checklist
  • Annex A.5.20: Addressing Information Security Within Supplier Agreements Checklist
  • Annex A.5.21: Managing Information Security in the ICT Supply Chain Checklist
  • Annex A.5.22: Monitoring, Review and Change Management of Supplier Services Checklist
  • Annex A.5.23: Information Security for Use of Cloud Services Checklist
  • Annex A.5.24: Information Security Incident Management Planning and Preparation Checklist
  • Annex A.5.25: Assessment and Decision on Information Security Events Checklist
  • Annex A.5.26: Response to Information Security Incidents Checklist
  • Annex A.5.27: Learning From Information Security Incidents Checklist
  • Annex A.5.28: Collection of Evidence Checklist
  • Annex A.5.29: Information Security During Disruption Checklist
  • Annex A.5.30: ICT Readiness for Business Continuity Checklist
  • Annex A.5.31: Legal, Statutory, Regulatory and Contractual Requirements Checklist
  • Annex A.5.32: Intellectual Property Rights Checklist
  • Annex A.5.33: Protection of Records Checklist
  • Annex A.5.34: Privacy and Protection of PII Checklist
  • Annex A.5.35: Independent Review of Information Security Checklist
  • Annex A.5.36: Compliance With Policies, Rules, and Standards for Information Security Checklist
  • Annex A.5.37: Documented Operating Procedures Checklist


ISO 27001 Annex A.6 Control Checklist Table

  • Annex A.6.1: Screening Checklist
  • Annex A.6.2: Terms and Conditions of Employment Checklist
  • Annex A.6.3: Information Security Awareness, Education and Training Checklist
  • Annex A.6.4: Disciplinary Process Checklist
  • Annex A.6.5: Responsibilities After Termination or Change of Employment Checklist
  • Annex A.6.6: Confidentiality or Non-Disclosure Agreements Checklist
  • Annex A.6.7: Remote Working Checklist
  • Annex A.6.8: Information Security Event Reporting Checklist


ISO 27001 Annex A.7 Control Checklist Table

  • Annex A.7.1: Physical Security Perimeters Checklist
  • Annex A.7.2: Physical Entry Checklist
  • Annex A.7.3: Securing Offices, Rooms, and Facilities Checklist
  • Annex A.7.4: Physical Security Monitoring Checklist
  • Annex A.7.5: Protecting Against Physical and Environmental Threats Checklist
  • Annex A.7.6: Working in Secure Areas Checklist
  • Annex A.7.7: Clear Desk and Clear Screen Checklist
  • Annex A.7.8: Equipment Siting and Protection Checklist
  • Annex A.7.9: Security of Assets Off-Premises Checklist
  • Annex A.7.10: Storage Media Checklist
  • Annex A.7.11: Supporting Utilities Checklist
  • Annex A.7.12: Cabling Security Checklist
  • Annex A.7.13: Equipment Maintenance Checklist
  • Annex A.7.14: Secure Disposal or Re-Use of Equipment Checklist


ISO 27001 Annex A.8 Control Checklist Table

  • Annex A.8.1: User Endpoint Devices Checklist
  • Annex A.8.2: Privileged Access Rights Checklist
  • Annex A.8.3: Information Access Restriction Checklist
  • Annex A.8.4: Access to Source Code Checklist
  • Annex A.8.5: Secure Authentication Checklist
  • Annex A.8.6: Capacity Management Checklist
  • Annex A.8.7: Protection Against Malware Checklist
  • Annex A.8.8: Management of Technical Vulnerabilities Checklist
  • Annex A.8.9: Configuration Management Checklist
  • Annex A.8.10: Information Deletion Checklist
  • Annex A.8.11: Data Masking Checklist
  • Annex A.8.12: Data Leakage Prevention Checklist
  • Annex A.8.13: Information Backup Checklist
  • Annex A.8.14: Redundancy of Information Processing Facilities Checklist
  • Annex A.8.15: Logging Checklist
  • Annex A.8.16: Monitoring Activities Checklist
  • Annex A.8.17: Clock Synchronisation Checklist
  • Annex A.8.18: Use of Privileged Utility Programs Checklist
  • Annex A.8.19: Installation of Software on Operational Systems Checklist
  • Annex A.8.20: Networks Security Checklist
  • Annex A.8.21: Security of Network Services Checklist
  • Annex A.8.22: Segregation of Networks Checklist
  • Annex A.8.23: Web Filtering Checklist
  • Annex A.8.24: Use of Cryptography Checklist
  • Annex A.8.25: Secure Development Life Cycle Checklist
  • Annex A.8.26: Application Security Requirements Checklist
  • Annex A.8.27: Secure System Architecture and Engineering Principles Checklist
  • Annex A.8.28: Secure Coding Checklist
  • Annex A.8.29: Security Testing in Development and Acceptance Checklist
  • Annex A.8.30: Outsourced Development Checklist
  • Annex A.8.31: Separation of Development, Test and Production Environments Checklist
  • Annex A.8.32: Change Management Checklist
  • Annex A.8.33: Test Information Checklist
  • Annex A.8.34: Protection of Information Systems During Audit Testing Checklist


How ISMS.online Helps With A.7.9

Contact ISMS.online today and book a demo to see how our platform can help you secure your off-premises assets and achieve ISO 27001:2022 compliance with ease.

Our expert team is ready to guide you through the powerful tools and features designed to streamline your information security management and keep your data safe.

Take the first step towards unparalleled information security – book your demo now!
