ISO 27001 Return of Assets (Clause A.5.11)

by Rahul Savanur

Introduction

The Return of Assets control under ISO 27001:2022 Clause A.5.11 ensures that all organizational assets are securely returned when employees, contractors, or third parties leave the organization.

Return of Assets

Poor offboarding practices are a major source of:

  • Data leakage
  • Unauthorized access post-termination
  • Loss of physical and digital assets

This control ensures a structured, enforceable offboarding process, reducing both security and operational risks.

What This Control Is About (Basic Information)

Comply Agent shows the following control details:

  • Title: Return of Assets
  • Control ID: UC-AS-011
  • Category: Asset Management
  • Subcategory: Offboarding
  • Version: v1.0

Description

Ensure all organizational assets, including hardware, software licenses, and access credentials, are returned by personnel upon termination of their employment or contract. This involves implementing and enforcing formal asset return procedures as part of the offboarding process.

Objective

To ensure the secure and complete retrieval of all organizational assets from personnel upon their departure, safeguarding against unauthorized access, data breaches, and financial loss.

Implementation & Guidance

Comply Agent shows that this control must be tightly integrated into HR and IT offboarding workflows.

1. Establish Formal Offboarding Procedures

Organizations must:

  • Define a standardized offboarding checklist
  • Include asset return steps as mandatory controls
  • Ensure alignment between HR and IT departments

2. Maintain Asset Inventory and Ownership Records

  • Track all assigned assets:
    • Laptops, devices, storage media
    • Software licenses
    • Access credentials
  • Link assets to users for accountability

3. Implement Asset Return Verification Process

Comply Agent highlights:

  • Mandatory sign-off process:
    • Employee confirmation
    • Company representative verification
  • Validate:
    • Physical condition
    • Completeness of returned items

4. Revoke Access and Decommission Assets

Organizations should:

  • Disable user accounts immediately upon exit
  • Revoke system access and credentials
  • Reassign or securely wipe returned devices

5. Perform Reconciliation and Audit Checks

  • Conduct pre- and post-offboarding asset verification
  • Identify missing or unreturned assets
  • Escalate discrepancies

Evidence Examples

Comply Agent shows:

  • Signed asset return forms/checklists
  • Inventory reconciliation reports before and after offboarding
  • Records of access revocation and software license deactivation

Operational Details

Comply Agent shows:

  • Frequency: Continuous
  • Review Cycle: Continuous
  • Owner Role: HR Department, IT Department
  • Responsible Role: HR Department, IT Department
  • Automation Score: 70%
  • Last Updated: As per system records

Interpretation

  • High automation (70%) typically includes:
    • HRMS-integrated offboarding workflows
    • Identity and access management automation
    • Asset tracking systems

Compliance & Risk Management

Comply Agent shows:

  • Status: Not Started
  • Compliance Status: N/A
  • Control Type: Administrative
  • Maturity Level: Level 4
  • Risk Domain: Information Security, Data Protection, Asset Management
  • Clause Reference: ISO 27001:2022 Clause A.5.11

Key Risks Addressed

  • Retained access by former employees
  • Loss or theft of organizational assets
  • Data leakage from unreturned devices
  • Financial losses due to missing equipment

Framework Mappings

Comply Agent shows strong cross-framework alignment:

1. Primary Mapping

  • ISO 27001:2022 – A.5.11 Return of Assets (Exact)

2. Supporting Controls

  • SOC 2
    • CC6.5 – Logical and physical access termination
  • GDPR
    • Article 32 – Security of processing

3. Extended Mappings

  • DORA
    • Article 8 – ICT risk management
    • Article 13 – Security of network and information systems
  • NIST CSF
    • PR.AC-4 – Access permissions and revocation
    • PR.IP-12 – Asset management and lifecycle

Evidence Library

Comply Agent shows the required audit evidence:

1. Termination Checklist

Completed checklists for terminated employees, indicating asset return.

2. Asset Return Log

Records of assets returned by departing personnel, including dates and signatures.

3. Equipment Receipt Records

Documentation of returned equipment, including model, serial number, and condition.

FAQs: ISO 27001 Return of Assets (Clause A.5.11)

1. What is the Return of Assets control?

It ensures all company assets are returned when personnel leave.

2. Who owns this control?

Comply Agent shows HR and IT departments jointly own it.

3. What do auditors check?

  • Signed offboarding checklists
  • Asset return records
  • Evidence of access revocation

4. Why is this control critical?

Because unreturned assets and active access are common causes of data breaches.

5. Is automation required?

Not mandatory, but highly recommended for:

  • Access revocation
  • Asset tracking
  • Workflow management
