ISO 27001:2022 Annex A Control 5.11: Return of Assets
Annex A control 5.11 of the 2022 version of the ISO27001 standard can be mapped to ISO 27001:2013 Annex A 8.1.4.
Control 5.11 expresses that personnel and other relevant parties must return all assets owned by their organisation in the event of a change in employment, contract, or agreement. In the event of employment termination, personnel and other relevant parties should also return all information and assets.
A documented process should be put in place to manage the return of assets, outlined for each individual or supplier who passes through the process. Organisations should have written policies that clarify what assets are to be returned upon termination.
Why is Control 5.11 important?
Information assets are hugely valuable to any organisation, whether it be financial, research-based, or operational. If this information is shared, it could put employees, stakeholders, and the organisation as a whole at risk.
All assets of employees and other users should be returned when their employment at the organisation is terminated. Some examples of information assets are as follows:
- Digital files
- Databases
- Physical documents
- Intangible items like intellectual property or trade secrets
How to build an exit strategy?
An organisation’s change and termination processes must be formalised and should include the return of all previously issued assets. Any access rights, digital certificates, passwords, and accounts should be removed as part of this process, as unauthorised access can greatly increase the risk of a data breach.
A secure return process must make sure that all assets are accounted for. Annex 5.11 asks that organisations identify and document all assets to be returned, including portable storage devices, user endpoint devices, specialist equipment, physical copies of information, and authentication software like smartcards.
What are the changes from ISO27001:2013?
Annex 5.11 is an updated version of ISO27001:2013 Annex A control 8.1.4. The controls listed are essentially the same in terms of language, but Annex 5.11 features an attributes table designed to allow users to record what they are implementing.
Annex 5.11 also specifies which assets can be returned at the end of employment (user endpoint devices, portable storage devices, specialist equipment, authentication hardware, and physical copies of information). This list is not included in ISO27001:2013 Annex A control 8.1.4.
Ready to Take Control of Your Privacy Compliance?
See how Hicomply can accelerate your path to CAF compliance in a 15-minute demo.