Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.”
Plain-language meaning
When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or securely removed.
This applies to employees, contractors, temporary workers, third-party users, suppliers, and other parties where appropriate.
Why this matters
Asset return is a common offboarding failure. Missing devices, access cards, documents, media, credit cards, keys, and copies of information create data leakage, fraud, unauthorized access, and legal risk.
The control covers more than laptops.
Examples:
- laptops, phones, tablets;
- access cards, keys, tokens, badges;
- credit cards and purchasing cards;
- removable media;
- paper files and manuals;
- software, licenses, and reference copies;
- confidential documents;
- information stored on personal devices or contractor equipment;
- cloud files or local copies;
- project material and knowledge that must transfer to the organization.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Build asset return into contracts and offboarding
Return obligations should be included in employment, contractor, supplier, and third-party agreements.
Offboarding should trigger:
- asset return;
- knowledge transfer;
- access removal;
- transfer of business records;
- secure erasure from non-organizational devices where permitted and required;
- confirmation that no organizational information remains with the leaver.
2. Cover role changes, not only termination
This control also applies when someone changes role or contract scope.
If an asset is no longer required in the new role, it should be returned or reassigned through a controlled process.
Examples:
- manager leaves finance and no longer needs finance records;
- contractor ends support for a system;
- project team member moves off a confidential project;
- administrator no longer needs privileged hardware token.
3. Use the asset inventory
Return activity should use the Information and Associated Asset Inventory or related asset records.
The process should identify:
- assets assigned to the person or party;
- information they hold;
- access cards and physical access items;
- software and licenses;
- documents and paper records;
- removable media;
- third-party or personal devices containing organizational data.
4. Record return and exceptions
Each return should be documented.
Record:
- person or third party;
- asset returned;
- date returned;
- condition;
- returned to whom;
- missing assets;
- secure erase confirmation;
- knowledge transfer completion;
- exception or escalation.
Missing assets should not disappear into email threads. Track them as incidents, HR matters, supplier issues, or corrective actions depending on severity.
5. Secure erase non-organizational assets
Where organizational information is stored on personal, contractor, or third-party equipment, the process should require return, transfer, or secure deletion of that information.
This needs legal and contractual backing. If the organization permits BYOD or third-party storage, it needs the right to require removal of organizational information.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should check whether asset return procedures are defined and applied for leavers, movers, contractors, and third-party users.
Audit samples should include:
- recent employee terminations;
- role changes;
- contractor offboarding;
- supplier user termination;
- high-risk roles;
- privileged users;
- remote workers.
The auditor should verify that records show returned assets, transferred information, secure erasure where applicable, and escalation for missing items.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Offboarding procedure | Asset return process is defined |
| Employment or contractor agreement | Return obligation is contractual |
| Asset assignment records | Organization knows what should be returned |
| Return checklist | Process is performed consistently |
| Leaver/mover records | Assets are returned during termination or role change |
| Secure erase confirmation | Organizational data removed from non-organizational devices |
| Knowledge transfer record | Business information is retained |
| Missing asset escalation | Exceptions are tracked |
| HR, IT, and facilities workflow records | Return is coordinated across functions |
| Inventory updates | Asset status reflects return, reassignment, or disposal |
Strong evidence
- Offboarding workflow automatically checks assigned assets.
- Return records cover hardware, access cards, documents, media, software, and information.
- Contractors and third-party users are included.
- Role changes trigger asset review.
- Personal or third-party devices are covered by agreement and secure erase requirements.
- Missing assets are escalated and tracked.
- Asset inventory is updated after return, reassignment, or disposal.
Weak evidence
- Return process only covers laptops.
- No record of documents, access cards, removable media, or information copies.
- Contractors are handled informally.
- Role changes do not trigger asset review.
- No secure erase process for personal or third-party devices.
- Missing assets are not escalated.
- Asset inventory does not reflect returns.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Offboarding focused only on access removal | Physical and information assets remain with leavers |
| No link to asset inventory | Organization does not know what to recover |
| Contractors excluded | Third-party data exposure risk remains |
| Role changes ignored | People retain assets they no longer need |
| BYOD not addressed | Organizational data may remain outside control |
| Missing assets not tracked | Losses become normalized |
| No knowledge transfer | Business records and operational knowledge are lost |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- Return of assets is not only for employees; contractors and third-party users may be in scope.
- Termination is not the only trigger; role changes and contract changes matter.
- Assets include information and documents, not only equipment.
- Information on personal or third-party devices must be returned or securely erased where applicable.
- Asset return should link to the asset inventory.
- Access revocation and asset return are related but not the same control.
Related controls and concepts
- A.5.9 Inventory of Information and Other Associated Assets
- Information and Associated Asset Inventory
- A.5.10 Acceptable Use of Information and Other Associated Assets
- A.5.2 Information Security Roles and Responsibilities
- A.5.4 Management Responsibilities
- Internal Audit
- Risk Assessment
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.11 requires personnel and relevant interested parties to return organizational assets when employment, contracts, agreements, or roles end or change. The process should cover equipment, access items, software, documents, media, and organizational information, including information stored on personal or third-party equipment.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Asset management
- Offboarding
- Access control
- Audit
Note Metadata
Aliases: A.5.11, Return of Assets
Source: 02 Annex A Organizational Controls/A.5.11 Return of Assets.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Internal Audit
- Risk Assessment
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001 A.5.4 - Management Responsibilities
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- A.5 Organizational Controls MOC
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- ISO 27001 A.7.2 - Physical Entry
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.5.11 Audit Evidence Pack
- A.6.5 Audit Evidence Pack
- AQ-ISO27001-A.5.11 Return of Assets
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.11 Return of Assets
- A.5 Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.5.11 Audit Checklist
- Asset Return Checklist
- Template - Corrective Action Tracker
- Information and Associated Asset Inventory
- Leaver and Role Change Security Checklist
- Long-Term Asset Loan Attestation
- Off-Premises Asset Authorization Register
- Annex A Controls MOC