UnixTime

Research Note

ISO 27001 A.5.11 - Return of Assets

When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or s...

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.”

Plain-language meaning

When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or securely removed.

This applies to employees, contractors, temporary workers, third-party users, suppliers, and other parties where appropriate.

Why this matters

Asset return is a common offboarding failure. Missing devices, access cards, documents, media, credit cards, keys, and copies of information create data leakage, fraud, unauthorized access, and legal risk.

The control covers more than laptops.

Examples:

  • laptops, phones, tablets;
  • access cards, keys, tokens, badges;
  • credit cards and purchasing cards;
  • removable media;
  • paper files and manuals;
  • software, licenses, and reference copies;
  • confidential documents;
  • information stored on personal devices or contractor equipment;
  • cloud files or local copies;
  • project material and knowledge that must transfer to the organization.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

1. Build asset return into contracts and offboarding

Return obligations should be included in employment, contractor, supplier, and third-party agreements.

Offboarding should trigger:

  • asset return;
  • knowledge transfer;
  • access removal;
  • transfer of business records;
  • secure erasure from non-organizational devices where permitted and required;
  • confirmation that no organizational information remains with the leaver.

2. Cover role changes, not only termination

This control also applies when someone changes role or contract scope.

If an asset is no longer required in the new role, it should be returned or reassigned through a controlled process.

Examples:

  • manager leaves finance and no longer needs finance records;
  • contractor ends support for a system;
  • project team member moves off a confidential project;
  • administrator no longer needs privileged hardware token.

3. Use the asset inventory

Return activity should use the Information and Associated Asset Inventory or related asset records.

The process should identify:

  • assets assigned to the person or party;
  • information they hold;
  • access cards and physical access items;
  • software and licenses;
  • documents and paper records;
  • removable media;
  • third-party or personal devices containing organizational data.

4. Record return and exceptions

Each return should be documented.

Record:

  • person or third party;
  • asset returned;
  • date returned;
  • condition;
  • returned to whom;
  • missing assets;
  • secure erase confirmation;
  • knowledge transfer completion;
  • exception or escalation.

Missing assets should not disappear into email threads. Track them as incidents, HR matters, supplier issues, or corrective actions depending on severity.

5. Secure erase non-organizational assets

Where organizational information is stored on personal, contractor, or third-party equipment, the process should require return, transfer, or secure deletion of that information.

This needs legal and contractual backing. If the organization permits BYOD or third-party storage, it needs the right to require removal of organizational information.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should check whether asset return procedures are defined and applied for leavers, movers, contractors, and third-party users.

Audit samples should include:

  • recent employee terminations;
  • role changes;
  • contractor offboarding;
  • supplier user termination;
  • high-risk roles;
  • privileged users;
  • remote workers.

The auditor should verify that records show returned assets, transferred information, secure erasure where applicable, and escalation for missing items.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Offboarding procedure Asset return process is defined
Employment or contractor agreement Return obligation is contractual
Asset assignment records Organization knows what should be returned
Return checklist Process is performed consistently
Leaver/mover records Assets are returned during termination or role change
Secure erase confirmation Organizational data removed from non-organizational devices
Knowledge transfer record Business information is retained
Missing asset escalation Exceptions are tracked
HR, IT, and facilities workflow records Return is coordinated across functions
Inventory updates Asset status reflects return, reassignment, or disposal

Strong evidence

  • Offboarding workflow automatically checks assigned assets.
  • Return records cover hardware, access cards, documents, media, software, and information.
  • Contractors and third-party users are included.
  • Role changes trigger asset review.
  • Personal or third-party devices are covered by agreement and secure erase requirements.
  • Missing assets are escalated and tracked.
  • Asset inventory is updated after return, reassignment, or disposal.

Weak evidence

  • Return process only covers laptops.
  • No record of documents, access cards, removable media, or information copies.
  • Contractors are handled informally.
  • Role changes do not trigger asset review.
  • No secure erase process for personal or third-party devices.
  • Missing assets are not escalated.
  • Asset inventory does not reflect returns.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Offboarding focused only on access removal Physical and information assets remain with leavers
No link to asset inventory Organization does not know what to recover
Contractors excluded Third-party data exposure risk remains
Role changes ignored People retain assets they no longer need
BYOD not addressed Organizational data may remain outside control
Missing assets not tracked Losses become normalized
No knowledge transfer Business records and operational knowledge are lost

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • Return of assets is not only for employees; contractors and third-party users may be in scope.
  • Termination is not the only trigger; role changes and contract changes matter.
  • Assets include information and documents, not only equipment.
  • Information on personal or third-party devices must be returned or securely erased where applicable.
  • Asset return should link to the asset inventory.
  • Access revocation and asset return are related but not the same control.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.11 requires personnel and relevant interested parties to return organizational assets when employment, contracts, agreements, or roles end or change. The process should cover equipment, access items, software, documents, media, and organizational information, including information stored on personal or third-party equipment.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Asset management
  • Offboarding
  • Access control
  • Audit

Note Metadata

Aliases: A.5.11, Return of Assets

Source: 02 Annex A Organizational Controls/A.5.11 Return of Assets.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Audit checks

Audit questions, checklists, or review material connected to the control.

04

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.