Requirement
Requirement lens
This control asks whether assets taken outside the organization’s premises are protected according to the risk they create.
“Off-site assets shall be protected.”
Plain-language meaning
The organization should protect equipment, documents, data, software, and storage media when they leave the organization’s controlled environment.
Off-premises work creates flexibility, but it weakens the normal physical protections around information. Laptops, paper files, removable media, mobile devices, and BYOD devices can be lost, stolen, viewed, copied, damaged, or accessed in locations the organization does not control.
Why this matters
An asset outside the office can still contain or access organizational information. A stolen laptop, forgotten paper file, lost USB drive, or unmanaged BYOD device can become a confidentiality breach, availability issue, regulatory event, or evidence gap.
The main ISMS question is not “can people work remotely?” It is “what assets leave, who is responsible, what protection applies, and has management accepted any residual off-site risk?”
Implementation guidance
Implementer focus
Decide what can leave the premises, under what authorization, with what controls, and how the organization proves it still knows where the asset is.
1. Define the off-premises asset policy
The organization should decide which approach applies:
| Approach | Practical meaning | Typical use |
|---|---|---|
| Prohibit removal | Sensitive assets cannot leave the premises | Highly restricted environments |
| Permit removal with controls | Assets may leave with authorization and protection | Most organizations |
| Permit removal without asset-specific controls | Higher risk; requires strong information-handling controls | Only where justified and accepted |
Uncontrolled removal of sensitive information is risky. If the organization accepts higher off-site risk, the acceptance should be explicit, reviewed, and approved by the right level of management.
2. Require formal authorization
Equipment, information, software, and media should not be taken or transmitted off-site without authorization.
Authorization should define:
- what asset may leave;
- who may carry or use it;
- purpose and duration;
- permitted locations;
- required controls;
- return or review date;
- additional jurisdiction or border requirements where relevant.
3. Keep accountability for assets
The organization should know where assets are and who is responsible for them.
Controls may include:
- asset registers;
- ownership labels where practical;
- booking-out and return records;
- long-term loan attestation;
- periodic possession checks;
- leaver asset return process;
- secure erase before staff keep or buy equipment.
4. Protect mobile and portable assets
Controls should match the sensitivity of the information and the likelihood of loss or theft.
Examples:
- full-disk encryption;
- strong authentication;
- screen locking;
- remote wipe or device management;
- secure transport bags;
- no unattended laptops in vehicles or public places;
- privacy screens;
- rules for paper files and removable media;
- incident reporting for loss or theft.
5. Address BYOD and jurisdiction risk
BYOD complicates control because the organization may not own the device, but may still own or be responsible for the information accessed from it.
When assets or access cross jurisdictions, consider whether local laws, inspection powers, or data-access requirements change the risk profile.
6. Link to insurance and risk acceptance
Insurance may be relevant for organization-owned equipment off-premises, but it is not a security control by itself. Check policy conditions, excess, and whether the organization must meet specific protection requirements before a claim is valid.
If equivalent off-site protection is impossible or impractical, top management should make an informed decision about whether to tolerate the increased risk.
Audit guidance
Auditor focus
Check whether the organization knows what assets leave the premises, has assessed the off-site risk, and can prove authorization, protection, return, and management acceptance where needed.
Auditors should verify:
- off-premises asset risk assessment;
- policy and procedures for asset removal;
- authorization records;
- booking-out/return records;
- long-term loan attestations;
- BYOD controls where applicable;
- mobile equipment protection controls;
- leaver asset return records;
- secure erase records for retained or purchased devices;
- insurance conditions where relevant;
- management risk acceptance where off-site protection is weaker than on-site protection.
Auditors should test whether off-site security is comparable with on-site protection or whether the residual difference has been accepted by an appropriate role.
Evidence examples
Evidence quality
Strong evidence proves the organization controls the full off-premises asset lifecycle: authorization, protection, possession, return, and exceptions.
| Evidence | What it proves |
|---|---|
| Off-premises asset policy | Rules are defined |
| Asset removal authorization records | Removal is controlled |
| Off-site asset register | Location and custodian are known |
| Long-term loan attestation | Ongoing possession is periodically confirmed |
| Mobile device management/encryption evidence | Portable assets are protected |
| BYOD policy and enrollment records | Personal-device access is controlled |
| Leaver asset return checklist | Assets are recovered before departure |
| Secure erase certificate/record | Information is removed before transfer or retention |
| Risk acceptance record | Management accepted residual off-site risk |
| Insurance records | Off-site equipment loss conditions are understood |
Strong evidence
- Off-premises risks are assessed and reviewed.
- Asset removal requires authorization and is logged.
- Long-term off-site assets are periodically attested.
- Mobile devices use appropriate technical controls.
- BYOD access is governed and controlled.
- Leaver processes recover assets or erase information.
- Risk acceptance is approved when off-site protection is weaker than on-site protection.
Weak evidence
- Staff can take assets home without logging or authorization.
- Asset inventory does not show off-site location or custodian.
- BYOD is allowed informally.
- No periodic check confirms long-term loan assets still exist.
- Leavers are trusted to return equipment without evidence.
- Insurance exists but conditions are not understood.
- Management has not accepted the increased off-site risk.
Common failures
Implementation watchouts
A.7.9 fails when remote work is approved but off-site asset accountability is not designed.
| Failure | Why it matters |
|---|---|
| No off-site asset register | The organization cannot prove custody or location |
| No authorization process | Sensitive assets leave without control |
| BYOD unmanaged | Organization data sits on devices outside control |
| Long-term loans not attested | Lost or unused assets remain invisible |
| Leaver return process weak | Equipment and data leave with former personnel |
| Off-site protection weaker but not accepted | Management is unaware of residual risk |
| Cross-border use ignored | Legal access and protection requirements may change |
Exam traps
Exam focus
A.7.9 is about protecting assets away from premises, not only remote access technology.
| Trap | Correct interpretation |
|---|---|
| VPN solves off-premises asset security | Physical assets, paper, media, BYOD, custody, and loss/theft risks remain |
| BYOD is out of scope because the organization does not own it | Organization information accessed from BYOD still creates risk |
| Insurance replaces security controls | Insurance may reduce financial impact but does not protect confidentiality |
| Asset removal can be informal | Removal of sensitive assets should be authorized and recorded |
| Off-site protection must always equal on-site protection | It should be comparable where practical; differences need informed acceptance |
Related controls and concepts
- A.7 Physical Controls MOC
- A.6.7 Remote Working
- A.7.8 Equipment Siting and Protection
- A.5.9 Inventory of Information and Other Associated Assets
- A.5.10 Acceptable Use of Information and Other Associated Assets
- A.5.11 Return of Assets
- A.5.12 Classification of Information
- A.5.15 Access Control
- A.5.18 Access Rights
- Risk Assessment
- Statement of Applicability
- Off-Premises Asset Authorization Register
- Off-Premises Asset Protection Checklist
- Long-Term Asset Loan Attestation
- A.7.9 Audit Evidence Pack
- A.7.9 Audit Checklist
KB-ready summary
Mentor takeaway
A.7.9 requires the organization to protect assets when they leave controlled premises. The key audit trail is authorization, custody, protection, return, and accepted residual risk.
- Decide what can leave and what cannot.
- Authorize and log asset removal.
- Protect portable and mobile assets.
- Include BYOD and remote equipment in scope.
- Periodically confirm long-term off-site assets.
- Recover or securely erase assets during leaver processes.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Off premises assets
- Remote working
- Audit
Note Metadata
Aliases: A.7.9, Security of Assets Off-Premises, Security of Assets Off Premises
Source: 04 Annex A Physical Controls/A.7.9 Security of Assets Off-Premises.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.8 - Equipment Siting and Protection
- A.7 Physical Controls MOC
- A.7.9 Audit Evidence Pack
- AQ-ISO27001-A.7.9 Security of Assets Off-Premises
- ISO 27001 A.8.1 - User End Point Devices
- A.8 Technological Controls MOC
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.9 Security of Assets Off-Premises
- A.7 Physical Controls Implementation Audit Risk Mapping
- EXAM-024 - Off-Premises Assets and Storage Media
- ISO 27002 Annex A Control Interpretation Map
- A.7.9 Audit Checklist
- Endpoint Device Security Standard
- Long-Term Asset Loan Attestation
- Off-Premises Asset Authorization Register
- Off-Premises Asset Protection Checklist
- Annex A Controls MOC