UnixTime

Research Note

ISO 27001 A.7.9 - Security of Assets Off-Premises

The organization should protect equipment, documents, data, software, and storage media when they leave the organization's controlled environment.

On this page

Requirement

Requirement lens

This control asks whether assets taken outside the organization’s premises are protected according to the risk they create.

“Off-site assets shall be protected.”

Plain-language meaning

The organization should protect equipment, documents, data, software, and storage media when they leave the organization’s controlled environment.

Off-premises work creates flexibility, but it weakens the normal physical protections around information. Laptops, paper files, removable media, mobile devices, and BYOD devices can be lost, stolen, viewed, copied, damaged, or accessed in locations the organization does not control.

Why this matters

An asset outside the office can still contain or access organizational information. A stolen laptop, forgotten paper file, lost USB drive, or unmanaged BYOD device can become a confidentiality breach, availability issue, regulatory event, or evidence gap.

The main ISMS question is not “can people work remotely?” It is “what assets leave, who is responsible, what protection applies, and has management accepted any residual off-site risk?”

Implementation guidance

Implementer focus

Decide what can leave the premises, under what authorization, with what controls, and how the organization proves it still knows where the asset is.

1. Define the off-premises asset policy

The organization should decide which approach applies:

Approach Practical meaning Typical use
Prohibit removal Sensitive assets cannot leave the premises Highly restricted environments
Permit removal with controls Assets may leave with authorization and protection Most organizations
Permit removal without asset-specific controls Higher risk; requires strong information-handling controls Only where justified and accepted

Uncontrolled removal of sensitive information is risky. If the organization accepts higher off-site risk, the acceptance should be explicit, reviewed, and approved by the right level of management.

2. Require formal authorization

Equipment, information, software, and media should not be taken or transmitted off-site without authorization.

Authorization should define:

  • what asset may leave;
  • who may carry or use it;
  • purpose and duration;
  • permitted locations;
  • required controls;
  • return or review date;
  • additional jurisdiction or border requirements where relevant.

3. Keep accountability for assets

The organization should know where assets are and who is responsible for them.

Controls may include:

  • asset registers;
  • ownership labels where practical;
  • booking-out and return records;
  • long-term loan attestation;
  • periodic possession checks;
  • leaver asset return process;
  • secure erase before staff keep or buy equipment.

4. Protect mobile and portable assets

Controls should match the sensitivity of the information and the likelihood of loss or theft.

Examples:

  • full-disk encryption;
  • strong authentication;
  • screen locking;
  • remote wipe or device management;
  • secure transport bags;
  • no unattended laptops in vehicles or public places;
  • privacy screens;
  • rules for paper files and removable media;
  • incident reporting for loss or theft.

5. Address BYOD and jurisdiction risk

BYOD complicates control because the organization may not own the device, but may still own or be responsible for the information accessed from it.

When assets or access cross jurisdictions, consider whether local laws, inspection powers, or data-access requirements change the risk profile.

Insurance may be relevant for organization-owned equipment off-premises, but it is not a security control by itself. Check policy conditions, excess, and whether the organization must meet specific protection requirements before a claim is valid.

If equivalent off-site protection is impossible or impractical, top management should make an informed decision about whether to tolerate the increased risk.

Audit guidance

Auditor focus

Check whether the organization knows what assets leave the premises, has assessed the off-site risk, and can prove authorization, protection, return, and management acceptance where needed.

Auditors should verify:

  • off-premises asset risk assessment;
  • policy and procedures for asset removal;
  • authorization records;
  • booking-out/return records;
  • long-term loan attestations;
  • BYOD controls where applicable;
  • mobile equipment protection controls;
  • leaver asset return records;
  • secure erase records for retained or purchased devices;
  • insurance conditions where relevant;
  • management risk acceptance where off-site protection is weaker than on-site protection.

Auditors should test whether off-site security is comparable with on-site protection or whether the residual difference has been accepted by an appropriate role.

Evidence examples

Evidence quality

Strong evidence proves the organization controls the full off-premises asset lifecycle: authorization, protection, possession, return, and exceptions.

Evidence What it proves
Off-premises asset policy Rules are defined
Asset removal authorization records Removal is controlled
Off-site asset register Location and custodian are known
Long-term loan attestation Ongoing possession is periodically confirmed
Mobile device management/encryption evidence Portable assets are protected
BYOD policy and enrollment records Personal-device access is controlled
Leaver asset return checklist Assets are recovered before departure
Secure erase certificate/record Information is removed before transfer or retention
Risk acceptance record Management accepted residual off-site risk
Insurance records Off-site equipment loss conditions are understood

Strong evidence

  • Off-premises risks are assessed and reviewed.
  • Asset removal requires authorization and is logged.
  • Long-term off-site assets are periodically attested.
  • Mobile devices use appropriate technical controls.
  • BYOD access is governed and controlled.
  • Leaver processes recover assets or erase information.
  • Risk acceptance is approved when off-site protection is weaker than on-site protection.

Weak evidence

  • Staff can take assets home without logging or authorization.
  • Asset inventory does not show off-site location or custodian.
  • BYOD is allowed informally.
  • No periodic check confirms long-term loan assets still exist.
  • Leavers are trusted to return equipment without evidence.
  • Insurance exists but conditions are not understood.
  • Management has not accepted the increased off-site risk.

Common failures

Implementation watchouts

A.7.9 fails when remote work is approved but off-site asset accountability is not designed.

Failure Why it matters
No off-site asset register The organization cannot prove custody or location
No authorization process Sensitive assets leave without control
BYOD unmanaged Organization data sits on devices outside control
Long-term loans not attested Lost or unused assets remain invisible
Leaver return process weak Equipment and data leave with former personnel
Off-site protection weaker but not accepted Management is unaware of residual risk
Cross-border use ignored Legal access and protection requirements may change

Exam traps

Exam focus

A.7.9 is about protecting assets away from premises, not only remote access technology.

Trap Correct interpretation
VPN solves off-premises asset security Physical assets, paper, media, BYOD, custody, and loss/theft risks remain
BYOD is out of scope because the organization does not own it Organization information accessed from BYOD still creates risk
Insurance replaces security controls Insurance may reduce financial impact but does not protect confidentiality
Asset removal can be informal Removal of sensitive assets should be authorized and recorded
Off-site protection must always equal on-site protection It should be comparable where practical; differences need informed acceptance

KB-ready summary

Mentor takeaway

A.7.9 requires the organization to protect assets when they leave controlled premises. The key audit trail is authorization, custody, protection, return, and accepted residual risk.

  • Decide what can leave and what cannot.
  • Authorize and log asset removal.
  • Protect portable and mobile assets.
  • Include BYOD and remote equipment in scope.
  • Periodically confirm long-term off-site assets.
  • Recover or securely erase assets during leaver processes.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Physical controls
  • Off premises assets
  • Remote working
  • Audit

Note Metadata

Aliases: A.7.9, Security of Assets Off-Premises, Security of Assets Off Premises

Source: 04 Annex A Physical Controls/A.7.9 Security of Assets Off-Premises.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.