What the auditor wants to verify
Audit objective
Verify that off-site assets are authorized, protected, tracked, periodically confirmed, returned, erased where needed, and risk-accepted where off-site protection is weaker.
Evidence to request
| Evidence | Purpose |
|---|---|
| Off-premises asset policy | Shows removal rules are defined |
| Off-premises risk assessment | Shows the risk profile was assessed |
| Asset removal authorization records | Shows removal is approved |
| Off-site asset register | Shows location, custodian, and accountability |
| Long-term loan attestations | Shows ongoing possession is confirmed |
| MDM/encryption evidence | Shows portable assets are protected |
| BYOD policy/enrollment records | Shows personal-device access is controlled |
| Leaver asset return records | Shows assets are recovered |
| Secure erase records | Shows organizational data is removed before transfer/retention |
| Risk acceptance records | Shows residual off-site risk is approved |
Strong evidence
Strong evidence test
Strong evidence proves custody, authorization, protection, periodic confirmation, return, and accepted residual risk.
- Asset removal is authorized and logged.
- Off-site assets are recorded with custodian, location, and review date.
- Mobile devices are encrypted and managed.
- Long-term loans are periodically attested.
- BYOD use is governed.
- Leavers return equipment or data is securely erased.
- Risk acceptance exists where off-site protection is weaker than on-site protection.
Weak evidence
Weak evidence warning
Weak evidence relies on trust instead of traceable asset custody.
- Staff take assets home without records.
- Asset inventory does not identify off-site assets.
- No evidence confirms long-term loan assets still exist.
- BYOD is informal.
- Leaver records are incomplete.
- Insurance exists but security conditions are unknown.
Sample interview questions
- What assets may leave the premises?
- Who authorizes off-site asset use?
- How do you know where off-site assets are?
- What controls protect laptops, phones, paper files, and removable media?
- How is BYOD controlled?
- What happens when a leaver has company assets at home?
- Who accepts residual off-site risk?
Common nonconformities
- Off-site asset risks not assessed.
- Asset removal not authorized or logged.
- Off-site register missing or incomplete.
- Mobile/BYOD controls weak.
- Long-term loans not periodically confirmed.
- Leaver return process lacks evidence.
- Residual risk not approved.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A7 9
Note Metadata
Aliases: A.7.9 Evidence
Source: 04 Audit Evidence Packs/A.7.9 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- Audit Evidence MOC
- AQ-ISO27001-A.7.9 Security of Assets Off-Premises
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.9 Security of Assets Off-Premises
- A.7.9 Audit Checklist
- Long-Term Asset Loan Attestation
- Off-Premises Asset Authorization Register
- Off-Premises Asset Protection Checklist
- Audit Evidence Index