What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.11

ISO 27001 Annex A 5.11 - what changed in the 2022 update

Offboarding an employee used to be relatively simple: you’d collect their building pass, take back their laptop, and wish them well. But in today’s world of remote work, cloud accounts, and personal devices, “getting your stuff back” has become significantly more complex. This is where ISO 27001:2022 Annex A 5.11, “Return of Assets,” comes into play.

If you are transitioning from the 2013 version of the standard, you’ll remember this control as A.8.1.4. While the core objective remains the same, the 2022 update reflects the modern reality that an “asset” is rarely just a physical object anymore. Let’s look at what has evolved and how you should be handling asset returns today.

The Structural Shift: From A.8.1.4 to A.5.11

In the 2013 version, the Return of Assets control was part of the A.8 “Asset Management” domain. In the 2022 revision, it has been reclassified as Annex A 5.11 and placed under the Organisational theme.

This reclassification is important. It highlights that returning assets isn’t just a logistics or IT task – it is a fundamental organisational process that requires coordination between HR, IT, and department heads. According to Hightable.io, this control is a “live test” of your operational control. It’s one thing to have an asset register; it’s another to prove that you can successfully recall every item and credential when someone leaves the business.

What Has Actually Changed in the Requirement?

While the formal definition hasn’t been completely rewritten, the 2022 version places a much heavier emphasis on evidence and digital assets. In 2013, auditors were often satisfied with a signed paper checklist. In 2022, the expectations have matured:

  • Broadened Asset Definition: It’s not just laptops and keys anymore. It includes specialist equipment, physical tokens, smartcards, physical copies of information, and even knowledge transfer (intellectual property).
  • Focus on Information: The 2022 standard is more explicit about the return of information itself. If an employee has company data on a personal device (BYOD), you must have a process to ensure that data is deleted or transferred back to the company.
  • Proof of Return: The control now explicitly states that the return of assets should be evidenced. You need a verifiable audit trail showing that the return actually happened and was logged in your asset register.

Addressing the “Remote Work” Gap

One of the biggest real-world changes since the 2013 standard is the rise of remote and hybrid working. The 2022 version of Annex A 5.11 acknowledges the risks associated with assets that are not physically on your premises.

As Hightable.io highlights, you now need to consider the secure transport of assets being returned via courier. If a high-value laptop containing sensitive data is being shipped back to HQ, is it encrypted? Is there a risk of it being intercepted? The 2022 standard encourages organisations to consider remote-wiping devices before they are even put in the post to ensure that a lost parcel doesn’t become a major data breach.

Key Implementation Steps for the 2022 Standard

To successfully transition your “Return of Assets” process to the 2022 standard, consider these practical steps:

  • Unified Exit Procedures: Ensure your HR “Leaver” process is tied directly to your IT asset register. HR should trigger the alert, but IT must confirm the physical or digital receipt of the assets.
  • Handle the Grey Zones: Don’t just focus on permanent employees. Ensure your contracts with third parties and contractors have explicit “return of assets” clauses that are actually enforced.
  • BYOD and Data Deletion: If you allow personal devices, you must have a documented procedure for removing company data. This might involve Mobile Device Management (MDM) software or a formal declaration from the leaver.
  • Intellectual Property: Consider the “intangible” assets. Ensure that critical knowledge, passwords, and administrative rights are transferred to a remaining team member before the leaver’s account is disabled.

What the Auditor Will Look For

When an auditor reviews your compliance with Annex A 5.11, they won’t just look at your policy; they will look at your history. They are likely to pick a sample of employees who have left in the last six months and ask for the specific evidence of their asset return.

They will check if your asset register was updated to show the items are back in stock and if the return date matches the employee’s departure date. If there are missing items, they will want to see that you logged it as a security incident and took appropriate steps to mitigate the risk.
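The auditor's check described above, turned into a small reconciliation routine, as an added example that is not part of the original article: it compares one leaver's HR departure date against the assets assigned to them in the register and flags items with no logged return (to be raised as a security incident), items returned after the departure date, and items whose return was logged but never reflected as back in stock. The data classes, field names and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Asset:
    tag: str
    description: str
    assigned_to: str
    returned_on: Optional[date]  # None means no return has ever been logged
    in_stock: bool               # register shows the item back in stock

@dataclass
class Leaver:
    user_id: str
    departure: date  # departure date as recorded by the HR leaver process

def reconcile(leaver: Leaver, register: List[Asset], grace_days: int = 0) -> List[Tuple[str, str]]:
    """Compare one leaver against the asset register and return (asset tag, finding) pairs.
    A leaver whose assets are all back in stock on time returns an empty list."""
    findings = []
    deadline = leaver.departure + timedelta(days=grace_days)
    for asset in register:
        if asset.assigned_to != leaver.user_id:
            continue
        if asset.returned_on is None:
            # No evidence of return at all: the case the auditor expects to see
            # logged as a security incident with mitigation steps.
            findings.append((asset.tag, "no return logged: raise security incident"))
        elif asset.returned_on > deadline:
            late = (asset.returned_on - leaver.departure).days
            findings.append((asset.tag, f"returned {late} days after departure"))
        elif not asset.in_stock:
            # Return date exists but the register was never updated, so the audit trail is incomplete.
            findings.append((asset.tag, "return logged but register not updated"))
    return findings

# Constructed sample register and leaver records (not real data)
SAMPLE_REGISTER = [
    Asset("LAP-0042", "laptop", "jdoe", date(2024, 3, 29), True),
    Asset("TOK-0107", "hardware token", "jdoe", None, False),
    Asset("PASS-0310", "building pass", "jdoe", date(2024, 4, 10), True),
    Asset("LAP-0051", "laptop", "asmith", date(2024, 2, 1), False),
]
SAMPLE_LEAVER = Leaver("jdoe", date(2024, 3, 29))

if __name__ == "__main__":
    for tag, issue in reconcile(SAMPLE_LEAVER, SAMPLE_REGISTER):
        print(f"{SAMPLE_LEAVER.user_id} {tag}: {issue}")
```

Running the same routine over every leaver from the last six months produces the evidence sample the auditor asks for, and any finding in the first category should already exist as an incident record.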

The move from 2013 to 2022 represents a shift from a simple “checklist” to a “lifecycle” mindset. By ensuring that assets are returned promptly and securely, you are closing one of the most common windows for data exfiltration and maintaining the integrity of your security posture.