How to implement ISO 27001 Annex A 7.9 – A certification body's guide

How to Implement ISO 27001 Annex A 7.9 Security of Assets Off-Premises

Working environments have changed. We no longer sit in a secure office from nine to five every day. We work from home, from coffee shops, and on trains. This flexibility is great for business, but it gives security managers a headache. ISO 27001 Annex A 7.9 addresses this specific challenge.

As a certification body, we at ISO27001.com see many organisations struggle here. The control is titled “Security of assets off-premises.” It requires you to protect equipment and information when it leaves your physical site. It is not just about laptops. It covers mobile phones, USB drives, and even paper documents.

This guide will help you understand what you need to do. We will explain how to implement the control and what we expect to see during an audit.

Understanding the Requirement

The core of Annex A 7.9 is simple. You must ensure that assets remain secure regardless of where they are. The risks change when you step outside your office. In the office, you have physical security like badge readers and locked doors. Outside, you face theft, loss, and unauthorized viewing.

You need to decide what assets can leave the premises. Not everything should go home with employees. Once you decide what can leave, you must apply rules to keep those items safe.

Creating a Clear Policy

The first step is documentation. You cannot expect staff to follow rules if you do not write them down. We expect to see a clear policy on off-site assets. This might be part of your mobile device policy or a remote working policy.

Your policy should state who is allowed to take assets off-site. It should also specify what authorization they need. For example, a salesperson might have standing approval to take a laptop home. However, a developer taking a server home would need specific sign-off.

You must also set time limits. If an asset is off-site, how long can it stay there? We often see policies that require equipment to return to the office periodically for updates or checks.

Physical Protection Measures

You must provide guidance on physical security. When a laptop is in a car, where should it be? The answer is “out of sight” and preferably in the boot. You should instruct staff never to leave devices unattended in public places.

We also look for rules regarding family members. It is common for an employee to let a child or spouse use a work device. Your policy should strictly forbid this. Family members are not vetted staff. They could accidentally delete files or install malware.

Technical Controls to Support You

Policy is good, but technology is better. You should use encryption on all devices that leave the building. If a laptop is left on a train, encryption ensures the data remains safe. This is a critical point for us. If we see unencrypted laptops going off-site, it will likely be a non-conformity.

You should also have the ability to remote wipe devices. If a phone is stolen, you need a way to delete the corporate data immediately. Make sure you test this capability. We might ask you for evidence of a test.

Handling Paper Documents

It is easy to focus on digital gadgets and forget paper. Annex A 7.9 applies to information in all forms. If you print a sensitive contract and take it home, you must protect it.

Tell your staff not to read sensitive papers on public transport. Shoulder surfing is a real risk. Also, advise them on how to dispose of paper at home. Throwing confidential client data in a household recycling bin is a breach. You should require them to bring the paper back to the office for shredding.

What the Auditor Expects

When we come to audit you, we look for evidence. We do not just take your word for it. Here is a list of things we might check regarding Annex A 7.9.

  • The Policy: We will read your policy to see if it covers physical security, family use, and travel rules.
  • Asset Register: We will check if you know which assets are off-site and who has them.
  • Training Records: We want to see that you told staff how to keep devices safe. A signature on a policy is a good start.
  • Incident Logs: If a device was lost, how did you handle it? We will review your incident reports.
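
The auditor's questions about the asset register, encryption and time limits can be answered from the register itself. The script below is an added example, not code from the page or from ISO27001.com: it reads a register in CSV form and flags every off-site entry that breaks one of the rules discussed above (unencrypted equipment off-site, no named custodian, no recorded check-out date, or equipment that has been off-site longer than the policy allows). The column names, the 30-day return limit and the sample rows are all constructed assumptions; swap in your own register export and your own policy limit.

```python
"""Off-site asset register check for ISO 27001 Annex A 7.9 evidence.

Added example, not from the page or ISO27001.com. The CSV column names,
the 30-day return limit and the sample rows are constructed assumptions.
"""
import csv
import io
from datetime import date

# Constructed sample register: one row per asset, "location" is either
# "on-site" or "off-site", "encrypted" is yes/no, "checked_out" is the ISO
# date the asset left the premises (blank when it has not left).
SAMPLE_REGISTER = """asset_id,type,custodian,location,encrypted,checked_out
LT-0001,laptop,a.smith,off-site,yes,2024-05-01
LT-0002,laptop,b.jones,off-site,no,2024-05-10
PH-0003,phone,,off-site,yes,2024-04-01
USB-0004,usb-drive,c.lee,off-site,no,2024-05-28
LT-0005,laptop,d.ng,on-site,no,
"""

# Assumed policy limit: equipment must return for checks within this many days.
MAX_DAYS_OFF_SITE = 30

# Fixed "today" so the sample run is reproducible (constructed value).
SAMPLE_TODAY = date(2024, 6, 1)


def load_register(text):
    """Parse a CSV register export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def check_off_site_assets(rows, today, max_days=MAX_DAYS_OFF_SITE):
    """Return (asset_id, finding) pairs for off-site assets breaching policy.

    On-site equipment is skipped: it is covered by the office's own physical
    controls. Each off-site row is tested against the rules separately, so one
    asset can produce several findings.
    """
    findings = []
    for row in rows:
        if row["location"].strip().lower() != "off-site":
            continue
        asset = row["asset_id"].strip()

        # Rule 1: nothing unencrypted leaves the building.
        if row["encrypted"].strip().lower() != "yes":
            findings.append((asset, "unencrypted device off-site"))

        # Rule 2: the register must say who has the asset.
        if not row["custodian"].strip():
            findings.append((asset, "no named custodian"))

        # Rule 3: off-site time is limited; without a date it cannot be measured.
        checked_out = row["checked_out"].strip()
        if not checked_out:
            findings.append((asset, "no check-out date recorded"))
            continue
        days_out = (today - date.fromisoformat(checked_out)).days
        if days_out > max_days:
            findings.append(
                (asset, f"off-site {days_out} days exceeds {max_days}-day limit")
            )
    return findings


def run_sample_check():
    """Run the check over the constructed register with the fixed sample date."""
    return check_off_site_assets(load_register(SAMPLE_REGISTER), SAMPLE_TODAY)


if __name__ == "__main__":
    for asset_id, finding in run_sample_check():
        print(f"{asset_id}: {finding}")
```

Run against the sample data this lists five findings: the encrypted laptop LT-0001 is flagged only for being out 31 days, LT-0002 and USB-0004 for lacking encryption, and the phone PH-0003 both for having no custodian and for being out 61 days; the on-site laptop LT-0005 is ignored. Keeping the output of such a run, dated, is the kind of evidence an auditor can tie back to the register and the policy.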

We might also interview your staff. We often ask employees simple questions. “What do you do with your laptop when you go to the gym after work?” Their answer tells us if your training is effective.

Common Pitfalls to Avoid

We see the same mistakes often. One common error is ignoring “Bring Your Own Device” or BYOD. If staff use personal phones for work email, those phones are assets off-premises. You need to control the work data on those phones.

Another mistake is lack of awareness. You can have the best firewalls in the world, but they do not help if a laptop is stolen from an unlocked car. Focus on training your people. Remind them of the risks regularly.


Final Thoughts

Implementing Annex A 7.9 does not have to be complex. It is about common sense and clear rules. You are extending your security bubble to cover your staff wherever they go.

Start by reviewing your current policy. Does it explicitly mention off-site risks? If not, update it today. If you need templates or more detailed guidance, ISO27001.com has resources to assist you. Protecting your assets off-premises is a key step toward a robust information security management system.