ISO 27001 Annex A 5.11 Return Of Assets

What is ISO 27001 Annex A 5.11 Return Of Assets?

Annex A 5.11 is a control requiring the return of all information assets upon termination of employment. This procedure involves documented handovers integrated into existing HR workflows. It protects against the loss of physical hardware and digital intellectual property. Success depends on maintaining accurate asset records in internal tools.

Auditor’s Eye: The Shortcut Trap

Relying on a green tick in a SaaS compliance platform is a mistake. Auditors want to see the link between HR actions and IT results. We look for Jira tickets or SharePoint lists that show human validation. Automated platforms often lack the evidence of physical asset verification. Without a signature or timestamped log in your native systems, the process is invisible. Compliance must live in your daily operational tools. Auditors will fail a process that exists only inside a “black box” portal.

Transition Table (2013 vs 2022)

Feature         | ISO 27001:2013 Reference | ISO 27001:2022 Reference
Control ID      | A.8.1.4                  | 5.11
Control Name    | Return of Assets         | Return of Assets
Strategic Shift | Focus on physical items. | Expanded focus on digital assets and information.

How to Implement ISO 27001 Annex A 5.11 Return Of Assets (Step-by-Step)

Implementation requires integrating the return process into your business-as-usual tools. You must treat this as a cultural requirement for all staff. Use your existing document repositories to track progress. Manual oversight ensures that no proprietary data leaves the building.

  • Design the Workflow: Create a standard offboarding template in Jira. List every asset type that requires recovery.
  • Audit Current Assignments: Review the employee’s equipment list in SharePoint. Cross-reference this with recent procurement records.
  • Conduct the Handover: Meet with the employee to collect hardware. Document the physical state of each item.
  • Update Asset Status: Mark items as “Returned” or “Available” in your central DBMS. Record the date and time of return.
  • Review and Close: Ensure the line manager signs off the completion. Store this record in the employee’s personnel file.

ISO 27001 Annex A 5.11 Return Of Assets Audit Evidence Checklist

The auditor seeks evidence of human intent and thorough record-keeping. Manual records prove that the process is functioning. Avoid showing dashboard summaries from SaaS tools.

  • Completed and signed exit checklists from SharePoint.
  • Jira sub-tasks showing IT department confirmation of receipt.
  • History logs in the asset management system showing status changes.
  • Internal email threads discussing the return of specialist equipment.
  • Signed acknowledgements of post-employment security obligations.

Relational Mapping

Annex A 5.11 connects directly to Clause 5.9 (Inventory of Information). It relies on Clause 5.10 (Acceptable Use) for initial asset assignment rules. This control also underpins Clause 6.4 (Termination of Employment). Without successful return of assets, disciplinary or legal actions are difficult to pursue.

Auditor Interview

Auditor: How do you know which assets an employee has when they resign?

User: We check the asset register in our SharePoint Document Management System.

Auditor: What happens if a laptop is not returned on the final day?

User: HR triggers a specific escalation task in Jira for the management team.

Auditor: Where is the proof that the IT team verified the returned hardware?

User: The IT technician leaves a comment and closes the recovery ticket in our internal system.

Common Non-Conformities

Failure Type          | Description
Automated Complacency | Relying on a SaaS tool that marks assets returned without verifying physical serial numbers.
Incomplete Records    | Asset logs show assignments but lack a history of the return date or handler.
Disconnected Silos    | HR completes the exit interview but fails to notify IT to recover the hardware.
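As an added illustration of the reconciliation that the implementation steps and the non-conformities table describe (constructed example code, not part of this page or of any product mentioned on it): a small Python check that compares the asset register against the return log for a leaver and reports the three failure types by name, so the "Review and Close" step can refuse sign-off until each one is resolved. All asset ids, serials, user names and timestamps are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Assignment:
    asset_id: str
    serial: str
    asset_type: str
    assigned_to: str

@dataclass(frozen=True)
class ReturnRecord:
    asset_id: str
    returned_at: Optional[str]     # ISO 8601 timestamp, None if never logged
    handler: Optional[str]         # IT technician who received the item
    serial_checked: Optional[str]  # serial read off the physical item at handover
    source: str                    # "manual" (ticket) or "saas_sync" (tool auto-marked)

# Constructed sample register and return log for a hypothetical leaver "j.doe".
REGISTER = [
    Assignment("AST-001", "SN-LT-4471", "laptop", "j.doe"),
    Assignment("AST-002", "SN-PH-9120", "mobile phone", "j.doe"),
    Assignment("AST-003", "SN-AC-0032", "access card", "j.doe"),
    Assignment("AST-004", "SN-LT-5500", "laptop", "a.smith"),
]
RETURNS = [
    ReturnRecord("AST-001", "2024-05-31T16:05:00", "it.tech1", "SN-LT-4471", "manual"),
    ReturnRecord("AST-002", "2024-05-31T16:10:00", None, None, "saas_sync"),
]

def reconcile(employee: str, register: List[Assignment],
              returns: List[ReturnRecord]) -> List[Tuple[str, str]]:
    """Return (asset_id, finding) pairs for every assignment that is not cleanly closed."""
    by_asset = {r.asset_id: r for r in returns}
    findings = []
    for a in register:
        if a.assigned_to != employee:
            continue
        r = by_asset.get(a.asset_id)
        if r is None:                              # assigned, but no return record at all
            findings.append((a.asset_id, "UNRETURNED"))
            continue
        if not r.returned_at or not r.handler:     # "Incomplete Records": date or handler missing
            findings.append((a.asset_id, "INCOMPLETE_RECORD"))
        if r.serial_checked != a.serial:           # nobody compared the item's serial to the register
            label = "AUTOMATED_COMPLACENCY" if r.source == "saas_sync" else "SERIAL_NOT_VERIFIED"
            findings.append((a.asset_id, label))
    return sorted(findings)

def ready_to_close(employee: str, register: List[Assignment], returns: List[ReturnRecord]) -> bool:
    """Line-manager sign-off should only be possible when no findings remain."""
    return not reconcile(employee, register, returns)
```

Running `reconcile("j.doe", REGISTER, RETURNS)` on the sample data reports the phone as tool-marked without a handler or serial check and the access card as unreturned, while the laptop with a manual ticket is clean.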

Frequently Asked Questions

When must assets be returned?

Assets must be returned upon termination of employment, contract or agreement. This includes hardware, software, and physical documents. The process should occur before the individual leaves the premises. Timely recovery prevents unauthorised access to sensitive information.

What items are included in Annex A 5.11?

This control includes all physical and digital assets. Common examples are laptops, mobile phones, and access cards. It also covers proprietary software and physical files. Any item belonging to the organisation falls under this requirement.

Who manages the return of assets?

The organisation must assign responsibility to specific departments. HR and IT usually co-ordinate the recovery process. The line manager often verifies the return of specific project materials. Clear roles ensure no items are missed during offboarding.



LA CASA DE CERTIFICACIÓN