What is ISO 27001 Annex A 7.9 in ISO 27001?
ISO 27001 Annex A 7.9 (Security of assets off-premises) requires that equipment and information taken away from the organisation's premises stay protected, whether in transit, at a home office or at a third-party site. This page shows how to run the control through the SharePoint and Jira workflows you already operate rather than through a separate compliance tool. Management must authorize each removal, and the organisation must keep a record of who is responsible for every off-site asset, such as a laptop or external drive, and where it currently is.
Auditor’s Eye: The Shortcut Trap
Automated SaaS compliance platforms often ship a generic "Off-Site Policy" template that turns the control green the moment it is uploaded. That green tick creates a dangerous lack of management ownership. Auditors want to see the Jira workflow that actually records asset removals. We check SharePoint version history to see when your asset register was last updated and by whom. A platform dashboard cannot prove that a named manager authorized a specific laptop's removal; only the approval record can. We prefer evidence taken from your native document repositories. Real compliance lives in your internal records, not in a third-party software interface.
| ISO 27001:2013 Reference | ISO 27001:2022 Reference | Key Focus Areas |
|---|---|---|
| Annex A 11.2.6 (Security of equipment and assets off-premises) | Annex A 7.9 (Security of assets off-premises) | Authorization, physical protection, custody tracking. |
How to Implement ISO 27001 Annex A 7.9 (Step-by-Step)
Implement Annex A 7.9 by embedding the control into the IT workflows your staff already use. Because the records are produced as a by-product of daily work, they stay current without a separate compliance exercise. Use existing tools like SharePoint and Jira for all records.
- Update your SharePoint asset register with "Current Location", "Custodian" and "Last Confirmed" fields for every portable asset.
- Configure a Jira workflow for asset removal requests that requires a named manager's approval before a ticket can reach the Approved state.
- Draft physical protection guidelines (transport, vehicle and home storage, screen privacy, reporting of loss) on your internal Confluence wiki.
- Ensure staff sign off on these guidelines during induction and whenever they change.
- Perform periodic spot checks: reconcile the register against approved removal tickets and have staff confirm they still hold the assets assigned to them.
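The spot check in the last step is easiest to run as a reconciliation between two exports: the asset register and the list of removal tickets. The script below is an added example and is not code from the original page or from any SharePoint or Jira integration; the field names, sample rows and the 90-day confirmation window are constructed for illustration. It flags the three failure modes an auditor will look for: an asset recorded off-site with no approved ticket, an approval that has lapsed or was issued to a different person, and a register entry that still says "office" while an approval remains open.

```python
"""Reconcile an off-site asset register against removal approvals.

Added example, not part of the original page. REGISTER and APPROVALS are
constructed rows standing in for a SharePoint asset register export and a
Jira ticket export; their field names are assumptions for this example.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date, timedelta

# Constructed sample rows: what a register export might look like.
REGISTER = [
    {"asset_id": "LT-0412", "custodian": "a.khan",  "location": "off-site", "last_confirmed": "2024-05-02"},
    {"asset_id": "LT-0419", "custodian": "b.ortiz", "location": "off-site", "last_confirmed": "2024-01-15"},
    {"asset_id": "HD-0077", "custodian": "c.nwosu", "location": "off-site", "last_confirmed": "2024-05-20"},
    {"asset_id": "LT-0501", "custodian": "d.lee",   "location": "office",   "last_confirmed": "2024-05-20"},
]

# Constructed sample rows: what a removal-ticket export might look like.
APPROVALS = [
    {"ticket": "ASSET-101", "asset_id": "LT-0412", "requester": "a.khan",  "approver": "m.grant", "status": "Approved", "valid_until": "2024-12-31"},
    {"ticket": "ASSET-117", "asset_id": "LT-0419", "requester": "b.ortiz", "approver": "m.grant", "status": "Approved", "valid_until": "2024-03-31"},
    {"ticket": "ASSET-130", "asset_id": "HD-0077", "requester": "c.nwosu", "approver": "",        "status": "Open",     "valid_until": "2024-12-31"},
    {"ticket": "ASSET-142", "asset_id": "LT-0501", "requester": "d.lee",   "approver": "m.grant", "status": "Approved", "valid_until": "2024-12-31"},
]

MAX_CONFIRM_AGE = timedelta(days=90)  # assumed quarterly possession confirmation


def spot_check(register, approvals, today):
    """Return (asset_id, code, detail) tuples for every inconsistency found."""
    findings = []
    approved = defaultdict(list)
    for t in approvals:
        # Only a ticket in the Approved state with a named approver counts as authorisation.
        if t["status"] == "Approved" and t["approver"]:
            approved[t["asset_id"]].append(t)

    for row in register:
        aid = row["asset_id"]
        tickets = approved.get(aid, [])
        current = [t for t in tickets if date.fromisoformat(t["valid_until"]) >= today]

        if row["location"] == "off-site":
            if not tickets:
                findings.append((aid, "no_approval", "off-site with no approved removal ticket"))
            elif not current:
                latest = max(t["valid_until"] for t in tickets)
                findings.append((aid, "approval_expired", f"last approval lapsed on {latest}"))
            elif not any(t["requester"] == row["custodian"] for t in current):
                findings.append((aid, "custodian_mismatch", "approval was issued to a different person"))
            last = date.fromisoformat(row["last_confirmed"])
            if today - last > MAX_CONFIRM_AGE:
                findings.append((aid, "stale_confirmation", f"possession last confirmed {last.isoformat()}"))
        elif current:
            # Register says on-site but an approval is still live: one of the two records is out of date.
            findings.append((aid, "register_not_updated", "register says on-site but an approval is still open"))
    return findings


def findings_by_asset(findings):
    """Group finding codes per asset for reporting."""
    grouped = defaultdict(list)
    for aid, code, _ in findings:
        grouped[aid].append(code)
    return {aid: sorted(codes) for aid, codes in grouped.items()}


def sample_report(today_iso="2024-06-01"):
    """Run the check over the constructed data as of the given report date."""
    return findings_by_asset(spot_check(REGISTER, APPROVALS, date.fromisoformat(today_iso)))


if __name__ == "__main__":
    for aid, code, detail in spot_check(REGISTER, APPROVALS, date(2024, 6, 1)):
        print(f"{aid}: {code} ({detail})")
```

Each finding maps directly onto a row of the non-conformity table further down the page: `no_approval` is "Lack of Authorization", `stale_confirmation` and `register_not_updated` are "Automated Complacency". Keeping the script's output with the quarterly review minutes gives the auditor the consistency evidence without a dashboard.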
ISO 27001 Annex A 7.9 Audit Evidence Checklist
Focus on records produced by people doing the work and on the version history of your internal documents. These items prove human oversight and operational intent. Auditors check that the register, the approval tickets and the assets actually in staff hands agree with one another.
- SharePoint asset register with updated status for portable hardware.
- Jira approval history for laptops issued to remote staff.
- Meeting minutes from security reviews discussing asset loss.
- Staff acknowledgement logs for off-site security procedures.
- Insurance documents covering equipment used outside the office.
Relational Mapping
Annex A 7.9 depends on several other ISO 27001 requirements and controls:
- Clause 8.1 (Operational planning and control): requires the removal and tracking processes to be planned, operated and documented to the extent needed to show they are followed.
- Annex A 5.9 (Inventory of information and other associated assets): provides the asset register that off-site tracking builds on.
- Annex A 6.7 (Remote working): sets the conditions for equipment used at home or while travelling.
- Annex A 7.10 (Storage media): governs the data held on off-site devices and removable media.
Auditor Interview
Auditor: How do you manage the risk of equipment theft off-site?
User: We publish strict rules on our internal wiki about vehicle storage. Every removal requires a Jira ticket approval from the manager.
Auditor: How do you verify the location of off-site laptops?
User: We conduct a quarterly audit of our SharePoint asset register. Staff must confirm possession of their assigned hardware.
Common Non-Conformities
| Failure Mode | Description | Corrective Action |
|---|---|---|
| Automated Complacency | Relying on a SaaS platform while records are out-of-date. | Sync your SharePoint register with actual asset distribution. |
| Lack of Authorization | Assets removed without a documented Jira approval. | Enforce the removal workflow for all staff members. |
| Poor Physical Care | Laptops left in cars against documented company rules. | Re-issue guidance on the internal Confluence wiki. |
Frequently Asked Questions
What is ISO 27001 Annex A 7.9?
The Bottom Line: It is the requirement to protect assets used outside the organisation's premises. You must authorize every removal and record who holds each asset and where it is. Documented procedures should reside in your internal SharePoint system. This ensures management keeps control over hardware and data in transit and at remote locations.
How do I prove off-site asset security to an auditor?
The Bottom Line: Present your Jira authorization logs and SharePoint asset registers. Show that your staff have read the rules on your internal wiki. Auditors value internal records that prove daily management activity. Avoid showing dashboards from external SaaS compliance providers.
Does Annex A 7.9 apply to home workers?
The Bottom Line: Yes, all organisational equipment used at home falls under this control. You must set and communicate basic security expectations for the home environment, such as secure storage and screen locking, in your version-controlled staff handbook. Track all home-working assets in your primary asset register alongside every other off-site asset.
