Transitioning from ISO 27001:2013 to the 2022 update involves more than just renumbering controls. It represents a fundamental shift in how we view the “perimeter” of our businesses. In the 2013 era, assets usually stayed within the four walls of an office. Today, your assets are in coffee shops, home offices, and transit hubs. This modern reality is exactly why Annex A 7.9: Security of Assets Off-Premises has been refined to be more comprehensive and risk-aware.
The Evolution from 11.2.6 to 7.9
In the older ISO 27001:2013 standard, the security of assets used outside the office was covered under Control 11.2.6. It was a relatively simple requirement: “Security should be applied to off-site assets taking into account the different risks of working outside the organisation’s premises.”
In the 2022 version, this has been rebranded as Annex A 7.9 and placed within the Physical Controls theme. According to experts at Hightable.io, while the intent remains to prevent loss, damage, or compromise, the new version is much more prescriptive. The shift to a more detailed guidance structure reflects a decade of change in remote working habits and the proliferation of mobile technology.
What is New in Annex A 7.9?
The 2022 version of the standard introduces several specific requirements that were either absent or only vaguely hinted at in the 2013 version. If you are updating your Statement of Applicability (SoA), you need to pay attention to these key differences:
- Unauthorised Viewing (Screen Privacy): One of the most practical additions is the requirement to prevent the unauthorised viewing of information on screens in public places. Whether it’s on a train or in an airport lounge, the 2022 update expects you to consider physical privacy filters or employee training to prevent “shoulder surfing.”
- Remote Wipe and Tracking: While many companies did this anyway, the 2022 guidance is now more explicit about having the technical capability to track and remotely wipe devices that are lost or stolen while off-premises.
- Permanent Off-Site Equipment: The 2013 version focused heavily on “portable” assets. The 2022 update provides separate, specific guidance for equipment that is permanently installed off-site, such as smart meters, antennas, or ATMs.
- Prohibition of Unattended Devices: The guidance is stricter regarding leaving equipment unattended in public spaces. In the 2022 world, “I only left my laptop for a minute to get a coffee” is a clear non-conformity.
The Role of Control Attributes
A major feature of the ISO 27001:2022 update is the introduction of “Attributes.” For Annex A 7.9, the control is officially tagged as a Preventive control. This helps security managers explain to auditors that off-premises security isn’t just a reaction to a lost device; it is a proactive strategy to ensure that protection follows the asset wherever it goes.
As noted by Hightable.io, these attributes (specifically Confidentiality and Availability) allow you to map your physical asset security directly to your data protection policies. This provides a unified view of risk that was often siloed in the 14-domain structure of the 2013 version.
Practical Implementation: Modern Expectations
Under the 2022 standard, an auditor is looking for a “Chain of Custody” for your off-site assets. To satisfy the requirements of Annex A 7.9, your implementation should include:
- Authorisation Procedures: A formal process for approving the removal of assets from the premises.
- Comprehensive Asset Register: A log that doesn’t just list what you own, but who has it and where it is authorised to be.
- Environmental Protection: Guidelines for protecting assets from external threats like extreme heat, moisture, or electromagnetic interference while they are off-site.
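The three items above amount to a chain-of-custody register. As an added example (not code from the article or from Hightable.io), the following Python sketch models such a register and the checks an auditor's questions would exercise; the schema, field names and sample entries are constructed assumptions.

```python
# Added example: off-premises asset register with chain-of-custody checks.
# Schema, names and sample entries are constructed assumptions, not the article's.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Custody:
    asset_id: str
    holder: str                  # person currently responsible for the asset
    holder_type: str             # "employee" or "contractor"
    authorised_by: str           # approver of removal; "" = no approval recorded
    authorised_location: str     # where the asset is permitted to be
    taken_out: date
    due_back: date
    returned: Optional[date] = None
    wipe_verified: bool = False  # temporary data confirmed cleared on return

def on_loan_to_contractors(register: List[Custody]) -> List[str]:
    # "Show me the log for equipment currently on loan to contractors."
    return [c.asset_id for c in register
            if c.returned is None and c.holder_type == "contractor"]

def overdue(register: List[Custody], today: date) -> List[str]:
    # Still off-site past the agreed return date
    return [c.asset_id for c in register
            if c.returned is None and c.due_back < today]

def returned_unverified(register: List[Custody]) -> List[str]:
    # Back on premises, but secure state (wipe) was never confirmed
    return [c.asset_id for c in register
            if c.returned is not None and not c.wipe_verified]

def unauthorised_removal(register: List[Custody]) -> List[str]:
    # Left the premises with no recorded approver
    return [c.asset_id for c in register if not c.authorised_by]

AS_OF = date(2025, 6, 15)  # constructed audit date
SAMPLE_REGISTER = [        # constructed sample entries
    Custody("LAP-001", "a.smith", "employee", "it-manager", "home office",
            date(2025, 3, 1), date(2025, 6, 1), date(2025, 5, 20), True),
    Custody("LAP-002", "b.jones", "contractor", "it-manager", "client site",
            date(2025, 4, 10), date(2025, 5, 10)),
    Custody("PHN-007", "c.lee", "employee", "", "field engineer van",
            date(2025, 5, 1), date(2025, 7, 1)),
    Custody("LAP-003", "d.kim", "contractor", "ops-lead", "client site",
            date(2025, 2, 1), date(2025, 4, 1), date(2025, 4, 2), False),
]
```

Each function returns the asset IDs that would be a finding; an empty list for all four, at the audit date, is the evidence of enforcement the auditor is after.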

What Will an Auditor Look For?
When you transition to the 2022 version, the auditor will likely focus on evidence of enforcement. They won’t just look at your policy; they will want to see it in action. Expect questions such as:
- “Show me the log for equipment currently on loan to contractors.”
- “What specific training do your remote workers receive regarding screen privacy in public?”
- “How do you verify that an asset has been returned in a secure state (e.g., wiped of temporary data)?”
- “Can you demonstrate the remote-lock capability for a company-issued mobile device?”
Why the Transition to 7.9 Matters
The update to Annex A 7.9 reflects a world where the office is no longer a “fortress.” In 2013, we protected the building. In 2026, we must protect the asset itself, regardless of its location. By treating the security of off-premises assets as a primary Physical Control, ISO 27001:2022 ensures that your data remains safe in an increasingly mobile and distributed workforce.
As suggested by Hightable.io, the best way to move forward is to refresh your Mobile Device and Off-Site Asset Policy. Ensure it covers the new 2022 nuances like screen privacy and remote management. This simple step doesn’t just pass an audit; it builds a culture of responsibility that protects your organization’s reputation every time an employee opens their laptop outside the office.
