ISO27001:2022 - Annex A 5.11 - What’s changed?

We delve into the new requirements of ISO27001:2022 Annex A 5.11, addressing the return of assets.

Written by: Mia Davis

Threats to your organisation’s privacy and security are continuously on the rise, so it is more vital than ever to ensure your organisation implements measures to combat them. ISO27001 lays out the requirements for implementing an effective information security management system (ISMS) within your organisation, and with the introduction of the 2022 version of the standard these requirements have been recategorised and further clarified. Annex A 5.11 is Return of Assets.

What is returning assets and why is it important?

Return of assets refers to the process of ensuring that assets, such as hardware, software, and information, are returned to your organisation at the end of an employee’s or contractor’s employment. It may sound simple but is critical for the management of your ISMS for a number of reasons.

Employees and contractors are often granted access to sensitive company data, intellectual property, and systems. When they leave the organisation, assets should be retrieved to ensure they do not retain access to any systems or sensitive information. Failing to do so could result in data breaches, unauthorised access, or potential misuse of your organisation's information. This is particularly important for compliance in industries with strict regulatory requirements for data protection, such as healthcare, technology, and finance. One example of this is the NHS DSP Toolkit (Data Security and Protection Toolkit), a self-assessment that must be completed by any organisation that wishes to access NHS data or systems. While its listed evidence items do not explicitly set out what is expected in terms of asset return, the toolkit does require sufficient protections to be put in place to ensure continued data security, and a process ensuring the return of assets is one way in which this can be evidenced.

In terms of risk management, unreturned assets can pose a significant security risk. Former employees or contractors being able to access your network or systems can lead to potential security vulnerabilities or malicious activities. Returning assets can be a crucial part of your risk management process for minimising the likelihood of these occurrences, and ensuring your established access controls are in place and effective.

In addition, returning assets helps you maintain an accurate inventory of assets, which also supports Annex A 5.9. Hardware, software, and other resources can cost your organisation a significant amount, so keeping track of these assets helps you understand your inventory, manage resources efficiently, and reduce unnecessary expenditure on replacements. Returned assets can then be reallocated to new employees or projects, allowing your organisation to make efficient use of what it already owns.

What is Annex A 5.11?

Annex A 5.11 is all about Return of Assets and encompasses the concepts above. This control requires your organisation to implement processes for the return of assets after employees or contractors leave, or when otherwise necessary. This obligation should be documented within processes addressing the return and replacement of assets, specifying exactly which assets must be returned and how they are tracked and accounted for. This ties in nicely with Annex A 5.9, under which your organisation establishes a register of its assets.

The purpose of this is to protect your organisation’s information assets by ensuring that these assets do not remain in the hands of people who are unauthorised to possess them, i.e. ex-employees or contractors. Not only does this help protect against incidents, but can also help you preserve your competitive advantage by keeping such valuable information out of the hands of competitors.

So what’s changed?

ISO27002 is a standard closely aligned to ISO27001, and is essentially guidance on how to effectively implement an ISMS to ISO27001 requirements. We can compare the changes in the ISO27002 guidance for each control to concretely ascertain what has changed in the ISO27001 version of the control. In the 2013 version of the standard, this control maps directly to Annex A 8.1.4, Return of assets.

The requirements have changed very little, save for the way they have been phrased. Outside of this, the control now lists what assets could fall under the category of items to be returned when an employee or contractor has left. For example:

  • User endpoint devices
  • Portable storage devices
  • Specialist equipment
  • Authentication hardware
  • Physical copies of information

How Harpe can help you implement Annex A 5.11

Our security professionals have developed Harpe, a revolutionary tool to cover all your organisation’s security needs. Harpe is the best tool on the market to make compliance with important standards like Cyber Essentials and ISO27001 quick and hassle-free. Harpe features guidance for implementing ISO27001 to the updated 2022 standard with everything you need. Our in-app checklist takes you through every step to implement a robust and secure ISMS within the new requirements.

Our robust asset register has everything you need to stay compliant with all ISO27001 controls, updated to the latest version of the standard. Keep records of where all your assets are so you never lose track.

We guide you through the offboarding process of employees, with the return of assets a listed task so you can take care of this control easily.

With constant updates and fast support, there has never been a better time to chase an ISO27001:2022 certification with Harpe.

Image designed by Freepik
