ISO 27001 A.5.11: Return of assets
What This Control Requires
Personnel and other interested parties as appropriate shall return all the organization's assets in their possession upon change or termination of their employment, contract or agreement.
In Plain Language
When someone leaves your organisation or changes role, you need to get everything back - and you need a process that actually ensures it happens. Laptops, phones, access badges, keys, documentation, and any company data on personal devices all need to be accounted for. Without a proper asset return process, former employees walk away with equipment, retain access to sensitive information, and software licences go unaccounted for. This is one of those controls that sounds simple but causes real pain when it is missing. An auditor sampling your leavers list against your asset inventory will spot gaps immediately. The process also applies to internal role changes, not just departures. Someone moving from finance to marketing may no longer need the assets and access they had before. Your asset inventory from A.5.9 should track what has been issued to whom, and the return process should be tightly integrated with HR offboarding.
How to Implement
Build a formal asset return process into your HR and IT offboarding workflows. Create a standardised checklist of everything that must be returned or revoked, then tailor it for each departing individual based on what they were actually assigned. Cover:

- physical equipment (laptops, phones, tablets, monitors, peripherals)
- access credentials (badges, keys, tokens, smart cards)
- documentation and records (physical and electronic)
- removable media
- software and licences
- company credit cards
- organisational data on personal devices
- cloud service accounts or shared credentials

Link asset return to access revocation. When equipment comes back, access rights should be revoked at the same time. Securely wipe organisational data from returned equipment before reassigning it. For remote workers or contractors in different locations, set up shipping procedures and verify receipt. Include provisions for remote wiping of mobile devices and deactivation of VPN access.

Set clear deadlines for return and make the consequences of non-compliance explicit. Document every return: date, items returned, condition, and signatures from both parties. Track outstanding items and escalate through appropriate channels. Include asset return obligations in employment contracts and NDAs so you have a legal basis for enforcement.

Periodically reconcile your asset inventory against your current personnel list. If former staff still appear as asset holders, you have a process gap to fix.
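The periodic reconciliation described above can be automated. The following is an added example, not part of the original guidance: it compares an asset inventory export against an HR roster export and flags issued assets held by leavers or by people missing from HR data. The CSV column names, the sample rows and the 7-day return deadline are assumptions for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from any real system). Column names are assumptions.
INVENTORY_CSV = """asset_id,asset_type,holder_id,status
LT-0101,laptop,E100,issued
PH-0207,phone,E100,issued
BD-0311,badge,E205,issued
LT-0144,laptop,E205,returned
TK-0420,vpn_token,E317,issued
LT-0188,laptop,E999,issued
"""

HR_CSV = """employee_id,employment_status,end_date
E100,active,
E205,terminated,2024-03-01
E317,terminated,2024-03-25
"""

RETURN_DEADLINE_DAYS = 7  # assumed policy value; set to your own return deadline


def reconcile(inventory_csv, hr_csv, today, deadline_days=RETURN_DEADLINE_DAYS):
    """Return findings for issued assets whose holder is not an active employee."""
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for asset in csv.DictReader(io.StringIO(inventory_csv)):
        if asset["status"] != "issued":
            continue  # already returned, nothing outstanding
        person = roster.get(asset["holder_id"])
        if person is None:
            # Holder missing from HR data: the inventory or the HR record is wrong.
            findings.append((asset["asset_id"], asset["holder_id"], "UNKNOWN_HOLDER", None))
        elif person["employment_status"] == "terminated":
            days = (today - date.fromisoformat(person["end_date"])).days
            state = "OVERDUE_ESCALATE" if days > deadline_days else "PENDING_RETURN"
            findings.append((asset["asset_id"], asset["holder_id"], state, days))
    return findings


if __name__ == "__main__":
    for asset_id, holder, state, days in reconcile(INVENTORY_CSV, HR_CSV, date(2024, 3, 28)):
        print(f"{asset_id:8} holder={holder} {state} days_since_exit={days}")
```

The saved output of each run can serve as the reconciliation record an auditor asks for, and an empty result is the evidence that no former personnel remain listed as asset holders.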
Evidence Your Auditor Will Request
- Asset return checklists completed for recent departures and role changes
- Records confirming return of all assigned assets for each departing individual
- Integration of asset return into HR offboarding workflow documentation
- Employment contract or agreement clauses covering asset return obligations
- Reconciliation records showing no outstanding unreturned assets from former personnel
Common Mistakes
- No formal asset return process integrated into offboarding procedures
- Asset return checklist does not cover all asset types including logical assets
- No reconciliation between the asset inventory and personnel changes
- Remote workers retain equipment for extended periods after departure
- Data on returned equipment is not securely wiped before reassignment
Frequently Asked Questions
What should we do if a departing employee refuses to return assets?
How do we handle BYOD scenarios where company data is on personal devices?