AuditFront

ISO 27001 A.7.9: Security of assets off-premises

What This Control Requires

Off-site assets shall be protected.

In Plain Language

A laptop left on the back seat of a car, a USB drive in a coat pocket at a conference, a stack of client files in a home office with no lock on the door - the moment assets leave your premises, you lose most of the physical controls you have worked so hard to set up. This control is about making sure those assets are still protected.

Off-premises assets face theft, loss, damage during transport, harsh environmental conditions, and the risk of someone reading your screen on a train. The protections you put in place need to address all of these, and they need to be proportionate to the value and sensitivity of the information involved.

With hybrid and remote working now standard, this control has become significantly more important. Auditors will want to see that you have clear rules covering how assets are transported, stored at off-site locations, and used in public spaces - and that those rules are actually followed.

How to Implement

Write a policy for protecting off-premises assets. Cover every type of asset that leaves the building and define what protection each one needs.

For laptops and mobile devices: require full-disk encryption on every portable device, and require a pre-boot PIN or passphrase where the platform supports it (TPM-only unlock with no PIN releases the disk key before anyone has authenticated, so the protection then rests entirely on the OS lock screen); deploy MDM with remote wipe capability; enforce strong authentication (PIN, password, biometric); install endpoint protection that works offline; insist that devices are kept with the person or in locked storage when not in use; ban leaving devices in vehicles (visible or hidden - car boots are not secure); provide cable locks for hotel rooms and temporary locations; and disable Bluetooth and Wi-Fi auto-connect.

For portable storage media: encrypt all removable media containing organisational data, label media with an emergency contact number (without revealing what is on it), transport in locked containers, use tamper-evident packaging for shipments, log what goes off-site and when, and seriously consider banning removable media altogether in favour of encrypted cloud sharing.

For paper documents: transport sensitive papers in sealed envelopes or locked bags, do not read confidential documents on public transport, store them in locked storage at the off-site location, return or securely destroy them when they are no longer needed, and push digital alternatives wherever possible to reduce the need for physical documents in the first place.

For equipment in transit between locations: use proper packaging to prevent damage, maintain chain of custody records, use tracked shipping for valuable items, verify everything is intact on receipt, and plan secure shipping routes.

Set up a clear process for lost or stolen assets. Staff must report losses immediately through a defined channel. The response should include remote wipe, assessment of what data was exposed, notification of affected parties if sensitive data may be compromised, and asset replacement. Keep a register of assets taken off-premises so you know what is out there at any given time.
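
As an added example (not part of the AuditFront page or its product), the script below produces the kind of encryption configuration record an auditor asks for, for a Linux laptop: it parses the JSON tree from `lsblk -J -o NAME,TYPE,MOUNTPOINT` and decides whether the root filesystem, plus /home and /var if they are separate, sits on a dm-crypt (LUKS) device somewhere in the block-device stack. The two lsblk trees embedded in the script are constructed samples rather than captures from real hosts, and the asset tag LT-0001 and the record layout are assumptions for illustration.

```python
"""Evidence helper: is a Linux laptop's data on a dm-crypt (LUKS) device?

Walks the JSON tree from `lsblk -J -o NAME,TYPE,MOUNTPOINT` and, for each
mountpoint of interest, records whether a device of type "crypt" sits between
the disk and the filesystem. The result is shaped as one record for the
off-premises asset register (record layout is an assumption, not a standard).
"""
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample (not from a real host): LUKS container holding LVM volumes
# for / and /home. /boot and the ESP are plaintext, which is the normal layout
# and acceptable because they hold no organisational data.
SAMPLE_ENCRYPTED = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
      {"name": "luks-1234", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"}
      ]}
    ]}
  ]}
]}
""")

# Constructed sample of a non-compliant build: LVM directly on the partition,
# no crypt layer anywhere in the stack.
SAMPLE_PLAINTEXT = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "vg0-root", "type": "lvm", "mountpoint": "/"}
    ]}
  ]}
]}
""")


def _paths(nodes, ancestors=()):
    """Yield (ancestor..., node) tuples for every device in the lsblk tree."""
    for node in nodes:
        path = ancestors + (node,)
        yield path
        yield from _paths(node.get("children", []), path)


def check_fde(tree, required=("/",), also=("/home", "/var")):
    """Per-mountpoint findings plus an overall compliant flag.

    A mountpoint counts as encrypted only if a "crypt" device is somewhere
    above it in the stack; lvm straight on a partition does not count.
    Mountpoints in `required` must exist; those in `also` are checked if present.
    """
    findings = {}
    for path in _paths(tree["blockdevices"]):
        mp = path[-1].get("mountpoint")
        if mp in required or mp in also:
            crypt = [n["name"] for n in path if n.get("type") == "crypt"]
            findings[mp] = {
                "device": path[-1]["name"],
                "encrypted": bool(crypt),
                "crypt_device": crypt[0] if crypt else None,
            }
    missing = [mp for mp in required if mp not in findings]
    compliant = not missing and all(f["encrypted"] for f in findings.values())
    return {"compliant": compliant, "missing": missing, "mountpoints": findings}


def evidence_record(asset_tag, hostname, tree):
    """Shape the check result as one register entry (layout is an assumption)."""
    result = check_fde(tree)
    unencrypted = sorted(mp for mp, f in result["mountpoints"].items()
                         if not f["encrypted"])
    return {
        "asset_tag": asset_tag,
        "hostname": hostname,
        "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "fde_compliant": result["compliant"],
        "unencrypted_mountpoints": unencrypted + result["missing"],
    }


def live_tree():
    """Read this host's real block-device tree (Linux; -J needs util-linux >= 2.27)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    import socket
    import sys
    tree = live_tree() if "--live" in sys.argv[1:] else SAMPLE_ENCRYPTED
    # "LT-0001" is a hypothetical asset tag for the demonstration.
    print(json.dumps(evidence_record("LT-0001", socket.gethostname(), tree), indent=2))
```

Run it with `--live` on the laptop itself to check the real stack; without the flag it evaluates the constructed sample. One caveat for anyone turning this into evidence: a `crypt` layer proves the data is encrypted at rest, not that the key is protected by a passphrase. A LUKS volume that is auto-unlocked from a keyfile on the plaintext /boot partition passes this check and still hands the data to whoever has the machine, so pair the check with a policy on how the volume is unlocked, and use MDM or configuration management to enforce rather than merely report.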

Evidence Your Auditor Will Request

  • Policy for protection of off-premises assets
  • Encryption configuration records for portable devices
  • MDM deployment records showing remote wipe capability
  • Register of assets taken off-premises
  • Records of lost or stolen asset reports and response actions

Common Mistakes

  • Portable devices are not encrypted, increasing the risk from theft or loss
  • No remote wipe capability for devices taken off-premises
  • No policy governing how off-premises assets should be protected
  • Personnel leave devices unattended in vehicles, hotel rooms, or public places
  • Lost devices are not reported promptly, delaying incident response

Related Controls Across Frameworks

Framework   Control ID   Relationship
SOC 2       CC6.4        Partial overlap
SOC 2       CC6.7        Partial overlap
GDPR        Art. 32      Related

Frequently Asked Questions

What should an employee do if their laptop is stolen?
Report it immediately - to the IT security team and to local police. Speed matters here. IT should trigger a remote wipe, revoke device certificates and access tokens, assess what data was on the device and what systems it could reach, force password resets on all the user's accounts, and determine whether breach notification is required. If the disk was encrypted with a strong passphrase and the device was powered off or sitting at the pre-boot prompt when it was taken, the data exposure risk drops dramatically, which is exactly why full-disk encryption is non-negotiable for portable devices. A device stolen while asleep with the volume unlocked and a session still active does not get that benefit, which is why lock-screen timeouts, sleep-to-hibernate settings and remote wipe matter alongside encryption.
Should we allow organisational data on personal devices taken off-premises?
If you allow BYOD, you need proper controls: containerisation to keep organisational data separate, MDM on the work partition, mandatory encryption, remote wipe that only touches organisational data, and minimum security baselines for the device itself. Even with all of that, many organisations draw the line at highly sensitive data - client financials or personal data should not be on someone's personal iPad regardless of the controls in place. Make a clear decision based on your data classification and document it.

Track ISO 27001 compliance in one place

AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.
