ISO 27001: 2022 A.5.11 Return of assets

This article provides additional information on how you can meet the requirement of ISO 27001: 2022 A.5.11 Return of assets.

ISO 27001: 2022 Control Description

Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.

Purpose

The change or termination process should be formalised to include the return of all previously issued physical and electronic assets owned by or entrusted to the organisation.

Guidance on implementation

In cases where personnel and other interested parties purchase the organisation’s equipment or use their own personal equipment, procedures should be followed to ensure that all relevant information is traced and transferred to the organisation and securely deleted from the equipment.

In cases where personnel and other interested parties have knowledge that is important to ongoing operations, that information should be documented and transferred to the organisation.

During the notice period and thereafter, the organisation should prevent unauthorised copying of relevant information (e.g. intellectual property) by personnel under notice of termination.

The organisation should clearly identify and document all information and other associated assets to be returned which can include:
a) user endpoint devices;
b) portable storage devices;
c) specialist equipment;
d) authentication hardware (e.g. mechanical keys, physical tokens and smartcards) for information systems, sites and physical archives;
e) physical copies of information.
It can be difficult to return information held on assets which are not owned by the organisation. In such cases, it is necessary to restrict the use of information using other information security
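The guidance above asks the organisation to identify and document every asset a leaver must return, and to handle personally owned equipment differently (data transferred and securely deleted rather than the device returned). The following is an added example, not part of this article or of the ISO standard, showing how a small asset register can be turned into a per-leaver return checklist and then reconciled against what actually came back. The register entries, asset ids and user names are constructed for illustration; the category keys mirror items a) to e) of the control.

```python
from collections import defaultdict
from dataclasses import dataclass

# Asset categories mirroring the control's list a) to e)
CATEGORIES = {
    "endpoint": "user endpoint devices",
    "storage": "portable storage devices",
    "specialist": "specialist equipment",
    "auth_hw": "authentication hardware (keys, tokens, smartcards)",
    "physical_copy": "physical copies of information",
}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    category: str
    description: str
    holder: str            # person or third party the asset was issued to
    org_owned: bool = True  # False for personal (BYOD) equipment holding org data


# Constructed sample register (hypothetical ids and holders, not real data)
REGISTER = [
    Asset("LT-0042", "endpoint", "Laptop", "j.doe"),
    Asset("USB-017", "storage", "Encrypted USB drive", "j.doe"),
    Asset("TOK-311", "auth_hw", "Hardware OTP token", "j.doe"),
    Asset("KEY-07", "auth_hw", "Server room key", "j.doe"),
    Asset("DOC-889", "physical_copy", "Printed DR plan", "j.doe"),
    Asset("BYOD-j.doe-phone", "endpoint", "Personal phone with mail profile",
          "j.doe", org_owned=False),
    Asset("LT-0099", "endpoint", "Laptop", "a.smith"),
]


def build_return_checklist(register, holder):
    """Group the leaver's assets into those to be returned (by category)
    and personal devices that cannot be returned and must instead have
    organisational data transferred and securely wiped."""
    checklist = {"return": defaultdict(list), "wipe": []}
    for asset in register:
        if asset.holder != holder:
            continue
        if asset.org_owned:
            checklist["return"][asset.category].append(asset)
        else:
            checklist["wipe"].append(asset)
    return checklist


def reconcile(register, holder, returned_ids, wiped_ids):
    """Compare what was issued against what came back.

    Returns a 3-tuple of sorted id lists:
      (outstanding returns, personal devices not yet wiped,
       returned ids that were never issued to this holder)
    """
    checklist = build_return_checklist(register, holder)
    expected = {a.asset_id for items in checklist["return"].values() for a in items}
    byod = {a.asset_id for a in checklist["wipe"]}
    returned, wiped = set(returned_ids), set(wiped_ids)
    outstanding_returns = sorted(expected - returned)
    outstanding_wipes = sorted(byod - wiped)
    unknown = sorted(returned - expected)  # signals a register error
    return outstanding_returns, outstanding_wipes, unknown


def offboarding_complete(register, holder, returned_ids, wiped_ids):
    """True only when every issued asset is back and every personal
    device has been wiped; the leaver's access should not be closed
    out as 'complete' before this holds."""
    outstanding, unwiped, _unknown = reconcile(register, holder, returned_ids, wiped_ids)
    return not outstanding and not unwiped


if __name__ == "__main__":
    checklist = build_return_checklist(REGISTER, "j.doe")
    for category, items in checklist["return"].items():
        print(f"{CATEGORIES[category]}:")
        for a in items:
            print(f"  [ ] {a.asset_id}  {a.description}")
    for a in checklist["wipe"]:
        print(f"  [ ] transfer data and securely wipe {a.asset_id} ({a.description})")
    # Constructed partial return: laptop, USB drive and token handed in, nothing wiped yet
    print(reconcile(REGISTER, "j.doe", {"LT-0042", "USB-017", "TOK-311"}, set()))
```

Running the block prints a checklist for the constructed leaver and then the reconciliation result: the mechanical key and the printed DR plan are still outstanding, and the personal phone still holds organisational data. Keeping the mechanical key and smartcard entries in the same register as laptops is deliberate; authentication hardware is easy to forget at offboarding but is exactly what grants physical or system access after the person has left.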