This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.7.9 Security of assets off-premises.
ISO 27001: 2022 Control Description
Off-site assets shall be protected.
Purpose
To prevent the loss, damage, theft, or compromise of off-site devices and to avoid interruptions to the organisation’s operations.
Guidance on implementation
Any device used outside the organisation’s premises that stores or processes information (e.g. mobile devices), including devices owned by the organisation and privately-owned devices used on behalf of the organisation aka bring your own device (BYOD), requires protection. The use of these devices should be authorised by management.
The following guidelines should be considered for the protection of devices that store or process information outside the organisation’s premises:
a) Avoid leaving equipment and storage media taken off-premises unattended in public or unsecured places;
b) Always adhere to manufacturers’ instructions for protecting equipment (e.g. protection against exposure to strong electromagnetic fields, water, heat, humidity, dust);
c) When off-premises equipment is transferred between individuals or interested parties, maintain a log that defines the chain of custody for the equipment, including at least the names and organisations of those responsible for it. Any information that does not need to be transferred with the asset should be securely deleted before the transfer;
d) Where necessary and practical, require authorisation for equipment and media to be removed from the organisation’s premises, and keep a record of such removals to maintain an audit trail;
e) Protect against the risk of viewing information on a device (e.g. mobile or laptop) in public places, such as on public transport, and the risks associated with shoulder surfing;
f) Implement location tracking and the capability for remote wiping of devices.
Permanent installation of equipment outside the organisation’s premises (e.g. antennas and ATMs) may be subject to higher risks of damage, theft, or eavesdropping. These risks can vary significantly between locations and should be considered when determining the most appropriate measures. The following guidelines should be considered when siting such equipment outside the organisation’s premises:
a) Physical security monitoring;
b) Protection against physical and environmental threats;
c) Physical access and tamper-proof controls;
d) Logical access controls.