ISO27001 – Control 5.11 – Return of Assets
Control
Personnel and other interested parties as appropriate should return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.
What this means
When a member of staff, contractor or supplier reaches the end of their employment or contract period, there should be a process in place to ensure that all the organisation’s assets are returned. This includes devices such as laptops and mobile phones as well as business paperwork (held physically or electronically).
Stating the obvious here, but to be able to ensure the return of assets on the cessation of employment or at the end of the contract, you need to know what assets have been issued to each individual. This ties in with Control 5.9, inventory of information and other associated assets.
The control requires that the organization should clearly identify and document all information and associated assets to be returned, including:
a) User endpoint devices
b) Portable storage devices
c) Specialist equipment
d) Authentication hardware (e.g., keys, tokens, smartcards) for information systems, sites, and physical archives
e) Physical copies of information.
Additionally, if personnel or other parties possess knowledge crucial to ongoing operations, that information should be documented and transferred to the organization prior to the cessation of services. Effectively, you need to have a handover process in place for key roles to ensure continuity of service and operations in the key personnel’s absence.
Where personnel have purchased the organisation’s equipment or used personal equipment, there should be procedures in place to ensure that the equipment is appropriately cleaned and all business information deleted prior to handover of the equipment (see Control 7.14).
During the notice period and thereafter, the organization should prevent unauthorized copying of relevant information (e.g., intellectual property) by terminated personnel.