Annex A · Organisational Control

A.5.11 — Return of Assets

Updated on: (date not shown) · 4 min read · Reviewed by: Cenedril Editorial
Tags: A.5.11 · ISO 27001 · ISO 27002 · BSI ORP.2

An employee leaves the company. Three months later, IT discovers that the former employee’s laptop was never returned, a security token is still active and a shared folder password was never changed. The employee had been the sole administrator of a critical system — and nobody documented how it works. A.5.11 exists to prevent exactly this chain of oversights by requiring a structured asset return process.

Asset return is where HR, IT and information security intersect. A well-executed offboarding process protects the organisation’s information, preserves institutional knowledge and ensures that no equipment or access rights remain unaccounted for.

What does the standard require?

  • Return all organisational assets. Personnel and external parties must return all organisational assets in their possession when their employment, contract or agreement is terminated or changed.
  • Cover all asset types. The return process applies to physical assets (equipment, keys, badges), digital assets (software, data, credentials) and intangible assets (knowledge, process documentation).
  • Handle personal devices. Where personnel have used personal devices for organisational purposes, the organisation’s information must be securely transferred and then deleted from those devices.
  • Document the return. The organisation must record which assets were returned, when and by whom. Any outstanding items must be tracked and escalated.
  • Transfer critical knowledge. Departing personnel must hand over essential knowledge — system configurations, undocumented procedures, passwords — before their departure.

In practice

Create a standardised offboarding checklist. The checklist should cover: hardware return, access card and key return, software licence reassignment, data backup and handover, knowledge transfer sessions, shared credential rotation, and deletion of organisational data from personal devices.

Start early. Initiate the offboarding process as soon as the departure is confirmed. Schedule knowledge transfer sessions in the first week of the notice period, not the last day. Critical system documentation should be created before departure, with enough time for review.

Coordinate across departments. Asset return involves HR (employment records, notice period), IT (equipment, access revocation), facilities (keys, parking), the line manager (knowledge transfer, work handover) and information security (credential rotation, data handling). A central coordination point — typically HR — ensures nothing falls through the cracks.

Handle contractors and external parties. The return process applies equally to contractors, consultants and temporary staff. Include asset return clauses in contracts and ensure that the offboarding process is triggered automatically when a contract ends.

Typical audit evidence

Auditors typically expect the following evidence for A.5.11:

  • Offboarding checklist template — showing the standardised process for asset return
  • Completed offboarding records — signed checklists for departed employees confirming all assets were returned
  • Asset inventory updates — showing that assets were reassigned or decommissioned after return
  • Knowledge transfer records — documentation of handover sessions and critical information transfer
  • Outstanding item tracking — evidence that unreturned assets were followed up and resolved

KPI

% of departing employees whose assets were fully returned and documented

This KPI measures the completeness of the offboarding process. Target: 100%. Track both the total number of departures in the period and the number with fully completed asset return documentation. Any gap represents potential data leakage or unaccounted equipment.

Supplementary KPIs:

  • Average time between departure date and completion of all asset returns
  • Number of assets reported as unreturned or lost per quarter
  • Percentage of departures with documented knowledge transfer
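The primary and supplementary KPIs above can be computed directly from offboarding records. The following Python is an added example written for this page, not Cenedril's or the standard's own tooling; the record structure (`Departure`, `AssetReturn`), the status values and the sample entries are constructed assumptions. It also produces the escalation list of outstanding or undocumented items that the "Outstanding item tracking" evidence refers to, and it treats a period with no departures as an undefined KPI rather than dividing by zero.

```python
"""Offboarding KPI calculator for A.5.11 (added example; record layout and data assumed)."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class AssetReturn:
    asset_id: str
    status: str                       # assumed values: "returned", "outstanding", "lost"
    returned_on: Optional[date] = None
    documented: bool = False          # return recorded on the signed checklist


@dataclass
class Departure:
    person: str
    departure_date: date
    assets: list = field(default_factory=list)
    knowledge_transfer_documented: bool = False

    def fully_returned(self) -> bool:
        """True only if every asset is back, dated and recorded on the checklist."""
        return all(a.status == "returned" and a.returned_on is not None and a.documented
                   for a in self.assets)

    def completion_date(self) -> Optional[date]:
        """Date the last asset came back; None while anything is still open."""
        if not self.fully_returned():
            return None
        if not self.assets:
            return self.departure_date          # nothing to return: complete on departure
        return max(a.returned_on for a in self.assets)


def quarter_label(d: date) -> str:
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def kpi_full_return_pct(departures) -> Optional[float]:
    """Primary KPI: % of departures with all assets returned and documented."""
    if not departures:
        return None                             # no departures: KPI undefined, not 0 or 100
    done = sum(1 for d in departures if d.fully_returned())
    return 100.0 * done / len(departures)


def kpi_avg_days_to_completion(departures) -> Optional[float]:
    """Average days from departure date to completion; early returns count as 0 days."""
    days = [max(0, (d.completion_date() - d.departure_date).days)
            for d in departures if d.completion_date() is not None]
    return sum(days) / len(days) if days else None


def kpi_unreturned_per_quarter(departures) -> dict:
    """Assets still outstanding or reported lost, keyed by the quarter of departure."""
    counts = Counter()
    for d in departures:
        for a in d.assets:
            if a.status in ("outstanding", "lost"):
                counts[quarter_label(d.departure_date)] += 1
    return dict(counts)


def kpi_knowledge_transfer_pct(departures) -> Optional[float]:
    """Share of departures with a documented knowledge transfer."""
    if not departures:
        return None
    done = sum(1 for d in departures if d.knowledge_transfer_documented)
    return 100.0 * done / len(departures)


def outstanding_items(departures) -> list:
    """Escalation list: assets not back, or back but not documented on the checklist."""
    items = []
    for d in departures:
        for a in d.assets:
            if a.status != "returned":
                items.append((d.person, a.asset_id, a.status))
            elif not a.documented:
                items.append((d.person, a.asset_id, "undocumented"))
    return items


# Constructed sample records (not real people, dates or asset ids).
SAMPLE = [
    Departure("Alice", date(2024, 3, 29), [
        AssetReturn("laptop-0101", "returned", date(2024, 3, 29), True),
        AssetReturn("badge-0101", "returned", date(2024, 3, 29), True),
    ], knowledge_transfer_documented=True),
    Departure("Bob", date(2024, 4, 12), [
        AssetReturn("laptop-0202", "returned", date(2024, 4, 19), True),
        AssetReturn("token-0202", "outstanding"),
    ]),
    Departure("Carol", date(2024, 5, 3), [
        AssetReturn("phone-0303", "returned", date(2024, 5, 10), True),
        AssetReturn("laptop-0303", "returned", date(2024, 5, 17), True),
    ], knowledge_transfer_documented=True),
    Departure("Dan", date(2024, 6, 28), [
        AssetReturn("laptop-0404", "returned", date(2024, 6, 28), False),  # undocumented
        AssetReturn("key-0404", "lost"),
    ], knowledge_transfer_documented=True),
]

if __name__ == "__main__":
    print("full return %:", kpi_full_return_pct(SAMPLE))
    print("avg days to completion:", kpi_avg_days_to_completion(SAMPLE))
    print("unreturned per quarter:", kpi_unreturned_per_quarter(SAMPLE))
    print("knowledge transfer %:", kpi_knowledge_transfer_pct(SAMPLE))
    print("outstanding:", outstanding_items(SAMPLE))
```

Note the design choice in `fully_returned`: a laptop that is physically back but missing from the signed checklist (Dan's case in the sample) still counts against the primary KPI, because the control requires the return to be documented, not merely to have happened.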

BSI IT-Grundschutz

A.5.11 maps to the following BSI requirements:

  • ORP.2.A2 (Regulations for departure of employees) — requires a formal process for handling employee departures, including return of all organisational property and revocation of access rights.
  • ORP.4.A2 (Revocation of access rights) — mandates timely removal of all access rights when personnel leave or change roles.
  • ORP.2.A4 (Regulations for use of external personnel) — extends the same return and revocation requirements to external staff.

A.5.11 protects the organisation during personnel transitions.


Frequently asked questions

Which assets must be returned?

All organisational assets: laptops, mobile phones, access tokens, security badges, keys, documents, software licences and any removable media. If the person used personal devices for work (BYOD), organisational data must be securely transferred and then deleted from those devices.

What about knowledge transfer?

ISO 27002 explicitly mentions the transfer of knowledge as part of the return process. Departing employees who hold critical knowledge (system configurations, passwords, process expertise) must hand this information over in a documented way before their last day.

When should the asset return process start?

As soon as the departure or role change is confirmed. Do not wait until the last day. A structured offboarding process with milestones (e.g. knowledge transfer two weeks before, physical asset return on the last day, access revocation on departure) prevents gaps.