Annex A · Physical Control

A.7.9 — Security of Assets Off-Premises

5 min read · Reviewed by: Cenedril Editorial
Tags: A.7.9 · ISO 27001 · ISO 27002 · BSI OPS.1.2.4 · BSI INF.8 · BSI INF.9 · BSI CON.7

A sales representative leaves their laptop in a rental car overnight. The car is broken into and the laptop is stolen. The disk was not encrypted. The device held a complete customer database, pricing sheets, three months of email and saved VPN credentials, so the thief gets not only the data but also a working path into the network. The resulting data breach affects 12,000 customer records. A.7.9 requires that assets used off-premises are protected as carefully as equipment on site, and that the most likely loss scenario, theft, is addressed: in practice that means full-disk encryption, so that a stolen device yields hardware but no data.

The control requires organizations to prevent loss, damage, theft or compromise of devices and information that are used outside the organization’s premises.

What does the standard require?

The core requirements address five areas:

  • Management authorization. Taking organizational assets off-premises must be authorized. This includes company-owned devices and personal devices used for work (BYOD).
  • Physical protection. Devices must be physically protected when off-site: never left unattended in public places, kept in secure locations (a hotel safe; a locked, out-of-sight car trunk only for short periods, never overnight) and protected from environmental hazards such as heat, moisture and impact.
  • Encryption and data minimization. Off-premises devices must use full-disk encryption (the technical detail belongs to A.8.1 User endpoint devices and A.8.24 Use of cryptography). Sensitive data that is not needed for the off-site activity should be removed from the device or never synchronized to it in the first place.
  • Remote wipe and tracking. Where feasible, enable remote-wipe capability and location tracking so that a loss or theft can be answered with a wipe rather than only a report. Remote wipe is a complement to encryption, not a substitute: it only works once the device reconnects.
  • Chain of custody. When devices are transferred between people (e.g. loaner laptops, equipment sent for repair), maintain a documented chain of custody.

In practice

Enforce encryption on all portable devices. Use BitLocker (Windows), FileVault (macOS) or an equivalent full-disk encryption mechanism, and escrow the recovery keys (BitLocker recovery passwords, FileVault personal recovery keys) in your MDM or directory so that a locked device can still be recovered by the organization. Verify encryption status through your MDM or endpoint-management platform rather than by asking users, and block non-encrypted or non-reporting devices from accessing organizational resources through a compliance policy. Keep in mind that full-disk encryption protects data at rest only: a laptop that is merely asleep keeps the volume key in memory, so require authentication on wake and prefer shutdown or hibernation when devices are transported.

Issue an off-premises usage policy. Cover: authorization requirements, physical-security expectations (never leave devices unattended, use hotel safes, avoid displaying sensitive data in public), rules for public Wi-Fi (mandatory VPN), reporting obligations for loss or theft and consequences for non-compliance.

Enable remote wipe. Configure all mobile devices and laptops for remote wipe through your MDM solution and test the capability periodically on a real device, not just in the console. Define the trigger criteria in advance: who may order a wipe, on what evidence (confirmed theft, device unreachable for a set time, user report) and whether the wipe is full or selective (corporate data only, the usual choice for BYOD). Remember that a wipe command is only executed when the device next comes online; a thief who keeps it offline never receives it, which is why encryption remains the primary safeguard.

Minimize data on portable devices. Where possible, use thin-client or virtual-desktop approaches so that data stays in the data center. If data must be local, synchronize only what is needed for the current assignment.

Handle device transfers formally. When a device changes hands — new user, repair, disposal — document the transfer: who, when, what state (encrypted, wiped, intact). This chain-of-custody log is essential for accountability.

Typical audit evidence

Auditors typically expect the following evidence for A.7.9:

  • Off-premises usage policy — the approved policy document (see the Physical Security Policy in the Starter Kit)
  • Encryption compliance report — MDM/endpoint report showing encryption status of all portable devices
  • Remote-wipe configuration — evidence that remote-wipe is enabled and tested
  • Asset register — inventory of portable devices with assigned users and off-premises authorization
  • Chain-of-custody logs — records of device transfers
  • Incident reports — documentation of lost/stolen device cases and response actions

KPI

% of off-premises assets with applied security controls and tracking

Measured as a percentage: how many of your portable devices used off-premises have (1) full-disk encryption, (2) remote-wipe capability and (3) an assigned owner in the asset register? Target: 100%. Common starting points are 70–85%, with gaps typically in BYOD devices and legacy hardware.

Supplementary KPIs:

  • Number of lost/stolen devices reported per quarter
  • Average time from loss report to remote-wipe execution
  • % of portable devices with verified encryption
  • Number of off-premises policy violations reported
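As an added example (not from the original page or from Cenedril), the following Python script computes the primary KPI and two of the supplementary KPIs from an asset register, an MDM export and a loss/theft incident log. All asset IDs, user names, timestamps and field names are constructed sample data. The 30-day check-in threshold is an assumption; the point it encodes is that a device which has not reported to the MDM recently has an unverified encryption and wipe status and should not be counted as compliant, and that a device in the register but absent from the MDM is a gap, not an unknown.

```python
"""A.7.9 KPI calculation over constructed sample data (example code, not from the page)."""
from datetime import datetime, timedelta

# Assumed threshold: an MDM report older than this counts as unverified.
MAX_CHECKIN_AGE = timedelta(days=30)

# Constructed asset register: portable devices used off-premises.
ASSET_REGISTER = [
    {"asset_id": "LT-001", "owner": "a.meier",  "byod": False},
    {"asset_id": "LT-002", "owner": "b.schulz", "byod": False},
    {"asset_id": "LT-003", "owner": "",         "byod": False},   # no assigned owner
    {"asset_id": "MB-010", "owner": "c.weber",  "byod": True},    # personal device
    {"asset_id": "LT-004", "owner": "d.koch",   "byod": False},   # never enrolled in MDM
]

# Constructed MDM/endpoint-management export (one row per enrolled device).
MDM_EXPORT = [
    {"asset_id": "LT-001", "encrypted": True,  "remote_wipe": True, "last_checkin": "2024-05-01T08:00:00"},
    {"asset_id": "LT-002", "encrypted": True,  "remote_wipe": True, "last_checkin": "2024-01-15T09:30:00"},  # stale
    {"asset_id": "LT-003", "encrypted": True,  "remote_wipe": True, "last_checkin": "2024-05-02T10:00:00"},
    {"asset_id": "MB-010", "encrypted": False, "remote_wipe": True, "last_checkin": "2024-05-02T11:00:00"},
]

# Constructed loss/theft incident log; "wiped" is None while the device has not come online.
INCIDENTS = [
    {"asset_id": "LT-009", "reported": "2024-03-03T18:20:00", "wiped": "2024-03-03T19:05:00"},
    {"asset_id": "LT-011", "reported": "2024-04-10T07:00:00", "wiped": "2024-04-10T09:15:00"},
    {"asset_id": "MB-007", "reported": "2024-04-22T12:00:00", "wiped": None},
]

AS_OF = datetime.fromisoformat("2024-05-03T00:00:00")  # reporting date for the sample


def evaluate_device(asset, mdm_by_id, as_of=AS_OF):
    """Return the three KPI criteria for one asset as booleans.

    Encryption and remote wipe are only credited when the MDM record exists
    and is fresh; a missing or stale record means the status is unverified.
    """
    rec = mdm_by_id.get(asset["asset_id"])
    fresh = rec is not None and as_of - datetime.fromisoformat(rec["last_checkin"]) <= MAX_CHECKIN_AGE
    return {
        "encrypted": bool(fresh and rec["encrypted"]),
        "remote_wipe": bool(fresh and rec["remote_wipe"]),
        "owner": bool(asset["owner"].strip()),
    }


def kpi_report(assets=ASSET_REGISTER, mdm=MDM_EXPORT, as_of=AS_OF):
    """Primary KPI (% fully compliant), % with verified encryption, and a per-device gap list."""
    mdm_by_id = {r["asset_id"]: r for r in mdm}
    byod = {a["asset_id"]: a["byod"] for a in assets}
    results = {a["asset_id"]: evaluate_device(a, mdm_by_id, as_of) for a in assets}
    gaps = {aid: [k for k, ok in c.items() if not ok] for aid, c in results.items() if not all(c.values())}
    n = len(assets)
    return {
        "total": n,
        "compliant_pct": round(100 * (n - len(gaps)) / n, 1),
        "encrypted_pct": round(100 * sum(c["encrypted"] for c in results.values()) / n, 1),
        "gaps": gaps,
        "byod_gaps": sorted(aid for aid in gaps if byod[aid]),
    }


def mean_time_to_wipe(incidents=INCIDENTS):
    """Average hours from loss report to wipe execution; never-wiped devices are listed separately."""
    hours, never_wiped = [], []
    for inc in incidents:
        if inc["wiped"] is None:
            never_wiped.append(inc["asset_id"])
            continue
        delta = datetime.fromisoformat(inc["wiped"]) - datetime.fromisoformat(inc["reported"])
        hours.append(delta.total_seconds() / 3600)
    avg = round(sum(hours) / len(hours), 2) if hours else None
    return {"avg_hours": avg, "never_wiped": never_wiped}


if __name__ == "__main__":
    report = kpi_report()
    print(f"Compliant: {report['compliant_pct']}% of {report['total']} devices")
    print(f"Verified encryption: {report['encrypted_pct']}%")
    for aid, missing in report["gaps"].items():
        print(f"  gap {aid}: {', '.join(missing)}")
    print("BYOD gaps:", report["byod_gaps"])
    print("Time to wipe:", mean_time_to_wipe())
```

On the sample data only one of five devices is fully compliant, and the gap list separates the three causes the KPI hides when reported as a single percentage: a stale or missing MDM record, a device that really is unencrypted, and a register entry without an owner. The never-wiped incident is reported alongside the average rather than folded into it, because a device that never reconnected is exactly the case where the time-to-wipe metric is meaningless and the encryption status decides the outcome.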

BSI IT-Grundschutz

A.7.9 maps to BSI modules covering mobile and off-site usage:

  • OPS.1.2.4 (Telecommuting) — security requirements for devices used in remote-working scenarios.
  • INF.8 (Home workplace) — physical security for devices at a home office.
  • INF.9 (Mobile workplace) — security for devices used at ad-hoc locations.
  • CON.7 (Information security on business trips) — specific guidance for devices during travel: border-crossing risks, hotel security, public-transport precautions.
  • SYS.3.1 (Laptops) — technical security requirements for laptops: encryption, access control, secure configuration.

A.7.9 extends on-premises physical security to the mobile world. Related ISO 27001 controls: A.6.7 (Remote working), A.8.1 (User endpoint devices) and A.5.14 (Information transfer).

Frequently asked questions

What counts as off-premises?

Anywhere outside the organization's controlled facilities: home offices, client sites, hotels, airports, trains, co-working spaces. Even a car parked outside the office is 'off-premises' if a laptop is inside.

Does this control apply to BYOD devices?

Yes. If a personal device is used for work purposes and accesses organizational information, it falls within the scope of A.7.9. Your off-premises security policy should address BYOD devices specifically.

What if an off-premises device is lost or stolen?

Your incident-response procedure should include steps for lost or stolen devices: issue a remote wipe (if supported), revoke VPN and single-sign-on sessions and rotate any credentials stored on the device, reset the user's passwords, assess which data was on the device and whether a breach notification is required, and notify the information security officer (ISB). Full-disk encryption is the most important preventive measure: without it, every file on the device is exposed to whoever has it, and the incident becomes a data breach rather than a hardware loss.