Security of Off-Site Assets
Ensure assets used outside the office are protected from theft or loss.
Plain language
This control is about making sure that any company devices used outside the work premises, like laptops or phones, are protected from being lost, stolen, or damaged. It matters because if these devices are not secure, sensitive company information could fall into the wrong hands or be lost, which could lead to financial loss or damage to the company's reputation.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Physical controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Off-site assets shall be protected.
Why it matters
Lost or stolen off-site assets can lead to significant data breaches, risking sensitive data exposure and financial loss.
Operational notes
Regularly verify that off-site devices have encryption, remote wipe and tracking enabled and up to date, so that a stolen or lost device does not expose data and can be located or wiped.
Implementation tips
- The IT manager should develop a policy stating how company devices should be used and secured when taken off-premises. This includes not leaving devices unattended in public places and ensuring secure passwords are in use. They should communicate these guidelines clearly to all staff.
- HR should organise regular training sessions for employees on how to keep their devices safe outside the office. This can include practical tips such as being aware of surroundings to avoid 'shoulder surfing' and the risks of logging into public Wi-Fi networks.
- The procurement team should ensure all portable devices support remote wiping and tracking, and that these features are enabled before issue. This can be achieved by coordinating with the IT manager to check specifications before purchasing new devices.
- Device owners should follow manufacturer guidelines for physical protection of equipment. This includes using protective cases and screens, storing devices away from water or excessive heat, and contacting IT if unsure how to protect their device.
- Management should require employees to log and get approval before taking devices outside the office. A simple form can be used to track who takes what device where, ensuring there is an accountable trail if a device goes missing.
Audit / evidence tips
- Ask: the organisation's policy on the use and security of off-site devices. Good: a comprehensive policy that aligns with ISO 27002:2022 guidelines.
- Ask: to see training records for employees on device security. Good: regular, updated training sessions attended by all relevant staff.
- Ask: records of devices authorised to be taken off-site. Good: a well-maintained log that reflects recent device movements.
- Ask: to see how the organisation tracks and manages the location and status of off-site devices. Good: a reliable system where devices can be tracked and wiped if necessary.
- Ask: about the protective measures applied to off-premise permanent installations. Good: tailored protection that mitigates the specific risks of each location.
Cross-framework mappings
How Annex A 7.9 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| ISM-1400 | ISM-1400 requires enforced separation of OFFICIAL: Sensitive or PROTECTED work data from personal data on privately-owned devices used to... | |
| ISM-1554 | ISM-1554 addresses protecting mobile devices used off-site during overseas travel to high or extreme risk countries by mandating dedicate... | |
| Partially overlaps (2) | | |
| ISM-0457 | Annex A 7.9 requires organisations to safeguard assets taken off-site | |
| ISM-0465 | Annex A 7.9 involves protecting assets outside organisational premises | |
| Supports (2) | | |
| ISM-0161 | Annex A 7.9 requires that off-site assets be protected against loss, theft, or damage | |
| ISM-1314 | Annex A 7.9 mandates protection of off-site assets, including secure connectivity for wireless devices | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.