
Control 5.11 : Return of Assets


Summary

Personnel and other interested parties must return all of the organization's assets in their possession upon change or termination of their employment, contract, or agreement. This covers physical hardware (laptops, phones, tokens, keys, ID cards) as well as information assets (local copies of data, credentials, source code). Enforcing it prevents data leakage and ensures that hardware is reclaimed and the asset inventory stays accurate.


Applicability

In-Scope: Mandatory for managing the offboarding process. It is critical for maintaining the integrity of the asset inventory and ensuring that company data does not remain on personal or unmanaged devices.

Out-of-Scope: The control can only be reduced in scope for organizations that own no physical assets and never store data on local devices, which is rare.


Implementation Guidance

Microsoft 365 / Entra ID

  • Offboarding Checklist: Use Microsoft Forms or a SharePoint List to create a standardized offboarding workflow that includes a Return of Assets sign-off.

  • Device Management: Use Microsoft Intune to issue a Retire or Wipe command against company-managed devices so that data is removed before the hardware is handed back. Retire removes company data and the Intune enrolment but leaves personal data in place, which suits BYOD; Wipe performs a factory reset and is appropriate for corporate-owned hardware. The command only executes when the device next checks in, so issue it while the device is still online and record the confirmation, not just the request.

  • Access Revocation: Automate the disabling of the Entra ID account as part of the asset return process so that all digital access is severed at the same time as the hardware is reclaimed. Disabling the account blocks new sign-ins but does not invalidate tokens already issued; also revoke the user's sign-in sessions so cached refresh tokens on any device stop working, and remove the user from groups that grant application or data access.
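The three steps above, as an added example that is not part of the original page and not a Microsoft-provided script, combined into one offboarding run using the Microsoft Graph PowerShell SDK. The user principal name, the CSV file name and the exact permission scopes are assumptions for illustration; verify the scopes against your tenant's consent policy before use.

```powershell
# Added example (not from the original page). Disables the departing user's
# Entra ID account, revokes existing sessions, then retires or wipes every
# Intune-managed device enrolled to that user and writes an evidence record.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # assumption: caller supplies the UPN
    [switch] $FullWipe   # default is Retire (company data + enrolment only); -FullWipe factory-resets
)

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions
Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.DeviceManagement.Actions

# Scopes are an assumption; confirm them in your tenant.
Connect-MgGraph -Scopes @(
    "User.ReadWrite.All",
    "Directory.AccessAsUser.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All"
) | Out-Null

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled

# 1. Block further sign-in. On its own this does not invalidate tokens already issued.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke refresh tokens so cached sessions stop renewing. Access tokens already
#    issued remain valid until they expire (typically about an hour).
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Remove company data from every Intune-managed device enrolled to the user.
$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$($user.UserPrincipalName)'"

$log = foreach ($d in $devices) {
    if ($FullWipe) {
        # Factory reset: for corporate-owned hardware that is being returned.
        Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id -KeepEnrollmentData:$false -KeepUserData:$false
        $action = "wipe"
    } else {
        # Retire: removes company data and MDM management, leaves personal data (BYOD).
        Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id
        $action = "retire"
    }
    [pscustomobject]@{
        User      = $user.UserPrincipalName
        Device    = $d.DeviceName
        Serial    = $d.SerialNumber
        Ownership = $d.ManagedDeviceOwnerType   # company or personal
        Action    = $action
        IssuedUtc = (Get-Date).ToUniversalTime().ToString("o")
    }
}

# 4. Write the evidence record for the offboarding file (file name is an assumption).
$log | Export-Csv -Path "offboarding-$($user.UserPrincipalName)-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$log
```

The CSV records what was issued, not what completed: the device acts on a Retire or Wipe only when it next checks in, so the offboarding file should also capture the device's final Intune status (or a physical inspection on return) before the asset is marked as reclaimed.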


Evidence Checklist

  • Offboarding Records: Completed checklists for recently departed staff showing that laptops, keys, and ID cards were returned.

  • Termination Policy: A documented policy stating the requirement for returning assets upon the end of a contract.

  • Data Removal Confirmation: Evidence that company data was removed from personal devices where BYOD was allowed (for example, an Intune Retire or app protection selective wipe showing as completed), and that corporate-owned devices were wiped or re-imaged before reissue.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How does the organization track which assets are currently in the possession of each employee or contractor?

  • What is the escalation process if an individual fails to return company assets within the required timeframe?

  • How do you ensure that all digital assets (like proprietary code or local copies of files) are also accounted for during offboarding?

  • Can you show a recent example of a completed offboarding file where all assets were successfully reclaimed and recorded?