Control 7.9: Security of Assets Off-Premises


Summary

Off-premises assets should be protected, taking into account the different risks of working outside the organization's premises. The control focuses on hardware such as laptops and mobile devices used in the field or in remote work environments.


Applicability

In-Scope: Mandatory for any organization with a mobile or remote workforce, addressing the high risk of theft or loss in public spaces.

Out-of-Scope: Can be excluded only if no company assets are ever allowed to leave the physical office.


Implementation Guidance

Microsoft 365 / Entra ID

  • Encryption: Use Microsoft Intune to enforce BitLocker (Windows) and FileVault (Mac) encryption on all portable assets.

  • Remote Wipe: Ensure the capability to issue a full wipe or a retire command via Intune if a device is reported lost or stolen.

  • Tracking: Enable device location features through Entra ID to assist in the recovery of lost company hardware.


Evidence Checklist

  • Mobile Device Policy: Rules defining the responsibilities of staff when carrying company equipment off-site.

  • Encryption Reports: Logs from Intune proving that 100% of portable assets have active disk encryption.

  • Incident Reports: Records of actions taken when a device was lost or stolen in the past.
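The following script is an added example, not code from the original page or from Microsoft: it builds the "Encryption Reports" evidence item from the Intune data described under Implementation Guidance, using the Microsoft Graph PowerShell module. It assumes the Microsoft.Graph modules are installed, that the signed-in account has the DeviceManagementManagedDevices.Read.All permission, and that the list of "portable" operating system names and the 30-day stale threshold are suitable for your estate (both are assumptions, adjust them to your inventory).

```powershell
# Added example (not from the original page): builds the "Encryption Reports"
# evidence item from Intune via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph modules are installed and the signed-in account
# holds DeviceManagementManagedDevices.Read.All. The StaleDays threshold and the
# list of "portable" OS names are assumptions for this example.
Import-Module Microsoft.Graph.DeviceManagement

function Get-PortableEncryptionReport {
    param(
        [string[]]$PortableOs = @('Windows', 'macOS', 'iOS', 'Android'),
        [int]$StaleDays = 30
    )
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null

    # Every device Intune manages; -All pages through the whole result set.
    $devices = Get-MgDeviceManagementManagedDevice -All |
        Where-Object { $PortableOs -contains $_.OperatingSystem }

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $rows = foreach ($d in $devices) {
        [pscustomobject]@{
            DeviceName = $d.DeviceName
            OS         = $d.OperatingSystem
            Encrypted  = [bool]$d.IsEncrypted
            Compliance = $d.ComplianceState
            LastSync   = $d.LastSyncDateTime
            # A device that has not checked in cannot receive a wipe or retire
            # command, so disk encryption is its only remaining safeguard.
            Stale      = ($d.LastSyncDateTime -lt $cutoff)
        }
    }

    $total     = @($rows).Count
    $encrypted = @($rows | Where-Object { $_.Encrypted }).Count
    $coverage  = if ($total) { [math]::Round(100 * $encrypted / $total, 1) } else { 0 }
    [pscustomobject]@{
        PortableDevices  = $total
        EncryptedDevices = $encrypted
        CoveragePercent  = $coverage
        Unencrypted      = @($rows | Where-Object { -not $_.Encrypted })
        StaleUnencrypted = @($rows | Where-Object { -not $_.Encrypted -and $_.Stale })
    }
}

$report = Get-PortableEncryptionReport
"Portable assets: $($report.PortableDevices), encrypted: $($report.EncryptedDevices) ($($report.CoveragePercent)%)"
$report.Unencrypted | Format-Table DeviceName, OS, Compliance, LastSync, Stale -AutoSize
# Evidence artefact for the auditor: a dated export of the devices still lacking encryption.
$report.Unencrypted | Export-Csv -NoTypeInformation -Path "encryption-gaps-$(Get-Date -Format yyyyMMdd).csv"
```

The StaleUnencrypted rows deserve the most attention: a wipe or retire command only executes when the device next contacts Intune, so for those devices neither control currently applies.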


Practical Audit Advice

Here are some questions the auditor might ask:

  • What is the required timeframe for an employee to report a lost or stolen laptop?

  • How do you ensure that company data cannot be accessed if a laptop is stolen while in a sleep or idle state?

  • Is there a policy regarding leaving company equipment in unattended vehicles or hotel rooms?

  • Can you demonstrate the process for remotely wiping a device that is no longer in the organization's physical control?