
ISO 27001 Control 5.11: Securing Your Assets When People Move On

ISO 27001 Control 5.11 requires organizations to recover all assets and revoke access when staff or contractors leave. A secure offboarding process reduces risks, protects data, and ensures compliance.


Introduction

When an employee leaves the company or a contractor finishes their project, their access to company assets should end immediately and all assets should come home.

But here’s the reality:
Laptops get “forgotten” in home offices. USB drives stay in drawers. Cloud accounts remain active long after a person’s departure. This creates a hidden security risk that attackers (or even careless mistakes) can exploit.

ISO 27001 Control 5.11 makes sure this doesn’t happen by requiring organizations to recover all assets when someone’s relationship with the company ends.

✅ Summary of Control 5.11: Return of Assets

🔒 Control Title: Return of Assets
📘 Source: ISO/IEC 27002:2022, Section 5.11
🧩 Control Category: Organizational
🔍 Attributes:

  • Control Type: #Corrective / #Preventive
  • Security Properties: #Confidentiality, #Integrity, #Availability
  • Cybersecurity Concepts: #Protect, #Recover
  • Operational Capabilities: #Asset_Management, #Offboarding
  • Security Domain: #Protection_and_Defense

🎯 Control Objective

To ensure that all information and associated assets provided to personnel, contractors, and third parties are returned or securely disposed of when their employment or contract ends.

🛠 Implementation Guidance

1) Include Asset Return in Offboarding Procedures:

  • Build return-of-assets into HR’s exit checklist
  • Coordinate with IT, Facilities, and Security teams

2) Maintain an Asset Assignment Log:

  • Track which assets each person has (laptops, phones, ID badges, access cards, keys, documents, etc.)

3) Revoke Digital Access Immediately:

  • Disable accounts, VPN access, and cloud logins on or before the last working day

4) Verify and Acknowledge:

  • Have the departing person sign a return confirmation or asset clearance form

5) Securely Wipe and Reassign Assets:

  • Erase data before redeploying devices
  • Follow secure disposal processes for outdated equipment

📌 Why This Control Matters

Failure to collect assets and revoke access can result in:

  • Data breaches from forgotten accounts
  • Loss of sensitive information stored on devices
  • Unauthorized access to buildings or systems
  • Regulatory compliance failures

A robust asset return process:

  • Closes security gaps during transitions
  • Protects intellectual property and customer data
  • Demonstrates good governance to auditors and partners

🔍 Common Pitfalls to Avoid

  • Not keeping an updated list of who has which assets
  • Forgetting about non-physical assets like software licenses or cloud accounts
  • Waiting too long to disable access after someone leaves
  • Relying on informal “trust” without formal confirmation

💡 Canadian Cyber’s Take

At Canadian Cyber, we integrate Return of Assets into a secure offboarding process that covers both physical and digital property.
We ensure nothing, from a building key to an API credential, slips through the cracks.

🚀 Ready to Lock the Door Behind Departing Staff?

We can help you implement an airtight asset return and account deactivation process that meets ISO 27001 requirements and protects your organization.