ISO 27001 Control 5.11: Return of Assets
When employees leave, assets often walk out the door with them—creating security gaps and compliance failures. ISO 27001 5.11 requires organizations to establish and enforce asset return procedures before employment ends. This control protects your intellectual property, hardware, and data from loss or unauthorized access.
What this means
Control 5.11 mandates that your organization implement a formal process ensuring all company assets are returned by departing personnel, contractors, and other authorized users. This includes physical assets (laptops, phones, access badges), digital assets (accounts, credentials, licenses), and confidential materials. The return must occur upon employment termination, contract completion, or agreement changes. Your process should document what assets were issued and confirm receipt of their return before final separation.
How to comply
- 1.Create an asset inventory linked to each employee or contractor, documenting all issued items (hardware, software licenses, access credentials, physical keys)
- 2.Define asset return procedures in employment contracts and termination policies, specifying timelines and responsible parties
- 3.Implement a checklist or tracking system for exit processes that confirms return of all assets before final paycheck or contract closure
- 4.Conduct exit interviews that include asset reconciliation and document any missing or damaged items
- 5.Establish accountability measures for unreturned assets, including recovery procedures or cost deductions where legally permissible
- 6.Train HR and IT staff on asset return requirements and integration with offboarding workflows
- 7.Maintain signed records proving asset return completion for audit and dispute resolution
Evidence auditors look for
- Asset register showing issuance date, recipient, and return date for each item
- Employee handbook section detailing asset return obligations and consequences
- Exit interview forms signed by departing employees confirming asset return
- IT tickets or system logs documenting account deactivation and credential revocation
- Equipment return receipts or certificates of destruction for decommissioned assets
- Termination checklists completed by HR with asset return sign-off
- Records of follow-up actions for unreturned assets (invoices, legal notices, recovery attempts)
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates asset tracking and exit workflows, generating compliance checklists that ensure assets are returned before account deactivation—eliminating manual verification gaps and creating audit-ready evidence for 5.11.
See how GRCWatch handles this control automatically
Start free trial