GRCWatch
Sign inStart free trial

ISO 27001 Control 7.9: Security of Assets Off-Premises

When employees work remotely or travel with company devices and data, your security perimeter extends beyond the office. Control 7.9 requires you to implement physical and logical safeguards for all assets that leave your premises. Without proper controls, off-site equipment becomes a vulnerability—and a compliance gap that auditors will catch.

What this means

This control mandates that any company asset removed from your physical location must be protected through both physical measures (encryption, locks, secure containers) and logical controls (access restrictions, remote wipe capabilities). The risk isn't just theft—it includes accidental loss, damage during transport, and interception of sensitive data. The control applies to laptops, mobile devices, USB drives, documents, and any other asset containing confidential information.

How to comply

  1. 1.Classify assets by sensitivity and define which can leave the premises under what conditions
  2. 2.Implement full-disk encryption on all portable devices (laptops, tablets, USB drives)
  3. 3.Require VPN connections for remote access to company systems and data
  4. 4.Deploy mobile device management (MDM) or endpoint detection and response (EDR) tools with remote wipe capabilities
  5. 5.Establish a check-out/check-in process for physical assets with ownership tracking
  6. 6.Provide secure transport containers (faraday bags, locked cases) for high-risk assets
  7. 7.Require multi-factor authentication for access to sensitive data on portable devices
  8. 8.Define and communicate an off-premises asset policy that covers travel, home offices, and temporary work locations
  9. 9.Conduct regular audits to verify all off-site assets are accounted for and compliant
  10. 10.Train employees on handling, transport, and storage of company assets outside the office

Evidence auditors look for

  • Asset inventory log showing which devices are off-premises and their encryption status
  • Full-disk encryption configuration reports from all laptops and portable devices
  • MDM/EDM policy documentation with remote wipe and access restriction rules
  • VPN access logs demonstrating employees use secure connections from remote locations
  • Off-premises asset security policy signed by employees
  • Audit trail of device check-outs and check-ins
  • Screenshots of MFA configuration on portable devices
  • Training records showing staff completed off-premises asset security awareness
  • Third-party penetration test reports validating encryption and access controls
  • Incident response logs for any lost or stolen assets

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates off-premises asset tracking and compliance monitoring—automatically flag unencrypted devices, verify VPN/MFA status on remote assets, and generate audit-ready evidence logs without manual spreadsheets.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 5.10 — EncryptionISO 27001 6.1 — Mobile Device ManagementISO 27001 6.2 — Remote WorkingISO 27001 8.1 — User Endpoint DevicesISO 27001 7.10 — Storage Media