
ISO 27001:2022 Annex A  ·  Organizational Control

A.5.11
Return of assets

To ensure organizational assets are recovered and protected whenever an employment relationship, contract, or agreement changes or comes to an end.

Last reviewed: June 12, 2026  ·  Authored by TÜV SÜD & BSI Certified Lead Auditors

Control Definition

Anyone holding organizational assets — employees, contractors, or external parties — must hand them back when the employment, contract, or agreement under which they hold them ends or changes.

Control Objective

To ensure organizational assets are recovered and protected whenever an employment relationship, contract, or agreement changes or comes to an end.

What This Really Means

Offboarding is the moment part of your security perimeter walks out the door. The laptop on the kitchen table, the hardware token on a keyring, the badge in a wallet, the customer list in a personal folder — every one of them is organizational property that stops being supervised the day the relationship ends. A.5.11 asks you to run that moment as a controlled handover instead of an act of faith.

In practice the control is a reconciliation exercise. The HR event — resignation, contract end, even an internal move — triggers a checklist that pulls the person's holdings from the asset inventory (A.5.9), recovers each item, verifies its condition, revokes whatever cannot be physically returned, and updates the register. The inventory tells you what to chase; the checklist proves you chased it. Organizations that skip the reconciliation step end up asking leavers what they have, which is exactly backwards.

The assets that hurt most are the ones with no barcode. Credentials and MFA enrollments, API keys, admin rights over SaaS tenants, source-code repositories, the company's social-media accounts, and the operational knowledge that exists only in the leaver's head are all assets in the person's possession. For those, return means rotation, ownership transfer, and documented handover — not a courier box. BYOD inverts the problem: the device was never yours, so you recover the data and the access instead of the hardware.

What auditors treat as the heart of this control is traceability. They will pull names from the HR leavers list — not from IT's records — and trace each one through checklist, register update, access revocation, and the handling of anything that never came back. A process that reconciles cleanly for every sampled leaver passes; a tidy template with no completed examples does not.

Why It Matters

An unreturned asset is unsupervised attack surface. A corporate laptop on a former employee's shelf still holds cached files, saved sessions, and a VPN profile — and nobody is patching it, monitoring it, or able to say where it is. Multiply that by every informal exit over a few years and the accumulated exposure rivals a breach, except no one is looking at it.

When asset return is informal or unverified, the failure modes are predictable:

  • Data walks out the door – an unreturned laptop or USB drive carrying customer records is a dormant breach; if it surfaces later, notification duties can arrive years after the person left
  • Residual access through objects – hardware tokens, smart cards, badges, and corporate SIMs keep working until physically recovered or deactivated; disabling the account alone does not finish the job
  • Intellectual property leakage – the notice period is the highest-risk window for copying source code, customer lists, and pipeline data to personal storage
  • Inventory rot – every unreconciled exit leaves the asset register a little more wrong, making the next exit harder to verify and the next audit sample worse
  • Replacement cost and dispute – unrecovered devices are a real budget line, and without signed issuance records there is no clean basis to recover costs or hold anyone accountable

Auditors also read this control as a test of whether HR, IT, and security operate as one process or three. A failed A.5.11 sample usually signals deeper joiner-mover-leaver weakness — which is why experienced auditors sample it early.

Regional Compliance Context

India's distributed-workforce reality makes retrieval logistics the hard half of this control: leavers in cities where you have no office, devices that must move by courier, and the occasional employee who simply stops responding. The DPDP Act 2023 raises the stakes — if an unreturned device holding personal data is later compromised, that can constitute a personal data breach with intimation duties to the Data Protection Board and affected individuals, and a serious loss can fall within CERT-In's 6-hour incident-reporting window for India-connected systems. Fleet-wide encryption and MDM remote wipe convert most of that risk into a paperwork exercise.

Indian HR practice already provides a useful lever: clearance certificates and full-and-final settlement are routinely conditioned on return of company property where employment contracts provide for it. Gulf organizations have an equivalent checkpoint in end-of-service processing, and the Saudi and UAE PDPL regimes raise the same breach considerations when personal data sits on unrecovered devices.

Implementation Guidance

1. Anchor the exit process to the asset inventory

When notice is given or a contract end date is set, generate the person's holdings from the asset register, MDM enrollment, SSO application assignments, and procurement records. The merged list — not the leaver's memory — defines what must come back. Reconcile it against signed issuance acknowledgments so disputes are settled by records, not recollection.

2. Run exits through a joiner-mover-leaver checklist with named owners

Make HR the trigger, IT the executor, and the line manager the verifier: resignation and contract-end events should fire the checklist automatically through the HRMS or ticketing system. Define what happens on notice day (knowledge-transfer kickoff, heightened monitoring where lawful), the last working day (device and badge collection, access revocation), and the day after (reconciliation and sign-off). Include movers — internal role changes often require partial return of equipment and access.

3. Define the full scope of returnable assets — including intangibles

List every returnable category in the checklist: endpoint devices, phones and SIMs, removable media, access cards, hardware tokens, printed material, and specialist equipment, plus the intangibles — account access, MFA enrollments, API keys, repository and SaaS admin rights, domain and social-media accounts, and documentation. For credentials and shared secrets the leaver could know, return means rotation or ownership transfer. Write the intangible items into the template so coverage stops depending on whoever happens to run the exit.

4. Capture knowledge and work products during the notice period

For critical roles, begin structured knowledge transfer the day notice is given: runbooks written or updated, open work documented, vendor and customer contacts handed over, and cloud documents moved from personal workspaces to team spaces. Collect work products stored locally or in personal folders before the last day. The notice period is also the highest-risk window for IP copying, so apply proportionate, lawful monitoring of bulk downloads and large outbound transfers.

5. Prepare remote-retrieval logistics before you need them

Decide in advance how devices come back from remote staff: prepaid, tamper-evident courier kits dispatched on notice day, regional collection points where you have offices, and serial-number plus condition verification photographed on receipt. Set a return deadline and track it like any other ticket. Where recovery fails, remote lock and wipe through MDM is the compensating control — which only works if every device was enrolled and encrypted from day one.

6. Define and enforce the non-return escalation path

Set the escalation ladder for non-return: structured reminders, manager escalation, linking clearance certificates and final settlement to asset return where the contract and local employment law allow, then account disablement, remote wipe, and cost recovery. Decide the threshold at which an unreturned device holding sensitive data becomes a security incident with its own assessment. Record the outcome either way — a documented loss with a wipe log is defensible; an untracked one is a finding.

7. Verify, close the loop, and measure recovery

Close each exit with a signed checklist, a same-week asset register update, and quarantine of returned devices pending sanitization under A.7.14 before reissue. Reconcile the HR leavers list against the register quarterly to catch silent gaps. Report recovery rate and average time-to-recover into management review so the process gets resourced like the control it is.
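The reconciliation that steps 1 and 7 describe, as an added example that is not part of the original page or of any ITAM, MDM or SSO product: a leaver's holdings are merged from several sources into one recovery list, and the HR leavers list (not IT's records) drives a check for anything still outstanding after the last working day. All records and schemas below are constructed sample data.

```python
"""Exit reconciliation over constructed sample records (assumed schemas).
Dates are ISO-8601 strings, which compare correctly as plain strings."""

# HR is the trigger: (user, last_working_day)
HR_LEAVERS = [
    ("asha", "2026-05-29"),
    ("ravi", "2026-06-05"),
    ("meera", "2026-06-30"),   # still in notice period
]
# A.5.9 asset register extract: (asset_id, kind, assigned_to, returned)
ASSET_REGISTER = [
    ("LT-0412", "laptop", "asha", True),
    ("TK-0077", "hardware token", "asha", False),
    ("LT-0518", "laptop", "ravi", False),
    ("LT-0601", "laptop", "meera", False),
]
# MDM enrollment: (serial, user, status) where status is enrolled | wiped
MDM_ENROLLED = [
    ("LT-0412", "asha", "wiped"),
    ("LT-0518", "ravi", "enrolled"),
]
# SSO application assignments cover the intangibles: (user, app, role, active)
SSO_ASSIGNMENTS = [
    ("asha", "github", "member", False),
    ("ravi", "github", "org-admin", True),
    ("ravi", "crm", "user", True),
    ("meera", "crm", "user", True),
]


def holdings(user):
    """Merged recovery list for one person: what must come back or be revoked.
    Physical items come from the register and MDM, access from SSO, so the
    list is defined by records rather than by the leaver's memory."""
    items = [f"{kind} {aid} (register)"
             for aid, kind, owner, returned in ASSET_REGISTER
             if owner == user and not returned]
    items += [f"device {serial} (mdm)"
              for serial, owner, status in MDM_ENROLLED
              if owner == user and status == "enrolled"]
    items += [f"{app}:{role} (sso)"
              for owner, app, role, active in SSO_ASSIGNMENTS
              if owner == user and active]
    return sorted(set(items))


def reconcile(as_of):
    """HR-driven check: for every leaver whose last day is before `as_of`,
    report anything still assigned, enrolled or active. An empty result
    means the register and access state agree with the HR leavers list."""
    findings = {}
    for user, last_day in HR_LEAVERS:
        if last_day >= as_of:
            continue   # not yet left; handled by the notice-day checklist
        outstanding = holdings(user)
        if outstanding:
            findings[user] = outstanding
    return findings
```

Running `reconcile("2026-06-15")` on the sample data flags asha's unrecovered token and ravi's laptop, MDM enrollment and two live SSO roles, while meera is skipped because her last day has not passed.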

Audit Evidence

During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.5.11:

Documentation

  • Offboarding or exit checklist template, plus completed checklists for a sample of recent leavers
  • Asset register extracts showing per-person assignments and dated return status, linked to A.5.9 records
  • Signed asset issuance and return acknowledgments, or equivalent ticket trails
  • MDM remote-lock and wipe logs for devices that could not be physically recovered
  • Escalation records for non-returned assets — reminders, settlement holds, incident tickets, or documented risk acceptances

Interviews

  • HR manager on how resignations, contract ends, and role changes trigger the asset recovery workflow
  • IT asset manager on how a leaver's holdings are established and how returns are reconciled with the register
  • A line manager who recently processed a leaver, on knowledge handover and how return was confirmed

Observations

  • Auditor samples names from the HR leavers list and traces each through checklist, register update, and access revocation
  • Live view of the MDM or ITAM console showing the current status of recent leavers' devices
  • Inspection of the storage or quarantine area where returned devices await sanitization and reissue

Practitioner Insights

Surendra Pal Singh

A pattern I see across audits: the exit checklist looks immaculate, then I pick five leavers from the HR list and the asset register disagrees for two of them — a laptop still assigned, a token never recovered, a SaaS admin role still active. This control is sampled from HR data, never from IT's, because IT's records only contain the exits IT knew about. The other consistent blind spot is intangibles — cloud tenancies, repositories, shared credentials — which appear on no checklist because nobody owns them as assets. If your leavers list reconciles cleanly against your register for the last twelve months, this control will hold; if you have never run that reconciliation, run it before the auditor does.

Surendra Pal Singh · CISO, DPO, CISA, ISO 27001, 27701, 42001 Lead Auditor

Saundhi Chauhan

For remote-first startups the honest problem is logistics, not policy — the leaver is in another city and the laptop sits in a flat you have no right to enter. Make the practical kit part of the control: full-disk encryption and MDM enrollment from day one, a prepaid tamper-evident courier pack that ships the day notice is given, and a photo-and-serial check when the box arrives. Then keep the trail — the remote-wipe log for the one device that never came back is precisely the artifact the auditor will ask to see. Teams that prepare this at onboarding barely notice exits; teams that improvise at exit lose devices and evidence at the same time.

Saundhi Chauhan · ISO 27001, 27701 Lead Auditor

Common Challenges & Solutions

Challenge

A remote employee resigns and their laptop is in another city — or another country — with no office nearby.

Solution

Build retrieval logistics into onboarding, not offboarding: every remote device ships with full-disk encryption and MDM enrollment, so non-return degrades into a financial problem instead of a data exposure. On notice day, dispatch a prepaid, tamper-evident courier kit with a firm return deadline, track it like a ticket, and verify serial number and condition on receipt. Where the device cannot be recovered, execute remote wipe and record it as the compensating action.

Challenge

The asset register doesn't match what the person actually holds, so nobody knows what to chase.

Solution

Reconcile at the moment of exit using every source available: the A.5.9 register, MDM and SSO inventories, procurement records, and the line manager's knowledge. Recover against the merged list, then correct the register as part of closure — each exit should leave the inventory more accurate, not less. If gaps keep recurring, fix issuance: assets handed out without a register entry are the root cause.

Challenge

Intangible assets — credentials, cloud tenancies, API keys, domain and social accounts — are forgotten because they aren't physical things.

Solution

Add a standing intangibles section to the exit checklist: rotate shared secrets and API keys the person could know, transfer ownership of repositories, SaaS admin roles, domains, and social accounts, and remove MFA enrollments. Drive the list from SSO and password-manager data rather than memory. Treat any credential the leaver could plausibly retain as compromised until rotated.

Challenge

An employee leaves on bad terms — or simply disappears — and refuses to return equipment.

Solution

Prepare the levers in advance: issuance acknowledgments signed at handover, contract clauses covering return and cost recovery, and clearance linked to final settlement where employment law permits. Operationally, disable accounts immediately, remote-wipe the device, and assess whether the unreturned data warrants treating the situation as a security incident. Document the residual risk and management's acceptance — auditors accept losses, not silence.

Challenge

Knowledge walks out the door — the departing person is the only one who knows how a critical system runs.

Solution

Treat operational knowledge as a returnable asset. For critical roles, start a structured handover at notice: runbooks written or updated (A.5.37 territory), credentials and vendor relationships transferred, and a named successor shadowing before the last day. Where notice periods are short, prioritize the systems on your business-continuity critical list and accept documented gaps for the rest.

Frequently Asked Questions

Does A.5.11 cover only physical assets like laptops, or information too?
Both. The control covers every organizational asset in the person's possession: devices, media, access cards, and tokens, but also information — files on personal storage, printed documents — and intangibles such as credentials, cloud access, and documentation. In practice the checklist splits into physical recovery, information handover, and credential rotation or transfer. An exit process that only chases hardware covers perhaps half the control.
How do we handle asset return for fully remote employees?
Through logistics prepared before the exit: full-disk encryption and MDM enrollment from day one, a prepaid tamper-evident courier kit dispatched when notice is given, a defined return deadline, and serial-number verification on receipt. Remote wipe is the compensating control when a device cannot be recovered. Auditors are comfortable with courier-based return as long as the chain — dispatch, receipt, verification, register update — is recorded.
What should we do when someone refuses to return a device?
Escalate along a defined path: reminders, manager escalation, withholding clearance or final settlement where the employment contract and local law allow, then remote wipe and account disablement, and finally cost recovery or legal action for high-value equipment. Assess whether the data on the device justifies handling the situation as a security incident. Whatever the outcome, record it — a documented loss with a wipe log is defensible; an untracked one becomes an audit finding.
Does the control apply to contractors, consultants, and vendor staff?
Yes. The obligation attaches to anyone holding organizational assets under an employment relationship, contract, or other agreement — including agency staff and supplier personnel. Build return obligations into the contract (A.5.20 territory for suppliers) and trigger recovery when the individual rotates off the account, not just when the contract expires. Third-party leavers are the most commonly missed population because no internal HR event fires for them.
How does A.5.11 work with BYOD, where the device belongs to the employee?
You recover the data and the access, not the device. That means removing organizational data through MAM or selective wipe, revoking accounts, certificates, and MFA enrollments, and obtaining signed confirmation that organizational information has been deleted from personal equipment. This only works if BYOD was set up with containerization or managed work profiles in the first place — retrofitting that control at exit is nearly impossible.
What's the difference between A.5.11 and A.6.5?
A.5.11 is the one-time recovery event: getting assets, information, and access back when the relationship ends or changes. A.6.5 covers the duties that continue afterward — confidentiality, intellectual property, non-disclosure — and making sure leavers know those obligations still bind them. A complete offboarding process executes both: the checklist recovers what the organization owns, and the exit communication reminds the person what survives.

Written By Expert Auditors

Saundhi Chauhan · Lead Auditor · ISO 27001 Lead Auditor, ISO 27701 Lead Auditor

Surendra Pal Singh · Chief Information Security Officer & Data Protection Officer · CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor
