Control Definition
Any asset that stores or processes information — devices, media, or other equipment — must be protected whenever it is used or kept outside the organization's premises, with safeguards that account for the different risks of operating off-site.
Control Objective
To prevent the loss, damage, theft, or compromise of assets located outside the organization's premises, and the interruption of operations that depend on them.
What This Really Means
Every other control in the A.7 family protects a place — perimeters, entry points, offices, secure areas. A.7.9 protects the things that leave the place. The moment a laptop goes into a backpack, your physical perimeter stops being a wall and becomes a human being and their habits. This control exists because that perimeter is far easier to breach: a car window, a moment of distraction at an airport gate, a bag left on a train.
In practice the control asks for four things. First, rules: which assets may leave the premises, who authorizes it, and what users must do while custody is theirs. Second, visibility: knowing at any moment who has what and roughly where — which is your asset register (A.5.9) doing live duty, backed by MDM check-in data rather than memory. Third, protection that travels with the asset: full-disk encryption, automatic screen lock, remote wipe, so the safeguards do not depend on the environment the asset lands in. Fourth, behavioral discipline for public spaces: vehicles, cafes, hotels, client sites, and transit.
The scope is wider than the laptops everyone thinks of. Home-office equipment has been off-premises for years at a stretch and quietly drops out of view. Loaner and demo hardware moves between hands without records. Backup media travels between sites. Field-deployed equipment — kiosks, sensors, point-of-sale terminals, network gear in third-party locations — lives permanently in places you do not control and gets inspected only when something breaks.
What auditors treat as the heart of this control is reconciliation and response speed. Expect two tests, stated or unstated: pick a serial number from the register and say where that asset is right now and who holds it; and walk through exactly what happens in the first 24 hours after a device is reported stolen. Organizations that can answer both from records pass; organizations that answer from recollection do not.
Why It Matters
Lost and stolen portable devices are among the most common physical security incidents any organization experiences — not exotic, just constant. The economics are badly asymmetric: the hardware is the cheapest thing involved. What matters is the data on the device, the sessions and credentials cached in it, and the corporate access it can still reach when it powers on in someone else's hands.
Your posture on this control decides whether a loss is an inconvenience or a crisis. An encrypted, MDM-enrolled laptop reported within an hour is a hardware write-off and a short incident record. The same laptop unencrypted and reported three days later is a data breach with notification obligations, client questions, and no way to bound the exposure.
- Unencrypted loss becomes a reportable breach – without full-disk encryption, a stolen laptop converts a property crime into a notifiable data incident with regulator, client, and contractual consequences.
- No custody record means no scoping – if you cannot say what was stored on or accessible from a missing device, you must assume the worst — and regulators and customers will too.
- Slow reporting closes the response window – remote wipe, session revocation, and credential rotation only help before a thief disables connectivity; a report that arrives days late leaves you with damage assessment only.
- Home offices drift into unmanaged sites – equipment issued at onboarding becomes invisible over time: never reconciled against the inventory, never patched with the fleet, never recovered at exit.
- Field equipment is an unattended attack surface – kiosks, sensors, and payment terminals sit in locations you do not control, where tampering or substitution can go unnoticed for months.
Regional Compliance Context
India's distributed-workforce and field-operations reality makes this control operational, not theoretical: devices move between metros, tier-2 cities, and client sites constantly. If a lost device holds personal data, the DPDP Act 2023 puts breach intimation duties to the Data Protection Board and affected individuals on the table, and a serious compromise involving India-connected systems can fall within CERT-In's 6-hour incident-reporting window. A police FIR filed promptly is both standard practice for insurance recovery and useful evidence that you treated the loss seriously.
Organizations in the Gulf face the same calculus under the Saudi PDPL and the UAE federal PDPL — personal data on an unrecovered device is a potential notifiable breach in both regimes. In all of these jurisdictions, fleet-wide encryption plus remote wipe is what converts a lost laptop from a legal event into a logistics event.
Implementation Guidance
Set the rules for assets leaving the premises
Define in policy which asset categories may go off-site, whether authorization is standing (assigned laptops and phones) or case-by-case (servers, bulk media, specialized equipment), and what users owe you while custody is theirs. Fold this into your mobile-device or remote-working policy rather than creating a new document, and capture acknowledgment from everyone it applies to.
Track custody through the asset inventory
Extend the A.5.9 register with an assignee and a location class for every portable asset — office, home, field, in transit. Use MDM last-check-in data as the living evidence of where devices actually are, and run a monthly or quarterly reconciliation between the register and MDM enrollment with a named owner chasing discrepancies. A device that has not checked in for 30 days should generate a ticket, not a shrug.
Make protection travel with the device
Enforce full-disk encryption, automatic screen lock, and MDM enrollment with remote wipe and locate on everything portable — this is where A.7.9 hands off to A.8.1. For removable media leaving the building, issue hardware-encrypted drives only. The goal is that no safeguard depends on the environment the asset ends up in.
Drill public-space and transit discipline
Set concrete behavioral rules: devices are never left unattended in vehicles, are stowed out of sight before departure rather than at the destination, travel as carry-on rather than checked luggage, and get privacy screens for work in public places. Teach this with short scenario-based sessions — the parked car, the hotel room, the conference hall — because behavioral rules in policy prose change nothing.
Bring home offices into scope
Record monitors, docking stations, printers, and other equipment issued for home use at the moment of issuance, with serial numbers against the employee's name. Run an annual self-attestation where staff confirm what they hold, and give practical guidance on household access — work devices are not family devices. Accurate issuance records are also what make the exit and return-of-assets process recoverable instead of forensic.
Protect field-deployed and unattended equipment
For kiosks, sensors, point-of-sale terminals, and network gear in third-party locations, use tamper-evident enclosures and physical anchoring, keep locally stored data minimal, and give each unit a certificate-based identity so a stolen device can be de-authorized centrally. Record custody transfers when partners host your equipment, and add a physical inspection to routine site visits.
Wire loss and theft into incident response
Provide a 24/7 reporting channel and state plainly — in policy and in training — that fast reporting is never punished. Maintain a first-hours runbook: remote wipe, revoke sessions and tokens, rotate credentials, assess what data and access were on the device, file a police report where appropriate, and record the breach-notification decision with its rationale. Track time-to-report as a metric; this is where A.7.9 and A.6.8 meet.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.7.9:
Documentation
- Policy section covering off-premises use of assets, with authorization rules and user responsibilities
- Asset register showing assignee and location status for portable assets, reconciled against MDM enrollment
- MDM compliance reports evidencing encryption, screen lock, and remote-wipe capability across the fleet
- Sign-out log for loaner, demo, and shared equipment with serial numbers, dates, and signatures
- Incident records for lost or stolen assets showing report time, wipe action, credential revocation, and outcome
Interviews
- IT or asset manager about how off-premises custody is tracked and how register-to-MDM reconciliation works
- A remote or field employee about the rules they follow in transit and how they would report a stolen device
- Incident response lead about the lost-device runbook, wipe authority, and time-to-report expectations
Observations
- Live lookup of sampled serial numbers from the register to current MDM location and check-in status
- Inspection of a sample laptop for enforced full-disk encryption and automatic screen lock
- Walkthrough of a recent lost or stolen device ticket from first report to closure
Practitioner Insights

The way I probe this control is simple: I pick five serial numbers from the asset register and ask where each device is right now. Mature organizations answer from the MDM console in two minutes; everyone else starts emailing people. The control fails in the gap between the register and reality, so the discipline that matters is a monthly reconciliation of inventory records against MDM check-ins, with a named owner chasing every unexplained entry. A device that has not phoned home in thirty days with nobody noticing is the finding — regardless of how well the policy reads.

Assigned laptops are usually the well-managed part. What bites is the unassigned hardware — demo units, event kit, spare phones in a drawer, the projector someone took home in March. A simple sign-out log with serial numbers and dates closes most of that gap for almost no cost. The other pattern I keep seeing is late loss reports, and the root cause is fear: people sit on a stolen-bag incident for days hoping it resolves itself. Say explicitly, in policy and in training, that fast reporting is never punished — every response option you have decays by the hour.
Common Challenges & Solutions
Challenge
At any given moment, nobody can say which assets are off-premises, who holds them, or where they are.
Solution
Add assignee and location-class fields to the asset register and treat MDM last-check-in as the live source of truth. Reconcile the two monthly with a named owner, and route every stale check-in into a ticket. For non-managed items — loaners, demo gear — run a sign-out log so custody is always written down somewhere.
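The register-to-MDM reconciliation described here and under "Track custody through the asset inventory" is mechanical enough to script. The block below is an added example, not code from the guide or from any MDM product: the register rows and MDM export rows are constructed sample data, and the field names (serial, assignee, location_class, last_checkin, encrypted, screen_lock, remote_wipe) are assumptions rather than a real vendor schema. It produces one ticket line per discrepancy: devices in the register but not enrolled, enrolled devices nobody recorded, check-ins older than the 30-day threshold, devices failing the encryption/screen-lock/remote-wipe baseline, and register rows that are themselves incomplete.

```python
"""Reconcile an asset register against an MDM check-in export.

Added example, not part of the original guide. Field names and both data
sets are constructed assumptions; swap in your own register and MDM export.
"""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)   # the guide's "no check-in for 30 days" threshold
LOCATION_CLASSES = {"office", "home", "field", "transit"}

# Constructed register rows: what the organization believes it owns and who holds it.
REGISTER = [
    {"serial": "LT-0001", "assignee": "a.rao", "location_class": "home"},
    {"serial": "LT-0002", "assignee": "b.khan", "location_class": "office"},
    {"serial": "LT-0003", "assignee": "c.mehta", "location_class": "transit"},
    {"serial": "PH-0101", "assignee": "d.ali", "location_class": "field"},
    {"serial": "LT-0004", "assignee": "", "location_class": "office"},  # nobody recorded
]

# Constructed MDM export rows: what the fleet actually reports.
MDM_EXPORT = [
    {"serial": "LT-0001", "last_checkin": "2024-05-30T08:12:00Z",
     "encrypted": True, "screen_lock": True, "remote_wipe": True},
    {"serial": "LT-0002", "last_checkin": "2024-04-02T17:40:00Z",   # silent for 60 days
     "encrypted": True, "screen_lock": True, "remote_wipe": True},
    {"serial": "LT-0003", "last_checkin": "2024-05-31T06:05:00Z",
     "encrypted": False, "screen_lock": True, "remote_wipe": True},  # disk not encrypted
    {"serial": "LT-0099", "last_checkin": "2024-05-29T12:00:00Z",   # never registered
     "encrypted": True, "screen_lock": True, "remote_wipe": True},
]

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reconcile(register, mdm_export, now=NOW, stale_after=STALE_AFTER):
    """Return a dict of finding lists; every entry is a discrepancy worth a ticket."""
    reg = {r["serial"]: r for r in register}
    mdm = {m["serial"]: m for m in mdm_export}
    findings = {
        "not_enrolled": [],   # in register, absent from MDM: no live evidence of location
        "unregistered": [],   # in MDM, absent from register: custody never written down
        "stale_checkin": [],  # enrolled but silent longer than the threshold
        "noncompliant": [],   # missing encryption, screen lock or remote-wipe capability
        "bad_record": [],     # register row itself is incomplete (no assignee, bad class)
    }
    for serial, row in reg.items():
        if not row["assignee"] or row["location_class"] not in LOCATION_CLASSES:
            findings["bad_record"].append(serial)
        if serial not in mdm:
            findings["not_enrolled"].append(serial)
    for serial, row in mdm.items():
        if serial not in reg:
            findings["unregistered"].append(serial)
        if now - parse_ts(row["last_checkin"]) > stale_after:
            findings["stale_checkin"].append(serial)
        missing = [k for k in ("encrypted", "screen_lock", "remote_wipe") if not row[k]]
        if missing:
            findings["noncompliant"].append((serial, missing))
    return findings


def tickets(findings):
    """Flatten findings into one ticket line per discrepancy for the named owner."""
    lines = []
    for kind, items in findings.items():
        for item in items:
            serial = item[0] if isinstance(item, tuple) else item
            detail = f" missing={','.join(item[1])}" if isinstance(item, tuple) else ""
            lines.append(f"{kind}: {serial}{detail}")
    return lines


if __name__ == "__main__":
    for line in tickets(reconcile(REGISTER, MDM_EXPORT)):
        print(line)
```

Run monthly against a fresh export, with the output routed into the ticket queue rather than a spreadsheet; the point is that a stale or unregistered serial lands in front of a named owner automatically, which is the evidence an auditor asks for when sampling serial numbers.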
Challenge
Policy forbids leaving devices in vehicles, yet laptops keep getting stolen from parked cars.
Solution
Replace policy prose with scenario training: the parked car, the airport, the hotel room. Make the rule mechanical — stow the bag before departure, never at the destination, and never overnight in a vehicle. After any near miss, reinforce with a short, blameless all-hands note; repeated violations become a management conversation, not another training assignment.
Challenge
Home-office equipment issued at onboarding disappears from view — untracked, unpatched, and unreturned at exit.
Solution
Record every home-issued item with serial numbers at issuance and keep compute devices in MDM. Run an annual self-attestation where employees confirm their holdings, and condition exit clearance on the recorded list rather than the leaver's memory. The cost is a form; the alternative is writing off equipment and the data on it.
Challenge
Lost devices are reported days after the fact, when remote wipe and credential rotation no longer help.
Solution
Open a 24/7 reporting channel — a hotline or a chat alias that pages someone — and make the no-blame rule explicit. Measure time-to-report on every incident and review it like any other security metric. Pair this with a first-hour runbook so the person receiving the report acts immediately instead of escalating into a queue.
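Measuring time-to-report as a metric, as this solution and the "Wire loss and theft into incident response" guidance both ask for, only works if the incident record captures the timestamps of each runbook step. The block below is an added example, not code from the guide: the three incident records are constructed, the field names are assumptions, and so are the two review rules it applies (an assumed 24-hour reporting expectation, and flagging the breach-notification decision for documentation whenever personal data was on a device whose exposure could not be bounded by encryption plus a confirmed wipe).

```python
"""Time-to-report and containment metrics from lost/stolen device records.

Added example, not from the original guide. Incident records are constructed;
field names, the 24-hour reporting expectation and the notification-review
rule are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone
from statistics import median

REPORT_SLA = timedelta(hours=24)  # assumed internal expectation for time-to-report

# Constructed incident records: one prompt report, one late unencrypted loss, one phone.
INCIDENTS = [
    {"id": "INC-1", "serial": "LT-0001", "lost_at": "2024-05-01T18:00:00Z",
     "reported_at": "2024-05-01T18:45:00Z", "wiped_at": "2024-05-01T19:10:00Z",
     "revoked_at": "2024-05-01T19:00:00Z", "encrypted": True, "personal_data": True},
    {"id": "INC-2", "serial": "LT-0007", "lost_at": "2024-05-10T09:00:00Z",
     "reported_at": "2024-05-13T10:00:00Z", "wiped_at": None,
     "revoked_at": "2024-05-13T10:30:00Z", "encrypted": False, "personal_data": True},
    {"id": "INC-3", "serial": "PH-0110", "lost_at": "2024-05-20T12:00:00Z",
     "reported_at": "2024-05-20T14:00:00Z", "wiped_at": "2024-05-20T14:20:00Z",
     "revoked_at": "2024-05-20T14:05:00Z", "encrypted": True, "personal_data": False},
]


def ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z; None stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def hours(start, end):
    """Elapsed hours between two timestamps, or None if either step never happened."""
    return None if start is None or end is None else (end - start).total_seconds() / 3600


def assess(inc):
    """Per-incident timings plus the two review flags."""
    lost, reported = ts(inc["lost_at"]), ts(inc["reported_at"])
    wiped, revoked = ts(inc["wiped_at"]), ts(inc["revoked_at"])
    time_to_report = hours(lost, reported)
    # Exposure is bounded only when the disk was encrypted AND the wipe was confirmed.
    # If personal data was on the device and exposure is unbounded, the
    # breach-notification decision and its rationale must be recorded (assumed rule).
    exposure_bounded = inc["encrypted"] and wiped is not None
    return {
        "id": inc["id"],
        "time_to_report_h": time_to_report,
        "time_to_revoke_h": hours(reported, revoked),
        "time_to_wipe_h": hours(reported, wiped),
        "sla_breached": time_to_report > REPORT_SLA.total_seconds() / 3600,
        "notification_decision_required": inc["personal_data"] and not exposure_bounded,
    }


def metrics(incidents):
    """Fleet-level view: median time-to-report and the incidents needing review."""
    rows = [assess(i) for i in incidents]
    return {
        "incidents": rows,
        "median_time_to_report_h": median(r["time_to_report_h"] for r in rows),
        "sla_breaches": [r["id"] for r in rows if r["sla_breached"]],
        "notification_reviews": [r["id"] for r in rows if r["notification_decision_required"]],
    }


if __name__ == "__main__":
    summary = metrics(INCIDENTS)
    for row in summary["incidents"]:
        print(row)
    print("median time-to-report (h):", summary["median_time_to_report_h"])
    print("late reports:", summary["sla_breaches"])
    print("notification decision to document:", summary["notification_reviews"])
```

The useful output is not the median on its own but the list of late reports reviewed alongside it: each one is a conversation about why the person waited, which is how the no-blame rule gets tested in practice rather than only stated in policy.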
Challenge
Field equipment — kiosks, sensors, payment terminals — sits in third-party locations with no physical oversight.
Solution
Engineer for the assumption that the location is hostile: tamper-evident enclosures, physical anchoring, minimal data stored locally, and certificate-based device identity so a stolen unit can be de-authorized the moment it is missed. Put custody and access responsibilities into the site agreement, and add a physical check to every routine service visit.