Annex A 5.11 - Return of Assets

Description

Title of Control: Return of Assets

Introduction (what is it?): This control emphasises the need for personnel and other relevant parties to return all organisational assets in their possession upon the change or termination of their employment, contract, or agreement. The purpose is to safeguard the organisation's assets during transitions and ensure the secure handling of assets.

What is the purpose of it? The purpose of this control is to protect the organisation's assets by ensuring that all assets issued to personnel and other interested parties are returned when they change roles or leave the organisation. This process prevents unauthorised use of organisational assets and mitigates the risk of data breaches or loss.

What are the benefits of meeting these requirements? Meeting these requirements offers several benefits:

  • Asset Protection: By ensuring the return of organisational assets, the organisation safeguards its equipment, data, and other associated assets.

  • Data Security: Returning assets and securely erasing data from personal equipment minimises the risk of unauthorised access to sensitive information.

  • Continuity: Documentation and transfer of important knowledge from departing personnel ensure smooth ongoing operations.

  • Intellectual Property Protection: Preventing unauthorised copying of intellectual property during notice periods protects valuable organisational assets.

How difficult is this control to meet? The difficulty of meeting this control varies based on the organisation's asset inventory, the number of personnel, and the complexity of roles. Establishing clear procedures for asset return and data handling is generally manageable, but ensuring compliance and enforcement might require additional effort.

What are the sub-requirements?

  1. Formalise the change or termination process to include the return of all issued physical and electronic assets owned by or entrusted to the organisation.

  2. Establish procedures for returning assets, including those owned by the organisation or personally purchased by personnel.

  3. Ensure that relevant information is transferred and securely deleted from personal equipment used by personnel.

  4. Document and transfer important knowledge from departing personnel that is essential for ongoing operations.

  5. Prevent unauthorised copying of important information, especially intellectual property, during notice periods of termination.

Other information:

  • Assets might include user endpoint devices, portable storage devices, specialist equipment, authentication hardware, and physical copies of information.

  • For assets not owned by the organisation, restrictions on information use should be implemented through other controls like access rights management or encryption.

In conclusion, this control underscores the importance of returning organisational assets when personnel or other parties change roles or end their employment, contract, or agreement. By ensuring the proper return of assets and the secure handling of information, organisations can protect their assets, data, and intellectual property during periods of transition or termination.
