ISO 27001 Control 7.9: Security of Assets Off-Premises
When employees work remotely or travel with company devices and data, your security perimeter extends beyond the office. Control 7.9 requires you to implement physical and logical safeguards for all assets that leave your premises. Without proper controls, off-site equipment becomes a vulnerability—and a compliance gap that auditors will catch.
What this means
This control mandates that any company asset removed from your physical location must be protected through both physical measures (encryption, locks, secure containers) and logical controls (access restrictions, remote wipe capabilities). The risk isn't just theft—it includes accidental loss, damage during transport, and interception of sensitive data. The control applies to laptops, mobile devices, USB drives, documents, and any other asset containing confidential information.
How to comply
- 1.Classify assets by sensitivity and define which can leave the premises under what conditions
- 2.Implement full-disk encryption on all portable devices (laptops, tablets, USB drives)
- 3.Require VPN connections for remote access to company systems and data
- 4.Deploy mobile device management (MDM) or endpoint detection and response (EDR) tools with remote wipe capabilities
- 5.Establish a check-out/check-in process for physical assets with ownership tracking
- 6.Provide secure transport containers (faraday bags, locked cases) for high-risk assets
- 7.Require multi-factor authentication for access to sensitive data on portable devices
- 8.Define and communicate an off-premises asset policy that covers travel, home offices, and temporary work locations
- 9.Conduct regular audits to verify all off-site assets are accounted for and compliant
- 10.Train employees on handling, transport, and storage of company assets outside the office
Evidence auditors look for
- Asset inventory log showing which devices are off-premises and their encryption status
- Full-disk encryption configuration reports from all laptops and portable devices
- MDM/EDM policy documentation with remote wipe and access restriction rules
- VPN access logs demonstrating employees use secure connections from remote locations
- Off-premises asset security policy signed by employees
- Audit trail of device check-outs and check-ins
- Screenshots of MFA configuration on portable devices
- Training records showing staff completed off-premises asset security awareness
- Third-party penetration test reports validating encryption and access controls
- Incident response logs for any lost or stolen assets
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates off-premises asset tracking and compliance monitoring—automatically flag unencrypted devices, verify VPN/MFA status on remote assets, and generate audit-ready evidence logs without manual spreadsheets.
See how GRCWatch handles this control automatically
Start free trial