Annex A 7.9: Security Of Assets Off Premises

The Annex A 7.9 (Security of Assets Off Premises) requirement means you must protect organization-owned or managed information assets when they leave controlled facilities (homes, travel, client sites, shared workspaces). Operationalize it by defining what “off premises” covers, setting handling rules by asset type, and collecting evidence that staff and third parties follow those rules. 1

Key takeaways:

  • Define off‑premises scenarios and asset scope, then set enforceable handling requirements (transport, storage, use, and return).
  • Make the control auditable: assign ownership, train users, and retain recurring evidence (exceptions, checks, incidents).
  • Align technical controls (encryption, MDM, remote wipe) with procedural controls (sign-out, secure transport, clean desk at home).

Security breaks most often at the edges of your environment: laptops in back seats, printed reports in hotel trash, prototype hardware in carry-on bags, backups shipped to a third party, or a developer using a personal device during travel. Annex A 7.9 focuses on those moments. It is a “requirement you can’t firewall.” You have to combine policy, user behavior, and technical enforcement so assets remain protected outside the office.

For a Compliance Officer, CCO, or GRC lead, the fastest path is to turn Annex A 7.9 into a small set of measurable operating rules: (1) which assets are allowed off premises, (2) what protections are mandatory, (3) who approves exceptions, and (4) what evidence proves the process runs. Your auditor will look for clarity, consistency, and repeatability more than perfect tools.

This page gives requirement-level implementation guidance you can put into a control statement, delegate to IT and Facilities, and then evidence for ISO 27001 audits. It also anticipates the common “but what about…” questions: hybrid work, personal devices, couriers, client sites, and third-party custody.

Regulatory text

Excerpt (provided): “ISO/IEC 27001:2022 Annex A control 7.9 implementation expectation (Security Of Assets Off Premises).” 1

Operator interpretation: You must implement safeguards to prevent loss, theft, unauthorized access, or damage to information assets when those assets are outside your controlled premises. “Assets” includes devices, removable media, paper records, and other items that store or enable access to information. The control expects implementation that can be assessed, not informal guidance. 2

What an operator must do in practice:

  • Define which assets and scenarios count as “off premises” for your organization.
  • Establish handling requirements proportional to the sensitivity and portability of the asset.
  • Implement technical protections where feasible and procedural protections everywhere else.
  • Maintain evidence that requirements are communicated, followed, and corrected when they fail.

Plain-English interpretation (what 7.9 is asking for)

Annex A 7.9 expects you to treat “leaving the building” as a security event that triggers specific controls. If a laptop, phone, hard drive, badge, or printed report goes off premises, you need rules for:

  • Authorization: Is the asset allowed to leave, and under what conditions?
  • Protection: How is it secured during transport and at the destination?
  • Accountability: Who has custody, and can you prove it?
  • Response: What happens if it is lost, stolen, or inspected by an unauthorized person?

Hybrid work makes this control broader. “Off premises” includes employee homes, co-working spaces, client sites, conferences, airports, hotels, and any third-party facility where you do not control physical access.

Who it applies to

Entity scope: Organizations implementing an ISO/IEC 27001 ISMS, including service organizations. 2

Operational context scope: Any function that creates, stores, processes, transports, or accesses information using portable or removable assets, including:

  • Corporate IT (end-user computing, mobile, endpoint management)
  • Engineering (prototype devices, debug hardware, source code access on laptops)
  • Finance/HR (printed payroll, offer letters, employee records)
  • Sales/Client delivery (presentations with sensitive client data, on-site access)
  • Facilities/Workplace (badges, keys, storage, secure disposal)
  • Third parties who receive or transport your assets (couriers, repair depots, MSPs)

What you actually need to do (step-by-step)

Step 1: Define “off premises” and asset categories

Create a short scoping statement your teams can apply without debate:

  • Premises you control (owned or leased office, controlled data center areas)
  • Premises you do not control (home, travel, client, shared workspace, third-party site)

Then classify asset categories that commonly go off premises:

  • End-user devices (laptops, phones, tablets)
  • Removable media (USB drives, external SSDs)
  • Paper records (contracts, HR files, board materials)
  • Authentication assets (badges, keys, hardware tokens)
  • Specialized equipment (network gear, lab devices, prototypes)

Deliverable: an “Off-Premises Asset Scope” section in policy plus an inventory linkage (even if partial).

Step 2: Set minimum handling rules by asset type and data sensitivity

Write requirements as “must” statements that are testable. Example control rules:

  • Transport: Assets must remain in the custodian’s possession or in a locked container; no unattended storage in vehicles unless in a locked trunk and only for limited stops.
  • Storage at destination: Devices must be physically secured when not in use (locked room, locked drawer) and must not be left visible in shared spaces.
  • Use in public: Screens must be protected from shoulder surfing; avoid discussing sensitive matters where conversations can be overheard.
  • Paper: Sensitive paper must be minimized, carried in sealed envelopes, and returned for secure storage or destroyed via approved methods.
  • Removable media: Prohibit by default or require encryption and documented business justification.

Keep it short, then push detail into standards/procedures owned by IT and Facilities.

Step 3: Map rules to technical controls (where you can enforce)

Auditors expect more than “policy says so” for high-risk portable assets. Common technical measures:

  • Full-disk encryption for laptops and mobile devices, with recovery keys escrowed centrally (a lost device should mean a wipe, not lost data)
  • Strong authentication and auto-lock timeouts
  • MDM/endpoint management with remote wipe and device attestation, plus a check-in age threshold so “enrolled” actually means “still manageable”
  • Prohibition or control of removable media via endpoint policy (USB storage blocked, or read-only/encrypted-only where an exception exists)
  • Secure VPN or zero trust access when connecting from untrusted networks

Your job as GRC: document the mapping from each off-premises rule to an enforcing system or a compensating procedure, and define who monitors compliance.
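The mapping above only survives an audit if something produces the evidence on a schedule. As an added example (not code from the original page, from ISMS.online, or from any MDM product), the Python script below cross-checks an asset inventory extract against an MDM compliance export and emits the findings a control owner would chase: active devices missing from MDM, unencrypted disks, remote wipe disabled, stale check-ins, MDM-enrolled devices with no inventory record (a custody gap), and removable media that needs an exception register entry. The CSV column names, the 14-day check-in threshold and the sample rows are all assumptions constructed for the example.

```python
"""Cross-check an asset inventory extract against an MDM compliance export.

Added example (not from the original page or any vendor tool): produces the
recurring "encryption/MDM posture" evidence an auditor asks for under
Annex A 7.9. Column names, thresholds and sample rows are assumptions.
"""
import csv
import io
from datetime import datetime

# Constructed sample data. Real inputs would be exports from your asset
# register and MDM; the column names are assumed, not any product's schema.
INVENTORY_CSV = """serial,asset_type,assigned_to,status
LAP-001,laptop,alice,active
LAP-002,laptop,bob,active
LAP-003,laptop,,stock
TAB-010,tablet,carol,active
USB-777,removable_media,dave,active
"""

MDM_CSV = """serial,disk_encrypted,remote_wipe_enabled,last_checkin,removable_media_blocked
LAP-001,true,true,2024-05-20,true
LAP-002,false,true,2024-05-19,true
TAB-010,true,false,2024-03-01,true
LAP-099,true,true,2024-05-21,true
"""

MAX_CHECKIN_AGE_DAYS = 14  # assumed threshold for "still manageable"
MANAGED_TYPES = {"laptop", "tablet", "phone"}


def _truthy(value):
    return value.strip().lower() in {"true", "yes", "1"}


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_noncompliance(inventory_csv, mdm_csv, as_of):
    """Return a sorted list of (serial, finding) tuples for the evidence pack.

    as_of is the report date as 'YYYY-MM-DD'. Inventory is the source of
    truth for custody; MDM is the source of truth for technical posture.
    """
    inventory = {r["serial"]: r for r in load_rows(inventory_csv)}
    mdm = {r["serial"]: r for r in load_rows(mdm_csv)}
    report_date = datetime.strptime(as_of, "%Y-%m-%d").date()
    findings = []

    for serial, asset in inventory.items():
        if asset["status"] != "active":
            continue  # stock/retired assets are not off premises
        if asset["asset_type"] == "removable_media":
            # Policy says prohibit by default: flag for the exception register.
            findings.append((serial, "removable media in use; requires exception register entry"))
            continue
        if asset["asset_type"] not in MANAGED_TYPES:
            continue
        record = mdm.get(serial)
        if record is None:
            findings.append((serial, "active device not enrolled in MDM"))
            continue
        if not _truthy(record["disk_encrypted"]):
            findings.append((serial, "full-disk encryption not enabled"))
        if not _truthy(record["remote_wipe_enabled"]):
            findings.append((serial, "remote wipe not enabled"))
        last = datetime.strptime(record["last_checkin"], "%Y-%m-%d").date()
        age = (report_date - last).days
        if age > MAX_CHECKIN_AGE_DAYS:
            findings.append((serial, f"no MDM check-in for {age} days"))

    # Devices MDM knows about but the inventory does not: nobody owns custody.
    for serial in mdm.keys() - inventory.keys():
        findings.append((serial, "enrolled in MDM but absent from asset inventory"))

    return sorted(findings)


def compliance_summary(findings, inventory_csv):
    """Headline numbers for the control owner's recurring report."""
    active_managed = [r for r in load_rows(inventory_csv)
                      if r["status"] == "active" and r["asset_type"] in MANAGED_TYPES]
    flagged = {serial for serial, _ in findings}
    compliant = [r["serial"] for r in active_managed if r["serial"] not in flagged]
    return {"active_managed": len(active_managed),
            "compliant": len(compliant),
            "findings": len(findings)}


if __name__ == "__main__":
    results = find_noncompliance(INVENTORY_CSV, MDM_CSV, "2024-05-21")
    for serial, finding in results:
        print(f"{serial}: {finding}")
    print(compliance_summary(results, INVENTORY_CSV))
```

Run it on a schedule, keep the dated output with the two source exports, and the same three files become the “show me it operates” artifact for the audit period. The inventory-versus-MDM set difference in both directions is the part teams most often skip: an unencrypted laptop is a finding, but a laptop nobody can prove was ever enrolled is a worse one.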

Step 4: Establish custody and accountability

Operationalize custody with simple, auditable mechanics:

  • Asset assignment records (device issued to user; token issued to user)
  • Check-out / check-in for shared equipment (loaner laptops, prototypes, demo units)
  • Third-party chain-of-custody for repairs, shipments, and returns (tracking numbers, receiving logs)

Define when chain-of-custody is required (for example: prototypes, removable media, sensitive paper bundles).

Step 5: Control third-party handling off premises

Where third parties transport or hold your assets:

  • Add contract clauses requiring appropriate physical security, incident reporting, and secure disposal/return.
  • Require confirmation of encryption for any device that stores your data.
  • Ensure the third party is in your third-party risk process and that off-premises custody is explicitly covered in questionnaires or onsite assessments.

This is a common gap: the organization controls employees but forgets repair depots, couriers, and temporary staffing firms.

Step 6: Train users and make the behavior measurable

Training must be specific to off-premises risk:

  • What employees can take off premises
  • How to secure it in transit and at home
  • What to do immediately if lost/stolen (who to call, what info to provide)

Add a measurable element: policy attestation, targeted training completion evidence, and periodic reminders during travel-heavy seasons.

Step 7: Define exceptions and incident triggers

Make exceptions explicit:

  • Who can approve taking certain assets off premises
  • How long the exception lasts
  • Compensating controls required
  • How you record and review exceptions

Tie Annex A 7.9 to incident management: lost/stolen devices, suspected unauthorized viewing, or unaccounted-for paper records should trigger a defined response path.

Required evidence and artifacts to retain

Auditors will ask, “Show me it operates.” Maintain:

  • Off-Premises Asset Security policy/standard (versioned, approved)
  • Asset inventory extracts for portable devices and tokens (assigned owner, status)
  • Endpoint configuration evidence (encryption status reports, MDM compliance summaries)
  • Removable media control settings and exception logs (if allowed)
  • Check-out/check-in logs for shared assets and prototypes
  • Shipping/receiving logs and third-party chain-of-custody records (where applicable)
  • Training materials and completion/attestation records
  • Incident tickets for lost/stolen assets, with closure notes and corrective actions
  • Exception approvals with compensating controls and review outcomes
  • Internal audit or control testing results for off-premises control operation

Practical tip: store evidence by audit period and label it by control number so Annex A 7.9 testing does not become a scavenger hunt.

Common exam/audit questions and hangups

Expect these:

  • “How do you define ‘off premises’ for hybrid staff and client sites?”
  • “Which assets are allowed off premises, and who approves exceptions?”
  • “Prove laptops are encrypted and manageable (remote wipe).”
  • “How do you prevent or control USB storage?”
  • “Show incident examples for lost devices and how you responded.”
  • “How do third parties handle your assets during shipping/repair?”
  • “What monitoring detects noncompliant endpoints?”

Hangup pattern: teams describe a strong policy but cannot produce repeatable evidence (configuration reports, logs, exception register). Missing implementation evidence is a known risk factor for this control. 1

Frequent implementation mistakes (and how to avoid them)

  1. Policy-only control design.
    Fix: pair each rule with an enforcing technology or a periodic control test that produces artifacts.

  2. Treating “home” as inherently trusted.
    Fix: define minimum home handling requirements (screen lock, secure storage, no shared family accounts) and train to them.

  3. Ignoring paper and prototypes.
    Fix: add paper and specialized equipment to scope, with chain-of-custody and disposal/return rules.

  4. No exception mechanism.
    Fix: create a lightweight exception register with approval, compensating controls, and review cadence.

  5. Third-party custody not covered.
    Fix: integrate off-premises custody into third-party due diligence and contract language, especially for device repair and logistics.

Enforcement context and risk implications

ISO/IEC 27001 is a certifiable standard, not a regulation with published penalties. Your practical risk is certification findings (minor/major nonconformities), customer trust impacts, and real-world incident exposure from loss or theft of portable assets. The control is often tested because it is easy to understand and frequently fails on evidence: auditors ask for endpoint encryption proof, asset assignment records, and incident handling examples. 2

Practical execution plan (30/60/90-day)

Use phases instead of calendar promises; adjust to your environment’s size and tooling.

Immediate

  • Assign control owner(s) across IT (technical) and GRC (governance).
  • Define off-premises scope and asset categories.
  • Identify current-state controls: encryption, MDM, VPN, removable media restrictions, asset inventory quality.
  • Create an evidence map for Annex A 7.9 (what report/log proves each requirement).

Near-term

  • Publish or update the off-premises asset handling standard with clear “must” rules.
  • Implement or tighten endpoint enforcement for portable devices (encryption/compliance reporting).
  • Stand up exception workflow and register.
  • Add third-party custody requirements to templates for procurement and security addenda.
  • Roll out focused training/attestation for staff who travel or handle sensitive assets.

Ongoing

  • Run recurring compliance reporting (encryption/MDM posture, device noncompliance follow-up).
  • Test the control via internal audit sampling (asset assignments, exceptions, incident tickets).
  • Review lost/stolen asset incidents for corrective actions and trend themes.
  • Refresh third-party assessments where they store/transport your assets.

If you need this to stay audit-ready with less manual chasing, Daydream is a practical fit for mapping Annex A 7.9 to an operating control, scheduling recurring evidence capture, and keeping exceptions and artifacts tied to the requirement for faster audits. 2

Frequently Asked Questions

Does Annex A 7.9 apply to remote employees working from home?

Yes if they take organization-managed assets or sensitive information off premises. Treat homes as off-premises locations and set minimum requirements for storage, screen locking, and incident reporting. 1

Are personal devices (BYOD) in scope?

If personal devices access or store organizational information, they create off-premises risk you must manage. Either prohibit BYOD for sensitive access or require controls like MDM, encryption, and the ability to remove organizational data.

What evidence is strongest for auditors for “assets off premises”?

System-generated compliance reports for encryption/MDM and clear asset assignment records typically test well. Pair those with training attestations, exception logs, and a small sample of incident tickets for lost/stolen assets.

How do we handle printed materials taken to client sites?

Minimize printing, require secure transport (sealed envelope or locked bag), and require secure return or approved destruction. Record high-sensitivity printouts through a sign-out or document control process when feasible.

Do we need chain-of-custody for shipments and repairs?

For higher-risk assets (devices with sensitive data, prototypes, removable media), chain-of-custody is a practical control expectation. Keep shipping receipts, tracking, receiving confirmation, and third-party acknowledgments of secure handling.

What’s the simplest way to manage exceptions without slowing the business?

Use a lightweight approval form with a defined expiry, required compensating controls, and a central exception register. Review exceptions periodically and close them promptly when the business need ends.

Footnotes

  1. ISMS.online Annex A control index

  2. ISO/IEC 27001 overview
