The purpose of this ISO27001 control is to prevent the loss, damage, theft or compromise of off-site devices and interruption to the organisation's operations. The focus of the control is, as you would expect, on protecting information and other associated assets when they are not on sites you control. This could include tablets, mobile devices and laptops, data stored in cloud environments, or data shared with third parties.
The remit is therefore quite broad and needs careful consideration alongside other Annex A controls.
What does the standard require?
The standard states that “Off-site assets shall be protected.” (A7.9 – Security of assets off-premises).
It is possibly one of the shortest descriptions of any Annex A control, which means it is open to interpretation, and to misrepresentation, too.
Why is this required?
In Annex A control A7.3 you designed and implemented physical security for the offices, rooms and facilities that are under your control. But of course, information and other assets do not stay within the boundaries you can control.
Information exists on laptops, mobile phones and tablets. It also lives on thumb-drives and USB memory sticks. It exists in paper files and notebooks, and it exists with the third parties you share it with so that they can support your business.
If you fail to implement appropriate security measures to protect assets while they are off-site, then you could still suffer a data breach, and you would still be held liable for it.
We have seen and heard of suppliers losing information, laptops being stolen from the client site, and mobile phones being left in a bar. All of these are ‘off-site’ and your job is to ensure that even if this happens, assets are protected.
What the auditor is looking for
The auditor will be looking for evidence of a range of security measures that protect information when it is off-site. These measures typically include:
Privacy screens on equipment
Multi-Factor Authentication (MFA) enabled for logins
Encryption enabled on devices (A8.24 - Use of cryptography)
Clear Screen policies (A7.7 - Clear desk and clear screen)
Remote Working Policies and Procedures (A6.7 - Remote Working)
Supplier Agreements (A5.20 - Addressing information security within supplier agreements)
Awareness, Education and Training for personnel
Risk Register
Incident Logs
Although the control doesn’t specifically state that security must be designed and implemented, it is expected that you have considered what ‘off-site’ actually means to you and have implemented appropriate security.
For example, if you use third parties who process data for you, how do you interact with them and share data? Do they have access to your systems, or is data transferred via a courier? If you share hard-copy data, a courier may be necessary, and you need to implement security to protect that data while it is in transit and once it reaches the supplier. This may be covered in your supplier agreements (A5.20) and controlled via supplier reviews (A5.22).
What do you need to do?
In your Management Review Team (MRT) meeting, identify what ‘off-site’ actually means. Typically, it will include:
Home working
Public spaces
Storage facilities
Third-parties
For each of these locations, consider what assets they will have access to. This will give you some indication of how critical these locations are, and what kind of security controls you should put in place. You can cross-reference this with your Information Classification Scheme that you developed when implementing the Annex A control A5.12 (Classification of Information).
By following this approach, you can implement some or all of the controls mentioned above, such as privacy screens for those working in public spaces, or encrypted USB drives for those who share data with third parties.
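One way to make the location-by-classification exercise above repeatable, so that the gap list can be re-run whenever the asset register or the classification scheme changes, is to encode it as data. The script below is an added example written for this page; it is not part of the page's or the standard's own material. The location names, the classification scheme, the thresholds in the matrix, and the sample register are all hypothetical assumptions, and the constructed assets are not real devices.

```python
"""Off-site asset gap analysis (A7.9): an added example, not from the page.

The page's advice is to decide what 'off-site' means, list the assets each
location handles, and choose controls by information classification (A5.12).
This script encodes that location x classification matrix as data and reports,
per asset, which supporting measures are not yet evidenced. All names,
thresholds and assets below are hypothetical and constructed for illustration.
"""

from dataclasses import dataclass, field

# Hypothetical classification scheme (A5.12), ordered from least to most sensitive.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Measures the page lists as typical A7.9 evidence, with the Annex A control the
# page cites for each; those without a cited control are attributed to A7.9 itself.
CONTROL_REF = {
    "encryption": "A8.24",
    "clear_screen": "A7.7",
    "remote_working_policy": "A6.7",
    "supplier_agreement": "A5.20",
    "supplier_review": "A5.22",
    "mfa": "A7.9",
    "privacy_screen": "A7.9",
    "awareness_training": "A7.9",
}

# Hypothetical policy matrix: for each off-site location type, the measures that
# become mandatory once an asset's classification reaches the threshold.
# Thresholds are cumulative: a 'confidential' asset also needs the 'internal' set.
MATRIX = {
    "home": [
        ("internal", {"encryption", "mfa", "remote_working_policy"}),
        ("confidential", {"clear_screen"}),
    ],
    "public": [
        ("internal", {"encryption", "mfa", "privacy_screen"}),
        ("confidential", {"clear_screen", "awareness_training"}),
    ],
    "storage": [
        ("internal", {"encryption"}),
    ],
    "third_party": [
        ("internal", {"supplier_agreement"}),
        ("confidential", {"encryption", "supplier_review"}),
    ],
}


@dataclass
class Asset:
    """One entry in the off-site asset register (constructed data in this example)."""
    name: str
    location: str          # a key of MATRIX
    classification: str    # a key of CLASSIFICATION_RANK
    evidenced: set[str] = field(default_factory=set)  # measures with audit evidence


def required_measures(location: str, classification: str) -> set[str]:
    """Union of all measures whose threshold is at or below the classification."""
    if location not in MATRIX:
        # Mirrors the page's first step: the MRT must define what 'off-site' covers.
        raise ValueError(f"location {location!r} has not been defined as off-site")
    if classification not in CLASSIFICATION_RANK:
        raise ValueError(f"unknown classification {classification!r}")
    rank = CLASSIFICATION_RANK[classification]
    required: set[str] = set()
    for threshold, measures in MATRIX[location]:
        if CLASSIFICATION_RANK[threshold] <= rank:
            required |= measures
    return required


def gaps(asset: Asset) -> list[str]:
    """Required measures this asset lacks evidence for, as 'measure (control)'."""
    missing = required_measures(asset.location, asset.classification) - asset.evidenced
    return sorted(f"{m} ({CONTROL_REF[m]})" for m in missing)


def analyse(register: list[Asset]) -> dict[str, list[str]]:
    """Gap list per asset name; assets with no gaps map to an empty list."""
    return {a.name: gaps(a) for a in register}


# Constructed sample register (hypothetical assets, not real devices).
SAMPLE_REGISTER = [
    Asset("LPT-001", "home", "confidential", {"encryption", "mfa", "remote_working_policy"}),
    Asset("PHN-014", "public", "internal", {"mfa"}),
    Asset("BOX-3", "storage", "public"),
    Asset("SUP-ACME", "third_party", "restricted", {"supplier_agreement", "encryption"}),
]

if __name__ == "__main__":
    for name, missing in analyse(SAMPLE_REGISTER).items():
        print(f"{name}: {'OK' if not missing else ', '.join(missing)}")
```

Running it on the sample register flags the home laptop for a missing clear screen policy, the phone used in public spaces for missing encryption and privacy screen, and the supplier holding restricted data for a missing supplier review, while the public-classification archive box needs nothing. An asset at a location the MRT has not defined raises an error rather than silently passing, which is the behaviour you want from an evidence check.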
As always with these Annex A controls, it is important to look beyond the obvious, but also it’s important to work as a team to develop meaningful controls based on the way data is used.
Q & A
What contractual terms should be included in supplier agreements?
This is covered in more detail in the Annex A control A5.20 (Addressing information security within supplier agreements), but in brief, it is important to set out your expectations in relation to the data they are processing for you. You might, for example, require them to undergo regular audits or to demonstrate that their security meets a defined standard, such as ISO27001:2022.
It’s important to remember that this isn’t simply a ‘nice to have’. Article 28 of the General Data Protection Regulation (GDPR) places the responsibility on the data controller (i.e. you), to be satisfied that controls are in place.
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” (GDPR. A28 (Processor)).
Difficulty rating
We rate this a 2 out of 5 difficulty rating. This ISO27001 control isn’t technical, but does require some careful consideration of where data may be accessed and processed, and how it should be protected.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.