
Security of Assets Off-Premises

Updated: 2026-02-17

Plain English Translation

ISO 27001 Annex A.7.9 requires organizations to protect their physical assets—such as laptops, mobile phones, removable media, and paper records—when they are taken outside official facilities. This involves implementing rules and technical controls to secure company devices offsite, whether employees are working from home, traveling, or commuting, thereby minimizing the risk of theft, loss, or unauthorized access.

Executive Takeaway

Securing assets outside the traditional office perimeter is essential to prevent data breaches resulting from lost, stolen, or compromised remote devices.

Impact: High
Complexity: Medium

Why This Matters

  • Mitigates the risk of unauthorized access to sensitive data when physical devices are lost or stolen in public spaces.
  • Ensures compliance with regulatory frameworks that mandate strict protection of personal and corporate data, regardless of the physical location of the hardware.

What “Good” Looks Like

  • All portable devices are centrally managed, fully encrypted, and equipped with remote wipe capabilities, with device ownership and assignment tracking supported by tools like WatchDog Security's Asset Inventory.
  • A formal policy dictates acceptable use, travel restrictions, and immediate incident reporting procedures for lost equipment.

ISO 27001:2022 control A.7.9 is a physical security control requiring that any assets taken off-site, such as laptops, phones, or paper records, be protected against theft, compromise, and unauthorized access.

Organizations secure company devices offsite by enforcing strong passwords, enabling full-disk encryption, utilizing Mobile Device Management (MDM) software for remote tracking and wiping, and training employees on how to protect company laptops when working from home.

Organizations typically need a mobile device security policy, a remote work security checklist, and an overarching Asset Management Policy that dictates acceptable use, physical protection requirements, and reporting duties for assets outside the office.

Best practices to secure laptops while traveling for work include never leaving devices unattended in vehicles or hotel rooms, using privacy screens, avoiding public Wi-Fi without a VPN, and keeping devices as carry-on luggage.

While full-disk encryption on company laptops is a critical baseline component, it must be combined with strong authentication, physical security awareness, and timely incident reporting to fully satisfy the control.

An ISO 27001-compliant lost or stolen laptop procedure requires employees to immediately report the loss, allowing the IT team to execute a remote wipe, revoke access credentials, and log the security incident.

Auditors will look for an approved laptop security policy, MDM configuration screenshots showing encryption and remote wipe capabilities, and an active inventory tracking off-site assets and assignments. WatchDog Security's Compliance Center can help organize this evidence by control and highlight gaps when required artifacts or screenshots are missing.

Implementing mobile device management (MDM) for ISO 27001 compliance is highly recommended and widely considered the industry standard, as it provides the necessary centralized control to enforce encryption, push updates, and remotely wipe compromised remote work devices.

Organizations should maintain a centralized asset inventory mapping users to specific hardware, and require signed acknowledgments during the offsite equipment checkout and return process, ensuring individuals accept formal responsibility for the devices.

Physical security controls require devices in transit and paper records to be kept in locked briefcases or lockboxes, never left unattended in public spaces, and securely shredded or wiped when no longer needed.

Auditors typically want to see that each off-site asset has an owner, baseline protections, and evidence that controls are enforced over time. WatchDog Security's Asset Inventory can help maintain an accountable mapping of users to devices and produce exportable inventories that support A.7.9 evidence collection.

ISO-27001 A.7.9

"Off-site assets shall be protected."

Version | Date | Author | Description
1.0.0 | 2026-02-17 | GRC Team | Initial publication