A former contractor’s VPN credentials sit active for three months after their project ends. During that window, production databases are accessed, client records are exported, and nobody flags the activity because the account was never deprovisioned. This is the scenario ISO 27001 control 5.11 exists to prevent — and it plays out more often than most security teams want to admit.
What 5.11 Requires
ISO/IEC 27001:2022 control 5.11 requires your organization to enforce a formal process that retrieves all organizational assets — hardware, software, data, and access credentials — from any person the moment their employment, contract, or agreement ends or changes. That includes full-time employees, contractors, temporary staff, and any external party who was given access to your systems or information.
The scope is broader than most teams initially realize. “Return of assets” does not just mean collecting laptops and keycards. It means revoking VPN access, disabling SaaS accounts, recovering software licenses, wiping corporate data from personal devices, and ensuring that undocumented knowledge — system passwords stored in someone’s head, shadow IT accounts, local copies of sensitive files — gets transferred or eliminated.
Meeting these ISO 27001 compliance requirements matters because transition points are where security breaks down. When someone leaves or moves roles, there is a brief window where oversight weakens and risk concentrates. Without a defined process that triggers automatically, asset retrieval depends on memory and goodwill — neither of which scales.
Why 5.11 Matters
Organizations that fail to implement this control often discover the gap only after damage has occurred. In a common pattern, a departing employee retains access to cloud storage or email for weeks after their last day. During that period, they download client lists, proprietary documents, or source code — either out of habit, carelessness, or intent. The organization has no visibility because the account was never flagged for deprovisioning.
The risk class here is data exfiltration and unauthorized access — the same failure modes behind many of the most damaging data breaches — and the severity compounds with time. Every day an orphaned account stays active is another day it can be exploited — by the former employee directly, or by an attacker who compromises those forgotten credentials. Verizon found in their 2024 Data Breach Investigations Report that 19% of breaches involved internal actors, a figure that includes both malicious insiders and negligent departures where access was never revoked.
The financial cost of getting this wrong is significant. Insider-related incidents — whether malicious or negligent — cost organizations millions in investigation, remediation, and regulatory penalties. The reputational damage from a data breach traced back to a former employee’s active credentials is even harder to quantify.
The audit consequence is equally concrete. A certification body auditor will sample recent departures and ask for evidence that assets were returned and access was revoked on the last day. If your organization cannot produce that evidence, it is a non-conformity — and a straightforward one to prevent.
What Attackers Exploit
- Orphaned accounts: Former employee credentials remain active in identity providers, email systems, and SaaS applications, providing a ready-made entry point. Weak access control policies make this the most common failure mode.
- Unreturned devices: Laptops with cached credentials, local data copies, saved VPN configurations, and browser sessions that bypass MFA.
- BYOD gaps: Corporate data on personal devices with no mobile device management enrollment and no wipe capability.
- Contractor credential persistence: Shared service accounts or individual credentials issued to contractors that outlive the engagement.
- Missing knowledge transfer: Undocumented access paths, shadow IT accounts created by the departing person, and API keys embedded in local scripts.
- No exit checklist: The HR and IT handoff breaks down — HR processes the termination, but IT is never notified to disable accounts or collect hardware.
How to Implement 5.11
Implementing this control is less about technology and more about process discipline. The organizations that get this right integrate asset return into their existing HR and IT workflows so that it triggers automatically — not as an afterthought.
For Your Organization (First-Party)
1. Build and maintain an asset inventory. You cannot retrieve what you cannot track. Link every asset — physical device, software license, access credential — to the individual it was issued to. This maps directly to control 5.9 (Inventory of Information and Other Associated Assets) and is the foundation the entire return process depends on.
2. Define return triggers in your HR workflow. Resignation, termination, contract expiration, and role changes should all automatically initiate the asset return process. The trigger should come from HR, not from the departing person’s manager remembering to submit a ticket.
3. Create a standardized exit checklist. Cover every asset category: physical hardware (laptops, phones, tokens, keycards), access credentials (email, VPN, SaaS accounts, shared passwords), software licenses, data on personal devices, and knowledge documentation. Assign each item to a responsible party — IT for access revocation, facilities for physical access, the line manager for knowledge transfer.
4. Integrate IT and HR systems. When HR processes a departure in your HRIS, that event should auto-trigger IT deprovisioning workflows. Identity providers like Okta or Microsoft Entra ID can automate account suspension. MDM solutions like Jamf or Intune handle device wipes. ITSM platforms like Jira or ServiceNow track the checklist to completion. The goal is zero manual handoffs between HR and IT — every dependency should be automated or at least flagged with a tracked ticket. If your identity provider supports lifecycle management, configure it so that disabling the user account cascades across all connected SaaS applications.
5. Address BYOD explicitly. If employees use personal devices for work, you need either remote wipe capability through MDM or a signed data deletion declaration. Without one of these, you have no way to confirm corporate data has been removed from a device you do not own. Your BYOD policy should be agreed upon at onboarding — not introduced at offboarding. The declaration should specify which applications and data stores the person accessed on personal devices, and the employee should confirm in writing that corporate data has been removed. If your organization uses containerization (separating work data from personal data on the device), the wipe can target only the corporate container without affecting personal files.
6. Document everything. Timestamped sign-off records, exception logs, and audit trails are the evidence your auditor will request. If you completed the return but did not record it, it did not happen from a compliance perspective. Every exception — a laptop that could not be returned because the employee relocated, a shared account that required a password rotation instead of deletion — must be logged with a risk acceptance note and a follow-up date.
7. Handle exceptions with a defined escalation path. Not every departure will follow the standard process. Remote employees in other jurisdictions may need to ship hardware. Terminated employees may refuse to return devices. Shared service accounts may not have a single owner. For each of these scenarios, define the escalation path in advance: who approves the exception, what compensating controls apply (e.g., remote wipe instead of physical return, forced password rotation on shared accounts), and what the maximum acceptable delay is before the risk is escalated to management.
8. Review quarterly. Pull a sample of recent departures and verify the return process was followed completely. This catches process drift before your next surveillance audit does. The review should compare the departure date in your HRIS against the account deactivation date in your identity provider. Any gap greater than 24 hours warrants investigation. Track the results of these reviews as evidence — auditors will ask for them.
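The following Python script is an added example written for this article, not UpGuard code or a product feature. It shows steps 1, 3, 6 and 7 working together as data: an asset register that links each asset to a person, an exit checklist generated from it when a departure trigger fires, a responsible party per asset category, and a close-out rule that refuses to sign off while any item is neither returned nor covered by an exception that carries a risk-acceptance note and a follow-up date. The category names, owner mapping, asset identifiers and the departing contractor are all constructed assumptions.

```python
"""Exit-checklist builder driven by the asset register.

Constructed example for this article, not UpGuard code. Category names,
the owner mapping and the sample register are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Step 3: responsible party per asset category (assumed mapping).
OWNER_BY_CATEGORY = {
    "hardware": "IT",
    "credential": "IT",
    "license": "IT",
    "physical_access": "Facilities",
    "byod_data": "IT",
    "knowledge": "Line manager",
}


@dataclass
class Asset:
    asset_id: str
    category: str
    description: str
    assigned_to: Optional[str]  # cleared on return so the register stays current


@dataclass
class ChecklistItem:
    asset: Asset
    responsible: str
    status: str = "open"  # open | returned | exception
    signed_off_on: Optional[date] = None
    exception_note: Optional[str] = None
    follow_up_date: Optional[date] = None


def build_exit_checklist(register, person_id):
    """Step 1/3: every asset currently assigned to the person becomes an item."""
    return [
        ChecklistItem(asset=a, responsible=OWNER_BY_CATEGORY[a.category])
        for a in register
        if a.assigned_to == person_id
    ]


def mark_returned(item, on):
    """Record the return and clear the assignment in the register."""
    item.status = "returned"
    item.signed_off_on = on
    item.asset.assigned_to = None


def log_exception(item, note, follow_up, on):
    """Step 6/7: an exception is valid only with a risk-acceptance note and a follow-up date."""
    if not note or follow_up is None:
        raise ValueError("exception needs a risk acceptance note and a follow-up date")
    item.status = "exception"
    item.exception_note = note
    item.follow_up_date = follow_up
    item.signed_off_on = on


def outstanding(items):
    """Asset ids that have no sign-off yet."""
    return [i.asset.asset_id for i in items if i.status == "open"]


def can_close(items):
    """The checklist closes only when nothing is open and every exception is documented."""
    return not outstanding(items) and all(
        i.status == "returned" or (bool(i.exception_note) and i.follow_up_date is not None)
        for i in items
    )


def demo():
    """Constructed register: one departing contractor (c.ng) with mixed asset types."""
    register = [
        Asset("LT-0142", "hardware", "Laptop", "c.ng"),
        Asset("VPN-c.ng", "credential", "VPN account", "c.ng"),
        Asset("SAAS-crm-c.ng", "credential", "CRM login", "c.ng"),
        Asset("KC-0099", "physical_access", "Keycard", "c.ng"),
        Asset("LT-0150", "hardware", "Laptop", "j.doe"),  # another person's asset, untouched
    ]
    items = build_exit_checklist(register, "c.ng")
    by_id = {i.asset.asset_id: i for i in items}
    last_day = date(2024, 4, 5)
    mark_returned(by_id["VPN-c.ng"], last_day)
    mark_returned(by_id["SAAS-crm-c.ng"], last_day)
    mark_returned(by_id["KC-0099"], last_day)
    # Remote contractor still holds the laptop: log a compensating control, not a skip.
    log_exception(by_id["LT-0142"], "Remote wipe issued via MDM; courier return pending",
                  date(2024, 4, 19), last_day)
    return items, register


if __name__ == "__main__":
    items, _ = demo()
    for i in items:
        print(f"{i.asset.asset_id:16} {i.responsible:13} {i.status:10} {i.signed_off_on}")
    print("can close:", can_close(items))
```

The point of `can_close` is that an exception is a tracked state with its own evidence, not a way to skip an item; an auditor sampling this departure would see the laptop logged against a compensating control and a follow-up date rather than silently missing from the record.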
Common mistakes:
- Treating asset return as an HR-only responsibility with no IT involvement
- Covering terminations but ignoring role changes and internal transfers
- Having no BYOD data wipe capability or signed deletion confirmation
- Relying on the departing person to self-report which assets they hold
- Failing to update the asset register after assets are returned
For Your Vendors (Third-Party Assessment)
When assessing vendors against this control, your security questionnaire should go beyond a yes/no checkbox. A vendor risk management platform can help you track whether vendors maintain compliant offboarding processes over time.
Questions to ask:
- “Describe your offboarding process for personnel who had access to our data. What is the timeline for revoking access upon termination?”
- “How do you handle the return of assets for contractors and temporary staff, and does the process differ from full-time employees?”
Evidence to request: Offboarding policy document, a sample exit checklist (redacted), access revocation logs from a recent departure, and asset return records showing the process was followed end-to-end. Using an ISO 27001 vendor questionnaire template can standardize these requests across your vendor portfolio.
Red flags:
- No documented offboarding process — “we handle it on a case-by-case basis”
- No distinction between employee and contractor offboarding
- No BYOD or personal device policy
- Vague timelines for access revocation (“within a reasonable period”)
Verification beyond self-attestation: Ask the vendor for evidence from a specific recent offboarding event (redacted for privacy). Cross-reference the departure date against access revocation logs. If the gap between departure and deprovisioning exceeds 24 hours, probe further. Look specifically for whether the vendor’s process covers contractors and temporary staff with the same rigor as full-time employees — this is where most vendor offboarding processes break down. Security questionnaire automation can streamline this evidence collection process.
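The departure-to-deprovisioning comparison described in step 8 above and in the vendor verification paragraph here is the same check applied to two data sets, so one added example covers both. The script below is written for this article and is not UpGuard code: it reconciles a list of HRIS departure dates against an identity-provider event export, flags any account whose first disable event comes more than 24 hours after the last day or is missing entirely, and counts sessions that started after the last day but before the account was disabled. The HRIS records, the event export and the event type names (`user.lifecycle.deactivate`, `user.session.start`) are constructed assumptions standing in for whatever your HRIS and identity provider actually emit.

```python
"""Departure-to-deprovisioning reconciliation.

Constructed example for this article, not UpGuard code. The sample data and
event type names are assumptions; swap in your own HRIS and IdP exports.
"""
from datetime import datetime, timedelta

MAX_GAP = timedelta(hours=24)  # the 24-hour threshold used in the article

# Assumed event type names in the identity-provider export.
DEACTIVATE_EVENTS = {"user.lifecycle.deactivate", "user.lifecycle.suspend"}
SESSION_EVENTS = {"user.session.start"}

# Constructed HRIS export: one row per departure.
HRIS_DEPARTURES = [
    {"user": "alice", "last_day": "2024-03-29T17:00:00Z"},
    {"user": "bob", "last_day": "2024-04-05T17:00:00Z"},
    {"user": "carol", "last_day": "2024-04-12T17:00:00Z"},
]

# Constructed identity-provider event export.
IDP_EVENTS = [
    {"user": "alice", "event": "user.lifecycle.deactivate", "ts": "2024-03-29T17:42:10Z"},
    {"user": "bob", "event": "user.session.start", "ts": "2024-04-20T08:00:00Z"},
    {"user": "bob", "event": "user.lifecycle.deactivate", "ts": "2024-05-20T09:15:00Z"},
    # carol: no deactivation event at all
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp; accept a trailing Z for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reconcile(departures, idp_events, max_gap=MAX_GAP):
    """Return one finding per departure: ok, late (gap > max_gap) or missing."""
    events_by_user = {}
    for e in idp_events:
        events_by_user.setdefault(e["user"], []).append((parse_ts(e["ts"]), e["event"]))

    findings = {}
    for d in departures:
        user = d["user"]
        last_day = parse_ts(d["last_day"])
        events = sorted(events_by_user.get(user, []))
        disabled_at = next((ts for ts, ev in events if ev in DEACTIVATE_EVENTS), None)

        if disabled_at is None:
            # Account never disabled: any session after the last day is live exposure.
            sessions = sum(1 for ts, ev in events if ev in SESSION_EVENTS and ts > last_day)
            findings[user] = {"status": "missing", "gap_hours": None,
                              "post_departure_sessions": sessions}
            continue

        # Disabling early is fine; only a positive gap counts against the threshold.
        gap = max(disabled_at - last_day, timedelta(0))
        sessions = sum(1 for ts, ev in events
                       if ev in SESSION_EVENTS and last_day < ts < disabled_at)
        findings[user] = {
            "status": "late" if gap > max_gap else "ok",
            "gap_hours": round(gap.total_seconds() / 3600, 2),
            "post_departure_sessions": sessions,
        }
    return findings


def needs_investigation(findings):
    """Users whose departure record does not reconcile within the threshold."""
    return sorted(u for u, f in findings.items() if f["status"] != "ok")


if __name__ == "__main__":
    result = reconcile(HRIS_DEPARTURES, IDP_EVENTS)
    for user, f in result.items():
        print(f"{user:8} {f['status']:8} gap={f['gap_hours']} "
              f"post-departure sessions={f['post_departure_sessions']}")
    print("investigate:", needs_investigation(result))
```

Run against a quarter's departures, the output is the evidence artifact step 8 asks you to keep: every row is either within threshold or carries a named gap to investigate. Against a vendor's redacted exports it answers the same question the verification paragraph poses, and the session count shows whether the gap was merely a paperwork delay or an account that was actually used after the last day.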
Audit Evidence for 5.11
| Evidence Type | Example Artifact |
|---|---|
| Policy | Asset Return Policy defining return triggers, timelines, responsible parties, and exception handling procedures |
| Process documentation | Offboarding checklist template with sign-off fields for IT, HR, and line manager |
| Asset register | Asset inventory log showing assignment history, return dates, and current status per device |
| Access logs | Identity provider export showing account disable/delete timestamps aligned to departure dates |
| BYOD records | Signed data deletion declarations or MDM remote wipe confirmation logs |
| Contractual clauses | Employment and contractor agreement excerpts containing asset return obligations |
| Audit trail | Completed exit checklists from recent departures with timestamped sign-offs |
| Exception records | Documented exceptions where return was delayed, with risk acceptance and follow-up actions |
Cross-Framework Mapping
| Framework | Equivalent Control(s) | Coverage |
|---|---|---|
| NIST 800-53 | PS-04 (Personnel Termination) | Full |
| NIST 800-53 | PS-05 (Personnel Transfer) | Full |
| SOC 2 | CC6.2 (Prior to Issuing System Credentials and Granting System Access) | Partial |
| SOC 2 | CC6.3 (Based on Authorization, Access to Protected Information Assets) | Partial |
| CIS Controls v8.1 | 6.2 (Establish an Access Revoking Process) | Partial |
| NIST CSF 2.0 | PR.AA-02 (Identities and credentials are managed) | Partial |
| DORA (EU) | Article 9 (ICT risk management framework — access control provisions) | Partial |
Related ISO 27001 Controls
| Control ID | Control Name | Relationship |
|---|---|---|
| 5.9 | Inventory of Information and Other Associated Assets | Provides the asset register that 5.11 depends on to identify what must be returned |
| 5.10 | Acceptable Use of Information and Other Associated Assets | Establishes the use rules that define return obligations at assignment |
| 5.12 | Classification of Information | Determines handling and return priority based on information sensitivity |
| 6.1 | Screening | Part of the full employee lifecycle — screening at entry, asset return at exit |
| 6.2 | Terms and Conditions of Employment | The contractual foundation that gives legal weight to return requirements |
| 6.5 | Responsibilities After Termination or Change of Employment | Covers ongoing obligations that extend beyond the physical return of assets |
| 5.18 | Access Rights | Access revocation is the digital counterpart to physical asset retrieval |
| 7.14 | Secure Disposal or Reuse of Equipment | Governs what happens to devices after they are returned and before reissue |
| 8.10 | Information Deletion | Ensures data is properly removed from returned devices and personal equipment |
Frequently Asked Questions
What is ISO 27001 5.11?
ISO 27001 5.11 is an organizational control that requires a formal process for collecting all company assets — hardware, software, data, and access credentials — from personnel and third parties when their employment, contract, or agreement ends or changes. The control covers physical devices like laptops and keycards, digital assets like SaaS accounts, and less tangible items like knowledge of system access paths. It is classified as a preventive control and sits within Domain 5 (Organizational Controls) of ISO 27001:2022. For a broader view of compliance terminology, see UpGuard’s information security glossary.
What happens if 5.11 is not implemented?
Without a formal return of assets process, organizations face orphaned accounts that remain active long after a person departs, creating an entry point for unauthorized access or data exfiltration. Auditors will flag the absence as a non-conformity during certification or surveillance audits. The downstream risk includes regulatory exposure, intellectual property loss, and the inability to demonstrate that the organization controls its own information assets. In practice, this control is one of the most commonly cited non-conformities in ISO 27001 audits because it is straightforward to verify — auditors simply sample recent departures and check whether the process was followed.
How do you audit 5.11?
Auditors typically select a sample of recent departures — both employees and contractors — and request evidence that assets were returned and access was revoked on or before the last day. They check the asset register for status updates, review identity provider logs for account deactivation timestamps, and examine completed exit checklists for sign-offs. The strongest audit performance comes from organizations that can produce a complete, timestamped trail for any departure within the past 12 months.
How UpGuard Helps
Track Vendor Compliance with Asset Return Controls
UpGuard’s platform gives you continuous visibility into whether your vendors maintain the offboarding and access control processes that ISO 27001 5.11 demands. Instead of relying on annual questionnaires, you can monitor vendor security posture in real time and identify gaps in personnel controls before they become audit findings. Explore the platform.