ISO 27001 7.9: Security of Assets Off-Premises

A laptop stolen from a parked car. An unencrypted USB drive left on a train. Assets leave the physical perimeter every day, and most organizations treat that reality as someone else’s problem until a lost device triggers breach notification obligations and forces an uncomfortable conversation with regulators. ISO 27001 7.9 exists because the perimeter no longer ends at the office door.

What 7.9 requires

ISO 27001 Annex A Control 7.9 requires organizations to protect devices and information carried or used outside organizational premises, covering the full lifecycle of off-site asset handling from authorization through incident response. This control applies to laptops, mobile phones, tablets, removable media, and permanently installed off-site equipment such as ATMs, kiosks, and field sensors.

The practical scope is broader than most teams initially assume. Once an asset crosses the physical perimeter, the threat model shifts fundamentally. Theft, loss, shoulder surfing, unsecured networks, and environmental damage replace the controlled conditions that on-premises security provides. Control 7.9 addresses this shift by requiring organizations to maintain protections that travel with the asset, not protections that depend on the building.

Implementation centers on five pillars. Authorization controls determine who can take what off-premises and under what conditions. Asset tracking maintains visibility into which devices are outside the facility and who is responsible for them. Encryption ensures data remains protected even when the device is physically compromised. Remote management capabilities provide the ability to lock, wipe, or audit devices regardless of their location. Incident response procedures define what happens when an off-premises asset is lost, stolen, or tampered with.

The control also covers permanently installed equipment that operates outside the primary security perimeter. Retail kiosks, industrial sensors, and branch office infrastructure all fall within scope. These assets present unique challenges because they often run unattended for extended periods, making physical tampering and credential compromise harder to detect.

Most organizations address laptop encryption and call it done. That approach misses removable media, ignores permanently installed equipment, and leaves behavioral risks completely unmanaged. A mature implementation treats 7.9 as a system of interlocking controls rather than a single technical checkbox.

Why 7.9 matters

A mid-sized financial services firm with 400 remote employees discovers that a laptop containing unencrypted customer Personally Identifiable Information (PII) was stolen from an employee’s vehicle overnight. The theft triggers mandatory breach notification under multiple state privacy laws, requires engagement with affected customers, and draws regulatory scrutiny into the organization’s broader data protection practices.

The cost of the incident extends far beyond the replacement hardware. As NIST SP 800-122 notes, PII located offsite is more vulnerable to unauthorized access because it is more likely to be lost or stolen than information stored within the organization’s perimeter.

The risk class here is data exposure through physical asset compromise, and the severity escalates rapidly when encryption and remote wipe capabilities are not enforced. Without control 7.9, every device that leaves the building becomes an unmanaged attack surface. The organization cannot verify what data is on the device, whether that data is encrypted, or whether the device can be remotely disabled.

This control also addresses a gap that many organizations overlook in their risk assessments. Remote and hybrid work models mean that off-premises is now the default operating state for most knowledge workers, not an exception. Treating off-premises asset security as a secondary concern ignores the reality that the majority of endpoint risk now exists outside the physical perimeter.

What attackers exploit

Specific failure modes tied to off-premises asset security include:

  • Unencrypted devices lost or stolen in transit: Devices without Full Disk Encryption (FDE) expose all stored data the moment physical possession changes hands.
  • Devices left unattended in public spaces: Cafes, hotel lobbies, conference venues, and trains are common locations where opportunistic theft occurs.
  • Shoulder surfing and visual eavesdropping: Sensitive information displayed on screens in shared spaces can be captured without any technical compromise.
  • Unsecured Wi-Fi connections without VPN enforcement: Devices connecting to untrusted networks without encrypted tunnels expose authentication credentials and session data.
  • No remote wipe capability when theft is reported: Organizations that cannot remotely erase a stolen device have no way to contain the exposure after the fact.
  • BYOD devices with no managed container: Personal devices accessing corporate data without technical separation between work and personal environments create uncontrolled data residency.
  • Permanently installed equipment with default credentials: Kiosks, field devices, and branch infrastructure running factory settings or lacking tamper detection are vulnerable to physical manipulation.

How to implement 7.9

For your organization (first-party)

Start with an asset register that tracks which devices are authorized for off-premises use, who holds custodial responsibility, and when the last compliance check occurred. This register must be a living document updated as devices are issued, returned, or reassigned. A static inventory created during initial certification and never revisited is one of the most common audit findings for this control.

Enforce FDE on all portable devices using AES-256 as the minimum standard. This includes laptops, tablets, and USB drives. Many organizations encrypt laptops through their Mobile Device Management (MDM) platform but overlook removable media entirely. A single unencrypted USB drive containing export-controlled data creates the same regulatory exposure as an unencrypted laptop.

Deploy MDM or Unified Endpoint Management (UEM) for remote lock, wipe, and compliance monitoring. For a structured approach, use an implementation checklist to track progress across all required controls. The critical step most teams skip is testing. Enrolling devices in MDM is not the same as verifying that a remote wipe command actually executes within an acceptable timeframe. Run tabletop exercises that simulate a stolen device report and measure the end-to-end response, from initial report through confirmed data destruction.

Require Multi-Factor Authentication (MFA) for all remote access and mandate either VPN or Zero Trust Network Access (ZTNA) for connections over untrusted networks. These controls address the network-layer risks that emerge when devices operate outside the corporate perimeter.

Create a topic-specific policy covering off-premises asset handling, Bring Your Own Device (BYOD) rules, and incident reporting timelines. The policy should define acceptable use, physical handling requirements such as locked storage when unattended, and the maximum time permitted between discovering a loss and reporting it.

Train staff on physical security behaviors. Technical controls fail when an employee leaves an unlocked laptop visible in a parked car. Privacy screens, cable locks, and secure hotel storage are low-cost measures that reduce opportunistic theft. For permanently installed equipment, specify tamper-evident enclosures, remote health monitoring, and encrypted communications back to central management systems.

Common mistakes to avoid:

  • Encrypting laptops but ignoring USB drives and removable media
  • Having MDM enrolled but remote wipe procedures untested
  • No formal BYOD policy, allowing personal devices to access corporate data without managed containers
  • Treating the asset register as a one-time exercise rather than a living document
  • Focusing exclusively on technical controls while ignoring behavioral training

For your vendors (third-party assessment)

When assessing vendors against this control, the central question is how they protect organizational assets when employees work remotely or travel. Understanding broader third-party risk requirements under ISO 27001 provides essential context for this assessment. Request their mobile device policy, MDM configuration screenshots, encryption enforcement reports, and asset inventory samples. Ask specifically about their incident response process for lost or stolen devices containing customer data.

Red flags during vendor assessment:

  • The vendor cannot produce an asset inventory or MDM enrollment report
  • Policy exists but has no enforcement mechanism, for example encryption that is “recommended” rather than “required”
  • No tested remote wipe procedure documented
  • BYOD is allowed with no technical separation of personal and corporate data

Verification should go beyond self-attestation. Request MDM dashboard screenshots showing current encryption compliance rates across the enrolled device fleet. Ask for recent incident response records that demonstrate the process was followed when a device was actually lost or stolen. A vendor that has never tested their remote wipe procedure does not actually have a remote wipe capability. A vendor questionnaire template can help standardize these evidence requests across your supply chain.

Audit evidence for 7.9

Auditors expect documented artifacts that demonstrate both policy-level governance and operational enforcement. The evidence types typically reviewed during a surveillance or certification audit are listed below, each with an example artifact.

  • Off-premises asset policy: Mobile device and off-site work policy defining authorized use, physical handling rules, encryption requirements, and incident reporting timelines
  • Asset register: Inventory showing device serial numbers, assigned custodians, off-premises status, and last compliance check date
  • Encryption enforcement report: MDM dashboard export showing FDE status across all enrolled devices
  • Remote wipe test records: Documented test of remote wipe capability with timestamps and confirmation of data destruction
  • Training completion records: Sign-off records showing staff completed off-premises security awareness training
  • Incident response log: Records of lost or stolen device incidents including response timeline and remediation actions
  • BYOD enrollment records: MDM enrollment confirmation for personal devices with managed container configuration
  • Physical security checklist: Completed checklists for permanently installed off-site equipment inspections

The gap most organizations discover during their first ISO 27001 audit is the distance between having a policy and proving the policy is enforced. An encryption policy without an MDM report showing 100% FDE compliance across enrolled devices creates a nonconformity. Auditors look for the closed loop between documented requirements and verifiable operational evidence.
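One way to produce that closed loop is to reconcile the asset register described under implementation against the MDM export the auditor asks for. The script below is an added example, not code from the page or from any MDM product; the register and export rows are constructed, the field names (serial, custodian, off_premises, last_check, fde_enabled, wipe_test_seconds) are assumptions, and the 90-day check age and 4-hour wipe confirmation limit are illustrative policy values.

```python
from datetime import date
MAX_CHECK_AGE_DAYS = 90      # assumed policy: compliance check at least quarterly
MAX_WIPE_SECONDS = 4 * 3600  # assumed policy: remote wipe must confirm within 4 hours

# Constructed asset register rows: serial, custodian, off-premises flag, last compliance check
REGISTER = [
    {"serial": "LT-0001", "custodian": "a.ng", "off_premises": True, "last_check": "2024-05-02"},
    {"serial": "LT-0002", "custodian": "b.rao", "off_premises": True, "last_check": "2023-11-14"},
    {"serial": "USB-0100", "custodian": "b.rao", "off_premises": True, "last_check": "2024-04-20"},
    {"serial": "LT-0003", "custodian": "c.diaz", "off_premises": True, "last_check": "2024-05-09"},
]

# Constructed MDM export keyed by serial; USB-0100 is missing on purpose (removable media never enrolled)
MDM_EXPORT = {
    "LT-0001": {"fde_enabled": True, "wipe_test_seconds": 1800},
    "LT-0002": {"fde_enabled": False, "wipe_test_seconds": 900},
    "LT-0003": {"fde_enabled": True, "wipe_test_seconds": None},  # wipe never tested
}

def find_nonconformities(register, mdm, today=date(2024, 6, 1)):
    """Return {serial: [finding, ...]} for each off-premises asset with a gap."""
    findings = {}
    for asset in register:
        if not asset["off_premises"]:
            continue  # on-premises equipment is outside the scope of 7.9
        issues = []
        record = mdm.get(asset["serial"])
        if record is None:
            issues.append("not enrolled in MDM")
        else:
            if not record["fde_enabled"]:
                issues.append("full disk encryption disabled")
            if record["wipe_test_seconds"] is None:
                issues.append("remote wipe never tested")
            elif record["wipe_test_seconds"] > MAX_WIPE_SECONDS:
                issues.append("remote wipe slower than policy limit")
        if (today - date.fromisoformat(asset["last_check"])).days > MAX_CHECK_AGE_DAYS:
            issues.append("compliance check overdue")
        if issues:
            findings[asset["serial"]] = issues
    return findings

def fde_compliance_rate(register, mdm):
    """Fraction of off-premises assets that are both enrolled in MDM and encrypted."""
    scope = [a for a in register if a["off_premises"]]
    encrypted = sum(1 for a in scope if mdm.get(a["serial"], {}).get("fde_enabled"))
    return encrypted / len(scope) if scope else 1.0

if __name__ == "__main__":  # stand-alone run over the constructed data
    print(find_nonconformities(REGISTER, MDM_EXPORT), fde_compliance_rate(REGISTER, MDM_EXPORT))
```

Anything less than an empty findings dictionary and a 100% rate is the nonconformity described above, and the unenrolled USB drive shows why an MDM dashboard alone is not the evidence; the register is what defines the population.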

Cross-framework mapping

Control 7.9 maps to equivalent requirements across several major compliance frameworks. Organizations managing multi-framework compliance programs can use these mappings to consolidate evidence collection and reduce duplicated effort.

Framework, equivalent control(s), and coverage:

  • NIST 800-53, AC-19 (Access Control for Mobile Devices): Full
  • NIST 800-53, AC-20 (Use of External Systems): Full
  • NIST 800-53, MP-05 (Media Transport): Full
  • NIST 800-53, PE-17 (Alternate Work Site): Full
  • SOC 2, CC6.1 (Logical and Physical Access Controls): Partial
  • CIS Controls v8.1, Control 1 (Inventory and Control of Enterprise Assets): Partial
  • NIST CSF 2.0, PR.AC (Identity Management, Authentication, and Access Control): Partial
  • DORA (EU), Article 9 (ICT Risk Management Framework, protection): Partial

The NIST 800-53 mappings provide the most complete coverage alignment. Organizations already compliant with AC-19 and PE-17 will find that most of the evidence required for 7.9 is already being collected, though the ISO audit format may require repackaging.

Control 7.9 operates within a cluster of physical and logical security controls. Understanding these relationships helps organizations avoid gaps between related requirements and identify where evidence can be shared across controls.

Related control and its relationship to 7.9:

  • 6.7 Remote working: Overlapping scope; 6.7 covers the work environment, 7.9 covers the assets within it
  • 7.1 Physical security perimeters: Defines the boundary beyond which 7.9 protects assets
  • 7.4 Physical security monitoring: Monitoring mechanisms applicable to permanently installed off-site equipment
  • 7.5 Protecting against physical and environmental threats: Environmental safeguards for off-site equipment
  • 7.8 Equipment siting and protection: Counterpart control for on-premises equipment
  • 7.10 Storage media: Media handling rules that extend to removable media taken off-premises
  • 8.1 User endpoint devices: Technical controls for the devices 7.9 physically protects
  • 7.14 Secure disposal or reuse of equipment: Applies when off-premises assets are decommissioned or transferred
  • 5.10 Acceptable use of information and other associated assets: Policy foundation for off-premises asset handling rules

The relationship between 7.9 and 8.1 deserves particular attention. Control 8.1 addresses the technical configuration and management of endpoint devices, while 7.9 addresses their physical protection when off-premises. An organization can satisfy 8.1 with strong endpoint hardening and still fail 7.9 if there is no process for tracking which hardened devices are outside the facility.

Frequently asked questions

What is ISO 27001 7.9?

ISO 27001 7.9 is an Annex A control that requires organizations to protect information-processing equipment used or stored outside their physical premises. It covers laptops, mobile devices, removable media, and permanently installed off-site equipment, mandating controls for authorization, encryption, remote management, and incident response.

What happens if 7.9 is not implemented?

Without 7.9, a lost or stolen device becomes a data breach with no containment options. Organizations face regulatory penalties, mandatory breach notification costs, reputational damage, and potential loss of ISO 27001 certification because physical loss of a device equates to complete loss of control over the data it contains.

How do you audit 7.9?

Auditors verify 7.9 by examining the off-premises asset policy, the asset register, and operational evidence that technical controls are enforced. They look for MDM reports confirming encryption compliance, documented remote wipe tests, training records, and incident response logs to close the loop between what the policy requires and what is happening in practice.

How UpGuard helps

Managing off-premises asset security across your own organization is one challenge. Verifying that your vendors maintain the same rigor is another.

  • Vendor Risk: Gives security teams continuous visibility into third-party security practices, including how vendors protect devices and data outside their premises. Automates vendor security assessments, monitors for control gaps, and provides evidence collection workflows that map directly to ISO 27001 requirements.
