A.7.9 through A.7.11 — Asset Security Off-Premises
The Off-Premises Security Reality Check
Here's a truth that makes security managers uncomfortable: your organization's most sensitive data probably spends more time outside your secure perimeter than inside it. Laptops on trains, backup tapes in courier vans, engineers working from coffee shops with questionable WiFi—this is the reality of modern business. Controls 7.9 (Security of assets off-premises), 7.10 (Storage media), and 7.11 (Supporting utilities) address this uncomfortable reality head-on.
After auditing hundreds of organizations over 15 years, I can tell you these three controls are among the most frequently misunderstood and poorly implemented in the entire Annex A framework. I've seen organizations with fortress-level physical security at headquarters—mantraps, biometrics, 24/7 guards—yet they hand laptops containing customer databases to employees with nothing more than "don't lose it" as guidance.
Understanding the Off-Premises Security Triangle
Controls 7.9, 7.10, and 7.11 form what I call the off-premises security triangle. They're interconnected and must be implemented together to be effective. The ISO 27002:2022 guidance makes this clear—these aren't standalone controls but a coordinated approach to protecting assets beyond your physical control.
Control 7.9 (Security of assets off-premises) states that "off-site assets should be protected." The 2022 revision expanded this significantly, now explicitly covering BYOD devices and requiring specific protections like shoulder surfing prevention and remote wiping capabilities. This isn't just about laptops anymore—it's about any device that stores or processes information outside your premises.
Control 7.10 (Storage media) addresses the entire lifecycle of storage media according to your classification scheme. The updated guidance emphasizes secure deletion before asset transfers and maintaining chain of custody logs—requirements that trip up many organizations during audits.
Control 7.11 (Supporting utilities) often gets overlooked in off-premises discussions, but it's crucial. When assets leave your controlled environment, you lose oversight of power supplies, climate control, and physical infrastructure that keeps them operational and secure.
What Auditors Actually Look For
When I audit these controls, I'm looking for specific evidence that demonstrates systematic thinking, not just policy documents. Here's what separates compliant organizations from those that fail:
For Control 7.9 - Asset Protection Evidence
- Asset inventory with location status: Your asset register must distinguish between permanently off-site, temporarily off-site, and in-transit assets
- Authorization records: Evidence that equipment removal is authorized per the guidance in Control 5.15 (Access control)
- Protection measures documentation: Specific controls for each type of off-premises scenario, not generic "encrypt everything" policies
- Chain of custody logs: When assets transfer between parties, including secure deletion confirmation
- BYOD management: How personal devices used for business are identified, authorized, and protected
For Control 7.11 - Supporting Utilities Evidence
- Utility dependency mapping: Understanding what utilities your off-premises assets depend on
- Emergency procedures: Contact details for utility providers, emergency switches, backup power arrangements
- Regular inspections: Testing schedules for UPS systems, generators, and environmental controls
- Network isolation: Evidence that utility management systems are segregated from information processing facilities
Auditor Tip: I always ask to see evidence of the last three equipment removals and their authorizations. Organizations that can't produce this documentation immediately reveal gaps in their off-premises asset management.
Real-World Implementation Challenges
Let me share a case study from a recent audit. A mid-sized financial services firm had recently failed a client's security assessment. Their client had asked a simple question: "What happens to our data when your employees work from home?" The firm had no systematic answer.
When we dug into their practices, we found classic implementation failures:
- Employees routinely stored client financial data on personal laptops with basic password protection, violating Control 8.1 (User endpoint devices)
- Backup tapes were transported by a courier service with no contractual security requirements, missing the Control 5.20 (Addressing security within supplier relationships) connection
- Field engineers had admin credentials on laptops they left in vehicle boots overnight, ignoring Control 8.2 (Privileged access rights) requirements
- No asset register distinguished between on-premises and off-premises equipment, failing basic Control 5.9 (Inventory of information and other associated assets) requirements
This wasn't malice—it was a systematic failure to extend security thinking beyond office walls. They had great physical security at headquarters but forgot that headquarters isn't where modern work happens.
Practical Implementation Framework
Step 1: Asset Classification and Risk Assessment
Start by enhancing your asset inventory per Control 5.9. Create explicit categories based on the ISO 27002:2022 guidance:
- Permanently off-site assets: Equipment at employee homes, remote offices, colocation facilities
- Temporarily off-site assets: Laptops for client visits, equipment sent for repair, travel devices
- In-transit assets: Backup media being transported, equipment shipments
- Fixed installations: ATMs, antennas, remote sensors—these need enhanced physical security monitoring per Control 7.4
Each category requires different risk assessments and controls. A laptop permanently at an employee's home office needs different protections than one being couriered to a data center.
Step 2: Context-Appropriate Protection Measures
The ISO 27002:2022 guidance is clear—protection measures must be context-dependent. Consider:
- Data classification impact: Align with Control 5.12 (Classification of information). A laptop used only for email needs different protection than one containing source code or customer PII
- Physical environment risks: Home offices, client sites, public transport, and hotels all present different threat landscapes
- Duration and frequency: Permanent remote work setups need different controls than occasional travel
- User competency: Technical users may handle advanced security tools, while others need simpler, more automated protections
Step 3: Technical Controls Implementation
The 2022 revision specifically mentions several technical capabilities that auditors now expect to see:
- Location tracking: Know where your sensitive assets are, especially for high-value equipment
- Remote wiping capability: Essential for lost or stolen devices containing sensitive data
- Screen privacy protection: Controls against shoulder surfing on public transport
- Secure deletion: Before any asset transfer, ensure information that doesn't need to move is securely removed
Step 4: Supplier and Third-Party Considerations
Off-premises security inevitably involves third parties. This connects directly to Control 5.20 and the broader ISO 27036 series for supplier relationship security:
- Courier services: Contractual requirements for secure transport, including chain of custody
- Repair facilities: Data handling requirements before equipment leaves your premises
- Remote office providers: Co-working spaces, client sites, partner facilities
- Utility providers: For permanently installed off-premises equipment
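As an added illustration (not code from the article or its author) of the evidence auditors ask for under Control 7.9, the auditor tip about the last three equipment removals, and the Step 1 location categories, here is a small Python check run over a constructed asset register and chain-of-custody log. Field names such as removal_authorised_by and the sample asset IDs are assumptions for the example; it flags off-premises assets without an authorization record, confidential data off-site without encryption plus remote wipe, and transfers lacking secure-deletion confirmation.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Location categories from Step 1; "on_premises" covers the rest of the register.
OFF_PREMISES = {"permanently_off_site", "temporarily_off_site", "in_transit"}

@dataclass
class Asset:
    asset_id: str
    classification: str                 # label from the 5.12 classification scheme
    location_status: str                # "on_premises" or one of OFF_PREMISES
    encrypted: bool
    remote_wipe: bool                   # 7.9: remote wiping capability present
    removal_authorised_by: Optional[str] = None   # hypothetical field: who approved the removal
    removal_date: Optional[date] = None
@dataclass
class Transfer:                         # 7.10 chain-of-custody entry
    asset_id: str
    from_party: str
    to_party: str
    secure_deletion_confirmed: bool     # data that must not move was wiped before handover

def audit_register(assets, transfers):
    """Return (asset_id, finding) pairs an auditor of 7.9/7.10 would raise."""
    findings = []
    for a in assets:
        if a.location_status not in OFF_PREMISES:
            continue                    # on-premises assets are out of scope here
        if not a.removal_authorised_by:
            findings.append((a.asset_id, "off-premises with no removal authorisation record"))
        if a.classification == "confidential" and not (a.encrypted and a.remote_wipe):
            findings.append((a.asset_id, "confidential data off-site without encryption and remote wipe"))
    for t in transfers:
        if not t.secure_deletion_confirmed:
            findings.append((t.asset_id, f"transfer {t.from_party}->{t.to_party} lacks secure-deletion confirmation"))
    return findings

def last_removals(assets, n=3):
    """The auditor's request: the n most recent removals and who authorised each."""
    removed = sorted((a for a in assets if a.removal_date), key=lambda a: a.removal_date, reverse=True)
    return [(a.asset_id, a.removal_date.isoformat(), a.removal_authorised_by) for a in removed[:n]]

ASSETS = [  # constructed sample register (not real data)
    Asset("LT-001", "confidential", "permanently_off_site", True, True, "j.doe", date(2024, 3, 2)),
    Asset("LT-002", "confidential", "temporarily_off_site", True, False, "j.doe", date(2024, 5, 9)),
    Asset("TP-007", "confidential", "in_transit", True, False, None, date(2024, 5, 20)),
    Asset("LT-003", "internal", "on_premises", True, False),
    Asset("LT-004", "internal", "temporarily_off_site", False, False, "a.lee", date(2024, 4, 1)),
]
TRANSFERS = [Transfer("LT-002", "engineering", "repair-vendor", True),  # constructed custody log
             Transfer("TP-007", "dc-a", "courier", False)]
```

Running audit_register(ASSETS, TRANSFERS) on this sample yields four findings, all but one against the in-transit tape TP-007, and last_removals(ASSETS) shows that its removal has no authorizer on record.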
Supporting Utilities in the Off-Premises Context
Control 7.11 often gets overlooked because it seems facility-focused, but it's critical for off-premises assets. The guidance explicitly covers equipment connected to networks and internet connectivity—increasingly relevant for IoT devices and remote installations.
Key implementation points include:
- Diverse routing: Multiple utility feeds with different physical paths
- Network isolation: Utility management systems on separate networks from information processing
- Secure connectivity: Internet connections only when needed and properly secured
- Emergency procedures: Contact details readily available for outage scenarios
Common Implementation Pitfalls
Based on audit findings, here are the most common mistakes organizations make:
The "One-Size-Fits-All" Policy Trap: Creating blanket rules like "all laptops must be encrypted" without considering context, data classification, or user scenarios.
The Documentation vs. Reality Gap: Having comprehensive policies that don't reflect actual practices. I always test this by asking employees to demonstrate their off-premises security procedures.
The BYOD Blind Spot: Not addressing personal devices used for business purposes, which the 2022 revision explicitly requires.
The Supplier Security Disconnect: Failing to ensure third parties handling off-premises assets meet security requirements through proper contracts and monitoring.
Integration with Other Standards
These controls don't exist in isolation. For comprehensive implementation, consider:
- ISO 27017: For cloud-specific off-premises considerations
- ISO 27018: When off-premises assets handle personally identifiable information
- ISO 27036 series: For supplier relationship security aspects
- ISO 27040: For storage security specific guidance
Building a Sustainable Off-Premises Security Program
Effective off-premises security isn't about perfect control—it's about appropriate risk management. Start with your highest-risk scenarios and most valuable assets. Build monitoring and feedback loops to understand how your controls perform in practice.
Remember that off-premises security is fundamentally about trust and verification. You're trusting people and systems beyond your direct control, so your verification mechanisms—monitoring, reporting, periodic verification—become critical.
The modern workplace reality demands that we extend our security perimeters beyond traditional boundaries. Controls 7.9 through 7.11 provide the framework, but successful implementation requires understanding your specific context, risks, and operational realities.
For deeper insights into implementing these controls within a comprehensive ISMS framework, consider exploring our ISO 27001 Implementation Guide or connect with fellow practitioners in our ISO 27001 Information Hub Telegram community. If you're facing specific challenges with off-premises asset security, professional consultation can help you navigate the complexities of modern risk management while maintaining business agility.
Need personalized guidance? Reach our team at ix@isegrim-x.com.