A.5.11 through A.5.14 — Asset Returns, Classification, Labelling and Transfer
A.5.11 — Return of Assets: The Termination Control That Reveals Everything
Control A.5.11 requires that "personnel and other interested parties should return all the organization's assets in their possession upon change or termination of their employment, contract or agreement." Simple on paper, catastrophic in practice when poorly implemented.
This control is where I consistently find the most embarrassing gaps during audits. Organizations obsess over asset inventories (Control 5.9) but fail spectacularly when someone actually leaves. The 2022 revision's emphasis on "other interested parties" has exposed even more weaknesses as organizations struggle with contractor, consultant, and vendor offboarding.
What the Auditor Looks For
When auditing A.5.11, I examine five critical areas:
- Integrated HR workflows — Is asset return embedded in termination processes or a separate checklist that gets skipped?
- Complete asset coverage — Can you identify every asset assigned to an individual, including non-physical items like credentials and API keys?
- Contractor inclusion — Does your process cover consultants, temps, and vendor personnel with the same rigor as employees?
- Exception handling — What happens when assets can't be returned (theft, damage, remote work scenarios)?
- Execution evidence — Can you prove the process actually ran for recent terminations?
The most revealing audit question I ask: "Show me the last ten terminations and their associated asset return records." The silence that follows tells me everything about an organization's actual capabilities versus their documented procedures.
Common Implementation Failures
I recently audited a financial services firm with an apparently comprehensive offboarding checklist. HR had signed off on everything, IT confirmed laptop returns, facilities collected badges. Then I discovered three departing employees retained corporate mobile phones that were never inventoried, authentication tokens sitting in desk drawers, and printed documents with no tracking mechanism.
The core issue wasn't malice—it was the gap between what they thought they controlled and what they actually controlled. Their asset inventory (Control 5.9) was incomplete, making comprehensive return impossible. This is why these Annex A controls are interconnected.
Effective implementation requires linking asset return to final payment or contract closure. Nothing motivates compliance like holding the last paycheck. For contractors working under ISO/IEC 27036 supplier security arrangements, make final invoice payment contingent on verified asset return.
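As an added example (not from this article), here is the reconciliation an auditor is really asking for with "show me the last ten terminations": it joins a termination list against the asset inventory and the offboarding return log, and treats API keys and tokens as assets to be revoked just like laptops and phones. All users, asset IDs and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (hypothetical users, assets and dates).
TERMINATIONS = {"u1001": date(2024, 3, 29), "u1002": date(2024, 4, 12)}

# Inventory entries: (asset_id, assigned_to, kind). Non-physical assets such as
# API keys are listed so that revocation is checked like a physical return.
INVENTORY = [
    ("LT-0450", "u1001", "laptop"),
    ("PH-0912", "u1001", "mobile_phone"),
    ("TK-0077", "u1001", "hardware_token"),
    ("KEY-prod-17", "u1001", "api_key"),
    ("LT-0461", "u1002", "laptop"),
    ("KEY-prod-22", "u1002", "api_key"),
    ("LT-0470", "u1003", "laptop"),  # u1003 is still employed
]

# Return/revocation log as recorded by HR and IT: (asset_id, owner, returned_on).
RETURNS = [
    ("LT-0450", "u1001", date(2024, 3, 29)),
    ("TK-0077", "u1001", date(2024, 4, 3)),
    ("LT-0461", "u1002", date(2024, 4, 12)),
    ("KEY-prod-22", "u1002", date(2024, 4, 12)),
]


@dataclass(frozen=True)
class Finding:
    user: str
    asset_id: str
    kind: str
    issue: str  # "not_returned" or "returned_late"


def reconcile(terminations, inventory, returns, grace_days=1):
    """One Finding per asset held by a departed person that was never
    returned, or was returned more than grace_days after the leaving date."""
    returned_on = {(asset_id, owner): when for asset_id, owner, when in returns}
    findings = []
    for asset_id, owner, kind in inventory:
        if owner not in terminations:
            continue  # current staff are out of scope for this control
        when = returned_on.get((asset_id, owner))
        if when is None:
            findings.append(Finding(owner, asset_id, kind, "not_returned"))
        elif (when - terminations[owner]).days > grace_days:
            findings.append(Finding(owner, asset_id, kind, "returned_late"))
    return findings
```

Running it against a real HR export, inventory and return log is the evidence the auditor wants to see for each recent leaver.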
A.5.12 — Classification of Information: The Foundation Nobody Builds
Control A.5.12 mandates that "information should be classified according to the information security needs of the organization based on confidentiality, integrity and availability." Most organizations focus exclusively on confidentiality and ignore the other two pillars of the CIA triad entirely.
During a recent manufacturing audit, I found a classification scheme with four confidentiality levels but zero consideration of integrity or availability requirements. Their "Public" information included production schedules that, if corrupted, could halt operations for days. They classified based on disclosure risk while ignoring modification and destruction risks.
Building Practical Classification Schemes
Effective classification schemes share common characteristics. They're simple—typically three to four levels maximum. They address all three security properties, not just confidentiality. They include clear handling instructions that people can actually follow.
Here's a practical framework I recommend:
- Public — Information intended for public release with minimal integrity/availability requirements
- Internal — Information for internal use with standard protection requirements
- Confidential — Information requiring enhanced protection with elevated integrity/availability needs
- Restricted — Information requiring maximum protection across all three security properties
Each level should specify handling requirements for storage, transmission, access, and disposal. The key is making these requirements practical and enforceable, not aspirational.
What Auditors Actually Verify
I test classification effectiveness by examining random information samples and asking: "How was this classified, by whom, and what handling requirements apply?" If staff can't answer immediately, the classification scheme exists only on paper.
Successful organizations train users on classification criteria and embed classification decisions into information creation workflows. They also regularly review and update classifications as information sensitivity changes over time.
A.5.13 — Labelling of Information: Making Classification Visible
Control A.5.13 requires that "an appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization." This is where abstract classification becomes visible reality.
Labelling failures fall into predictable patterns. Organizations implement labelling for electronic documents but ignore physical media, presentations, and verbal communications. They create labels so complex that users ignore them or so vague they provide no guidance.
Practical Labelling Implementation
Effective labelling covers all information types and formats. Electronic documents need metadata and visual indicators. Physical documents require headers, footers, and watermarks. Presentations need consistent slide markings. Even verbal communications need standard opening disclaimers for sensitive discussions.
The most successful labelling schemes I've seen integrate with existing business tools. Email systems automatically append classification markings based on content analysis or sender selection. Document management systems require classification before saving. Presentation templates include classification placeholders.
Consider implementing automated labelling for common scenarios. Email containing specific keywords or sent to external domains can be automatically marked. Documents created in certain folders can inherit parent directory classifications. This reduces user burden while ensuring consistency.
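An added example (not code from the article) of the two automation patterns just described: keyword-based email marking that also flags external recipients, and documents inheriting the classification of the nearest labelled parent folder. The keyword rules, the corporate domain and the folder labels are constructed for illustration; the four levels are the scheme from the classification section above.

```python
from pathlib import PurePosixPath

# The four-level scheme from the classification section, least to most restrictive.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]

# Constructed policy: keywords that raise a message to at least the given level.
KEYWORD_RULES = {
    "production schedule": "Confidential",
    "salary": "Confidential",
    "merger": "Restricted",
    "password": "Restricted",
}
INTERNAL_DOMAINS = {"corp.example"}  # hypothetical corporate mail domain

# Constructed folder classifications; a document inherits the nearest labelled parent.
FOLDER_LABELS = {
    "/share": "Internal",
    "/share/finance": "Confidential",
    "/share/finance/board": "Restricted",
}


def highest(*labels):
    """Most restrictive of the given levels (labels are never downgraded)."""
    return max(labels, key=LEVELS.index)


def label_email(recipients, subject, body, default="Internal"):
    """Derive a label from keyword hits, prepend the marking to the subject
    (unless already present) and report any external recipients."""
    label = default
    text = (subject + "\n" + body).lower()
    for keyword, level in KEYWORD_RULES.items():
        if keyword in text:
            label = highest(label, level)
    marking = f"[{label.upper()}]"
    marked = subject if subject.startswith(marking) else f"{marking} {subject}"
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    return {"label": label, "subject": marked, "external_recipients": external}


def label_document(path, default="Internal"):
    """Inherit the classification of the closest labelled ancestor folder."""
    for parent in PurePosixPath(path).parents:
        if str(parent) in FOLDER_LABELS:
            return FOLDER_LABELS[str(parent)]
    return default
```

The external-recipient list is what a transfer control (5.14) would consume to decide whether the chosen channel is acceptable for the derived label.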
Cross-Reference with Transfer Controls
Labelling directly supports information transfer requirements (Control 5.14). When information moves between parties, labels ensure continued appropriate handling. Without clear labelling, transferred information loses its protective context.
For organizations using cloud services, ensure labelling schemes align with ISO/IEC 27017 cloud security guidance. Cloud providers need to understand your classification requirements to apply appropriate controls.
A.5.14 — Information Transfer: Where Security Context Gets Lost
Control A.5.14 mandates that "information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties." This control addresses electronic, physical, and verbal transfer methods.
Transfer failures typically occur at organizational boundaries. Internal transfers work reasonably well because common systems and procedures apply. External transfers—to customers, partners, suppliers—consistently break down because security context gets lost in translation.
Comprehensive Transfer Framework
The 2022 revision provides extensive guidance across three transfer types. Electronic transfers must address malware protection, encryption, authentication, and access controls. Physical media transfers require tamper-evident packaging, authorized courier services, and chain of custody documentation. Verbal transfers need environmental controls and participant verification.
For electronic transfers, implement graduated controls based on information classification. Public information can use standard email. Confidential information requires encryption and recipient verification. Restricted information mandates secure file transfer protocols with multi-factor authentication.
Physical media transfers often receive insufficient attention. I've seen organizations with excellent electronic security that ship unencrypted backup tapes via standard courier services. Implement tamper-evident packaging for sensitive media and maintain authorized courier lists with verified identification procedures.
Integration with Supplier Security
When transferring information to third parties, align with ISO/IEC 27036 supplier security requirements. Transfer agreements should specify security obligations, incident response procedures, and liability arrangements. This is particularly critical for organizations handling personal data under ISO/IEC 27018 privacy protection guidelines.
What Auditors Examine
I test transfer controls by tracing information flows across organizational boundaries. Can you demonstrate that information classification and handling requirements persist through the transfer process? Do recipient organizations understand and implement required protections?
The most revealing audit technique is examining transfer logs. Organizations with mature transfer controls maintain detailed records showing what was transferred, when, to whom, with what protections, and confirmation of receipt. If you can't produce these records for recent transfers, your control implementation needs strengthening.
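As an added example (not from the article), this check runs the graduated electronic-transfer controls described earlier over a transfer log of the shape just listed: what, when, to whom, with what protections, and receipt confirmation. The log lines, recipients and file names are constructed; the assumption that Internal needs no extra protection and that receipt is confirmed for Confidential and above is mine, not the standard's.

```python
import csv
import io

# Minimum protections per classification, encoding the graduated scheme described
# above (Internal is assumed to follow Public; the article does not specify it).
REQUIRED = {
    "Public": set(),
    "Internal": set(),
    "Confidential": {"encryption", "recipient_verified"},
    "Restricted": {"encryption", "recipient_verified", "secure_transfer", "mfa"},
}
NEEDS_RECEIPT = {"Confidential", "Restricted"}  # assumption: confirm receipt above Internal

# Constructed transfer log (hypothetical files, recipients and timestamps).
TRANSFER_LOG = """\
ts,what,classification,to,protections,receipt
2024-05-02T09:14Z,q2-forecast.xlsx,Confidential,cfo@partner.example,encryption;recipient_verified,yes
2024-05-02T10:02Z,board-pack.pdf,Restricted,counsel@lawfirm.example,encryption;recipient_verified;secure_transfer,no
2024-05-03T08:30Z,press-release.docx,Public,editor@news.example,,
2024-05-03T11:45Z,payroll-may.csv,Confidential,ops@vendor.example,,yes
2024-05-03T12:10Z,supplier-list.xlsx,TopSecret,buyer@vendor.example,encryption,yes
"""


def audit_transfers(log_text):
    """Return {what: [problems]} for every entry whose recorded protections fall
    short of its classification, lacks receipt confirmation, or carries a label
    that is not in the scheme (so its handling requirements are unknown)."""
    problems = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        issues = []
        level = row["classification"]
        if level not in REQUIRED:
            issues.append(f"unknown_classification:{level}")
        else:
            applied = {p for p in row["protections"].split(";") if p}
            issues += [f"missing:{p}" for p in sorted(REQUIRED[level] - applied)]
            if level in NEEDS_RECEIPT and row["receipt"] != "yes":
                issues.append("no_receipt")
        if issues:
            problems[row["what"]] = issues
    return problems
```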
Integration Across the Asset Lifecycle
These four controls form an interconnected framework for asset lifecycle management. Classification (5.12) provides the foundation for all other decisions. Labelling (5.13) makes classification visible and actionable. Transfer procedures (5.14) maintain security context as information moves. Return processes (5.11) ensure organizational control doesn't end accidentally.
The most effective implementations I've audited treat these as a unified system rather than separate requirements. Information classification drives labelling requirements. Labelling supports transfer procedures. Transfer logs inform return processes. Asset inventories enable comprehensive return verification.
For SMEs implementing these controls, start with classification—everything else builds from this foundation. Keep schemes simple and practical. Focus on integration with existing business processes rather than creating parallel security bureaucracy.
Remember that auditors will test the entire lifecycle, not individual controls in isolation. Can you demonstrate that sensitive information created today will be properly handled when an employee leaves two years from now? That's the real test of mature asset lifecycle management.
Practical Tip: Test your control integration by conducting tabletop exercises simulating employee departures. Can you identify and recover all assets? Do classifications remain visible throughout the process? These exercises reveal gaps that individual control audits might miss.