A.7.9 — Are off-site assets (laptops, mobile devices) protected with documented controls?
Description
What this control does
This control requires organizations to maintain documented security measures for assets used outside the organization's physical premises, including laptops, tablets, mobile phones, and removable media. Controls typically include encryption requirements, remote wipe capabilities, VPN usage mandates, physical security guidelines, acceptable use policies, and incident response procedures specific to off-site scenarios. The control addresses the heightened risk profile of devices operating beyond network perimeters and physical security boundaries, where loss, theft, unauthorized access, and insecure network connections pose significant threats to organizational data.
Control objective
What auditing this proves
Demonstrate that off-site assets are subject to documented, implemented, and consistently enforced security controls that adequately protect organizational information assets from unauthorized access, loss, theft, and compromise when used outside controlled facilities.
Associated risks
Risks this control addresses
- Theft or loss of unencrypted devices containing sensitive organizational data in public or unsecured locations
- Unauthorized access to corporate systems via compromised or inadequately secured mobile devices lacking multi-factor authentication
- Data exfiltration through connection of off-site assets to untrusted networks without VPN or encrypted tunnel protections
- Malware infection of devices that lack endpoint detection and response capabilities when they connect to public Wi-Fi networks or other unsecured internet connections
- Insider data theft facilitated by absence of remote monitoring, audit logging, or device management on off-site equipment
- Inability to remotely disable or wipe stolen devices due to missing mobile device management or endpoint management solutions
- Exposure of credentials and session tokens through shoulder surfing, screen capture, or physical observation in public spaces
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's off-site asset security policy, mobile device management policy, and remote work security standards
- Request an inventory of all off-site assets including laptops, mobile devices, tablets, and removable media with assignment records
- Select a representative sample of 15-25 off-site devices across different device types, operating systems, and user roles
- Verify device-level encryption status by examining configuration exports from endpoint management tools or performing direct device inspection
- Validate mobile device management (MDM) or endpoint management (EMM) enrollment status and applied security profiles for sampled devices
- Review VPN or secure remote access logs to confirm off-site devices connect through approved secure channels when accessing corporate resources
- Test remote wipe capabilities by requesting demonstration of the deactivation process on a test device or reviewing recent incident records
- Interview a sample of remote workers to verify awareness of physical security practices, acceptable use requirements, and incident reporting procedures for off-site scenarios
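The encryption, MDM/EMM enrollment, remote-wipe, secure-access and sampling steps above, as an added example that is not part of this control text: a Python script that evaluates a constructed endpoint-management export (the field names and the 30-day check-in threshold are assumptions; real tools export different schemas) and selects one device per device-type/OS/role stratum as the sampling step.

```python
from datetime import date

# Constructed sample export (not real data): one row per off-site device.
MDM_EXPORT = [
    {"asset": "LAP-0001", "type": "laptop", "os": "Windows", "role": "finance",
     "encrypted": True, "mdm_enrolled": True, "remote_wipe": True,
     "vpn_profile": True, "last_checkin": "2024-05-02"},
    {"asset": "LAP-0002", "type": "laptop", "os": "macOS", "role": "sales",
     "encrypted": False, "mdm_enrolled": True, "remote_wipe": True,
     "vpn_profile": True, "last_checkin": "2024-05-01"},
    {"asset": "MOB-0003", "type": "phone", "os": "iOS", "role": "exec",
     "encrypted": True, "mdm_enrolled": False, "remote_wipe": False,
     "vpn_profile": False, "last_checkin": "2024-02-10"},
    {"asset": "TAB-0004", "type": "tablet", "os": "Android", "role": "field",
     "encrypted": True, "mdm_enrolled": True, "remote_wipe": True,
     "vpn_profile": True, "last_checkin": "2024-04-28"},
]
AS_OF = date(2024, 5, 3)   # constructed audit date
MAX_CHECKIN_AGE_DAYS = 30  # assumption: a device silent this long cannot be wiped reliably

def device_findings(rec, as_of=AS_OF):
    """Return the list of control gaps for one export row (empty list = compliant)."""
    findings = []
    if not rec["encrypted"]:
        findings.append("disk encryption not enabled")
    if not rec["mdm_enrolled"]:
        findings.append("not enrolled in MDM/EMM")
    if not rec["remote_wipe"]:
        findings.append("remote wipe not available")
    if not rec["vpn_profile"]:
        findings.append("no VPN/secure access profile applied")
    age = (as_of - date.fromisoformat(rec["last_checkin"])).days
    if age > MAX_CHECKIN_AGE_DAYS:
        findings.append(f"last check-in {age} days ago; management status unverifiable")
    return findings

def stratified_sample(records):
    """Pick one device per (type, OS, role) stratum so the sample spans every group."""
    seen = {}
    for rec in records:
        seen.setdefault((rec["type"], rec["os"], rec["role"]), rec)
    return list(seen.values())

def audit(records, as_of=AS_OF):
    """Map asset tag -> findings for the sampled devices; empty list means no exception."""
    return {r["asset"]: device_findings(r, as_of) for r in stratified_sample(records)}

if __name__ == "__main__":
    for asset, gaps in audit(MDM_EXPORT).items():
        print(asset, "OK" if not gaps else "; ".join(gaps))
```

Each non-empty findings list is an audit exception to record against the sampled asset; the stale check-in finding is what distinguishes a device that merely reports "wipe enabled" from one the organization could actually wipe today.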