Episode 51 — A.7.9–7.10 — Off-premises assets; Storage media

As modern organizations evolve beyond fixed offices, information security must evolve with them. Work no longer happens solely within controlled environments — it follows people as they travel, collaborate remotely, and access systems from homes, airports, and hotels. This shift has blurred the boundaries once defined by physical infrastructure. Annex A.7.9 of ISO/IEC 27001 addresses this new reality by extending protection to assets that operate outside traditional facility walls. The same principle applies to storage media under A.7.10, which remain risky even when disconnected. Together, these controls ensure that data protection is portable, following the device rather than staying anchored to a particular site. The goal is continuity of protection — wherever business goes, security goes too.

A.7.9 sets its sights on “off-premises assets,” which include laptops, tablets, smartphones, and removable drives that routinely travel beyond the office. These assets are powerful tools for productivity, but they also multiply the organization’s exposure. When data moves freely, so do the risks of theft, damage, or unauthorized access. Employees conducting fieldwork or traveling for business carry the same sensitive information that would be locked inside office servers. Without adequate controls, these mobile devices become weak points in the organization’s defensive chain. The scope of A.7.9 is therefore not about limiting mobility but about embedding consistent, enforceable safeguards across all contexts.

Understanding the risks associated with off-premises use is the first step toward mitigation. Laptops can be stolen from hotel lobbies or airport security trays, leaving sensitive data in unknown hands. Phones and tablets used on public Wi-Fi networks can be compromised through rogue access points or phishing overlays. Some users, working from home, might allow family members to borrow company equipment for personal use — unintentionally exposing it to malware or unmonitored accounts. There’s also the cross-border dimension: data privacy laws differ from country to country, and carrying sensitive corporate data across jurisdictions can trigger compliance risks. These scenarios show that “off-premises” isn’t just a location — it’s a category of risk that demands deliberate preparation.

Technical safeguards form the first line of defense. Full-disk encryption ensures that even if a laptop is lost or stolen, its data remains unreadable without credentials. Secure boot mechanisms and firmware protections prevent tampering before the operating system loads. Multifactor authentication (MFA) for logins and critical applications blocks unauthorized users, even if passwords are compromised. Automatic lockouts and remote wipe capabilities add a safety net when devices go missing. Some organizations go further, implementing location tracking, tamper alarms, or ruggedized protective cases. Each of these measures reinforces the message that physical mobility doesn’t equate to reduced accountability.

Policies for employees handling mobile assets transform these technical measures into living practices. A strong policy outlines exactly what to do when a device is lost, stolen, or misplaced — immediate reporting is essential to trigger remote wipe or access revocation. Employees must be prohibited from using personal accounts, consumer cloud storage, or social media tools for business data, as these bypass corporate controls. Secure connectivity, typically enforced through an approved virtual private network (VPN), must be mandatory to protect data in transit. Simple but critical rules, like never leaving devices in parked vehicles or visible in hotel rooms, close many common gaps. In essence, policy translates control intent into daily discipline.

Training reinforces policy and builds awareness about real-world threats. Employees must understand not only the rules but the reasons behind them. Case studies of breaches caused by lost laptops or misused USB drives make the risks tangible. Regular refresher sessions, simulations, and spot-checks keep the topic alive and relevant. Some organizations incorporate these lessons into onboarding programs, ensuring that even new hires recognize that mobility equals responsibility. Without such reinforcement, even the best-written policy can fade into background noise.

Auditors assessing compliance with A.7.9 expect evidence that these measures operate consistently. They look for a formally published mobile device policy and proof that staff have received and acknowledged it. Mobile device management (MDM) and endpoint detection and response (EDR) platforms should generate reports verifying encryption status, patch compliance, and lockout configurations. Logs of lost or stolen devices show whether incident response procedures were followed. Sampling encryption certificates or device inventories demonstrates operational control rather than mere intent. Auditors want to see that the organization practices what it preaches, day in and day out.
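As an added illustration of the evidence described above (this code is not from the episode and not any MDM or EDR vendor's tool), the following Python check reads a constructed inventory export of the kind such a platform might produce and flags devices that fall short of an assumed off-premises device policy: disk encryption off, patch level stale, screen-lock timeout too long, device silent for too long, or reported lost but still enrolled. The column names, thresholds and device records are all assumptions made for the example.

```python
"""Check a constructed MDM/EDR inventory export against an assumed device policy (added example)."""
import csv
import io
from datetime import date

# Policy thresholds are assumptions for this example, not values taken from ISO/IEC 27001.
MAX_PATCH_AGE_DAYS = 30      # OS patch level must be no older than 30 days
MAX_LOCK_TIMEOUT_SEC = 300   # screen must lock within 5 minutes of inactivity
MAX_CHECKIN_AGE_DAYS = 14    # a device silent longer than this may be lost or unmanaged

# Constructed sample export; the column names are hypothetical, not any vendor's schema.
SAMPLE_EXPORT = """\
device_id,owner,disk_encrypted,last_patch,lock_timeout_sec,last_checkin,status
LT-1001,a.khan,true,2024-05-28,300,2024-06-01,active
LT-1002,b.lopez,false,2024-05-30,300,2024-06-01,active
LT-1003,c.ng,true,2024-03-15,900,2024-05-31,active
LT-1004,d.osei,true,2024-05-20,120,2024-05-01,active
LT-1005,e.rossi,true,2024-05-25,300,2024-05-29,reported_lost
"""


def parse_export(text):
    """Parse the CSV export into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def evaluate_device(rec, as_of_iso):
    """Return the list of policy findings for one device record (empty list = compliant)."""
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    if rec["disk_encrypted"].strip().lower() != "true":
        findings.append("full-disk encryption not enabled")
    patch_age = (as_of - date.fromisoformat(rec["last_patch"])).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patch level {patch_age} days old (limit {MAX_PATCH_AGE_DAYS})")
    if int(rec["lock_timeout_sec"]) > MAX_LOCK_TIMEOUT_SEC:
        findings.append(f"lock timeout {rec['lock_timeout_sec']}s exceeds {MAX_LOCK_TIMEOUT_SEC}s")
    checkin_age = (as_of - date.fromisoformat(rec["last_checkin"])).days
    if checkin_age > MAX_CHECKIN_AGE_DAYS:
        findings.append(f"no check-in for {checkin_age} days; verify the device is still in custody")
    if rec["status"] == "reported_lost":
        # A lost device still present in the export means the remote-wipe / unenrolment
        # step of the incident procedure has not been completed.
        findings.append("reported lost but still enrolled; confirm remote wipe and access revocation")
    return findings


def compliance_report(text, as_of_iso):
    """Summarise an export: per-device findings plus the counts an auditor would sample from."""
    records = parse_export(text)
    per_device = {r["device_id"]: evaluate_device(r, as_of_iso) for r in records}
    noncompliant = {dev: f for dev, f in per_device.items() if f}
    return {
        "total": len(records),
        "compliant": len(records) - len(noncompliant),
        "noncompliant": noncompliant,
    }


if __name__ == "__main__":
    report = compliance_report(SAMPLE_EXPORT, "2024-06-02")
    print(f"{report['compliant']}/{report['total']} devices compliant")
    for dev, findings in report["noncompliant"].items():
        for finding in findings:
            print(f"  {dev}: {finding}")
```

Run against the sample as of 2024-06-02, only LT-1001 passes; the other four each produce the finding an auditor would expect to see tracked to closure, and LT-1003 produces two. The check-in age rule is worth keeping even though the control text does not spell it out: a device that stops reporting is the earliest signal that something in the lost-device procedure should have been triggered.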

Failures involving off-premises assets provide sobering reminders of what’s at stake. In one healthcare incident, an unencrypted laptop stolen from a physician’s car exposed thousands of patient records. A consulting firm lost a client’s intellectual property after an employee stored project data on a personal, unencrypted USB stick. Executives crossing borders have had their laptops seized for inspection, only to realize that their drives lacked sufficient encryption. Nonprofits operating in unstable regions have lost entire contact databases because phones had no remote-wipe function. These real events demonstrate that convenience without control undermines every other layer of cybersecurity.

The global context complicates the protection of mobile assets. Laws in certain countries may require travelers to unlock devices for inspection, conflicting with corporate confidentiality requirements. Cross-border data transfer restrictions can apply even to data stored on a laptop carried by an employee. Contracts with overseas suppliers must include clauses mandating equivalent security for any off-premises devices accessing shared systems. Insurance policies should explicitly address coverage for lost or stolen equipment abroad, clarifying who bears financial and reputational liability. Even cultural norms can matter — in some regions, device sharing within families is common, making technical enforcement critical to compensate for social habits.

Organizations that handle off-premises assets effectively often combine governance, automation, and culture. Governance defines ownership and accountability — who is responsible for approving, tracking, and reviewing mobile assets. Automation ensures compliance through configuration management tools that enforce encryption, lockouts, and patching remotely. Culture sustains awareness by making security feel natural, not forced. When staff instinctively secure devices before leaving a coffee shop or conference hall, security becomes a shared value rather than a checklist. Annex A.7.9 isn’t about mistrust; it’s about building confidence that information stays protected wherever work occurs.

In remote or hybrid work settings, these principles take on new importance. Home networks, personal routers, and shared workspaces create environments where company devices coexist with personal technology. Organizations must provide clear guidance on segregating work activities from personal use, supported by secure VPNs and endpoint protections. Encouraging staff to perform periodic self-checks — confirming encryption, backups, and system updates — keeps security visible. A distributed workforce doesn’t mean distributed accountability; each user becomes a mini-steward of the organization’s digital integrity.

Technology alone can’t eliminate every risk associated with off-premises work. Human behavior remains a decisive factor. Employees must be encouraged to report incidents promptly without fear of blame, as delays increase damage. Leadership should model these habits — securing devices in transit, avoiding public logins, and demonstrating compliance openly. Recognition programs that highlight safe practices turn adherence into positive reinforcement. The objective isn’t surveillance but empowerment: teaching people that they have direct influence over the organization’s resilience.

Annex A.7.9 connects mobility to maturity. An organization that can maintain consistent security outside its own facilities shows it understands the fluid nature of modern business. It acknowledges that risk doesn’t pause for travel, remote work, or convenience. By securing off-premises assets through encryption, policies, and training, it ensures that its information ecosystem remains trustworthy across borders, devices, and circumstances. The next layer of protection, detailed in Annex A.7.10, extends this philosophy to storage media — because safeguarding information doesn’t end with the device, it continues through every medium where data resides.

For more cyber-related content and books, please check out cyber author dot me. Also, there are other prepcasts on cybersecurity and more at Bare Metal Cyber dot com.

Annex A.7.10 builds on the mobility theme by turning attention to storage media — the silent carriers of data that often escape notice. While devices like laptops and phones attract attention due to their visibility, smaller items such as USB drives, backup tapes, or external disks can hold equally sensitive information. These items are portable, convenient, and often used for legitimate business continuity purposes. However, without strict controls, they become invisible points of leakage. The purpose of this control is to ensure that removable and portable media, whether physical or cloud-based, remain secure throughout their entire lifecycle — from creation and use to transport, retention, and eventual disposal.

The risks tied to storage media are both technical and behavioral. Infected USB drives can introduce malware when plugged into endpoints, bypassing network defenses. Unlabeled or misplaced devices can lead to accidental data disclosure if discovered by unauthorized individuals. During shipment, removable media may be lost or stolen, exposing unencrypted data in transit. Even when media is no longer needed, residual information left on improperly wiped drives can resurface in secondary markets. These risks persist because removable media often sits in the margins of organizational awareness — easy to overlook, yet capable of triggering severe breaches.

Transporting storage media securely requires the same rigor as handling cash or confidential documents. When media must be shipped or couriered, it should be packaged in tamper-evident materials that reveal any attempt at interference. Couriers should be vetted and trained to handle sensitive shipments, and tracking numbers must follow the item from sender to receiver. Some organizations maintain formal chain-of-custody documentation that lists every individual who handled the media during transit. Segregating media from general mail or deliveries minimizes confusion and reduces accidental loss. These steps demonstrate that the organization values the confidentiality of its data even when it’s in motion.

Retention and disposal mark the end stages of the media lifecycle but are equally vital to control. Retention should align with regulatory and contractual requirements so that data is kept only as long as legally or operationally necessary. When media is reused, it must be securely overwritten or cryptographically erased to prevent recovery of previous data. Devices that are damaged or obsolete must be physically destroyed — often through shredding, degaussing, or pulverizing. Each disposal event should generate a certificate, providing verifiable evidence for auditors and regulators. This level of rigor ensures that sensitive information cannot resurface long after its intended purpose has ended.

Evidence of compliance with Annex A.7.10 typically includes a combination of policies, inventories, and operational logs. The organization should maintain a removable media policy describing approved types, handling expectations, and encryption requirements. An inventory system tracks issued and returned media, ensuring no device is unaccounted for. Logs should record encryption events, transfer activities, and final disposal actions. Incident records documenting lost or compromised media demonstrate that the organization tracks not only success but also failure. Together, these records illustrate a mature control environment where accountability extends beyond network systems to the physical objects that carry data.
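The transport, disposal and inventory requirements of the last three paragraphs all rest on the same record-keeping: every medium has a known custodian at every moment, and every lifecycle event leaves a log entry. As an added example (not from the episode and not a description of any particular product), the Python ledger below records registration, issue, shipment, receipt, return and disposal for a constructed set of media, and then produces the three artefacts an auditor would ask for: the chain of custody for one item, the list of media currently outstanding, and the exceptions (unapproved media type, unencrypted media issued, disposal without a certificate, a shipment whose receipt is overdue). The approved media types, the transit limit, and all ids, names, tracking and certificate numbers are assumptions invented for the example.

```python
"""Removable media ledger: inventory, chain of custody and disposal evidence (added example)."""
from dataclasses import dataclass, field
from datetime import date

ALLOWED_TYPES = {"usb", "external_disk", "backup_tape"}  # assumed list of approved media types
MAX_TRANSIT_DAYS = 5  # assumed: a shipment unconfirmed for longer than this is an audit exception


@dataclass
class MediaItem:
    media_id: str
    media_type: str
    encrypted: bool
    custodian: str = "store"    # current holder; "store" means secure storage
    state: str = "in_store"     # in_store | issued | in_transit | disposed
    events: list = field(default_factory=list)   # (iso_date, action, party)


class MediaLedger:
    def __init__(self):
        self.items = {}
        self.exceptions = []  # (media_id, description) policy violations seen while recording

    def _record(self, media_id, on, action, party, state):
        item = self.items[media_id]
        item.custodian, item.state = party, state
        item.events.append((on, action, party))

    def register(self, media_id, media_type, encrypted, on):
        if media_type not in ALLOWED_TYPES:
            self.exceptions.append((media_id, f"unapproved media type '{media_type}'"))
        self.items[media_id] = MediaItem(media_id, media_type, encrypted)
        self._record(media_id, on, "registered", "store", "in_store")

    def issue(self, media_id, to, on):
        if not self.items[media_id].encrypted:
            # Policy: unencrypted media must not leave storage; record the violation, never hide it.
            self.exceptions.append((media_id, f"issued to {to} while unencrypted"))
        self._record(media_id, on, "issued", to, "issued")

    def ship(self, media_id, courier, tracking, on):
        self._record(media_id, on, "shipped", f"{courier}/{tracking}", "in_transit")

    def receive(self, media_id, by, on):
        self._record(media_id, on, "received", by, "issued")

    def return_to_store(self, media_id, on):
        self._record(media_id, on, "returned", "store", "in_store")

    def dispose(self, media_id, method, certificate, on):
        if not certificate:
            self.exceptions.append((media_id, f"disposed by {method} without a destruction certificate"))
        self._record(media_id, on, f"disposed:{method}", f"destroyed({certificate or 'NO-CERT'})", "disposed")

    def custody_chain(self, media_id):
        """Every hand the item passed through, in order: the chain-of-custody record."""
        return list(self.items[media_id].events)

    def outstanding(self):
        """Media neither in storage nor destroyed: what the inventory must account for."""
        return {i.media_id: i.custodian for i in self.items.values() if i.state in ("issued", "in_transit")}

    def audit(self, as_of_iso):
        """Recorded violations plus shipments whose receipt is overdue as of the given date."""
        as_of = date.fromisoformat(as_of_iso)
        findings = list(self.exceptions)
        for item in self.items.values():
            if item.state == "in_transit":
                days = (as_of - date.fromisoformat(item.events[-1][0])).days
                if days > MAX_TRANSIT_DAYS:
                    findings.append((item.media_id, f"in transit {days} days, receipt unconfirmed"))
        return findings


def build_sample_ledger():
    """Constructed sample history; all ids, names, tracking and certificate numbers are invented."""
    led = MediaLedger()
    led.register("USB-01", "usb", True, "2024-05-01")
    led.register("USB-02", "usb", False, "2024-05-01")
    led.register("TAPE-07", "backup_tape", True, "2024-05-01")
    led.register("DISK-03", "external_disk", True, "2024-05-01")
    led.register("DISK-04", "external_disk", True, "2024-05-01")
    led.register("SD-05", "sd_card", True, "2024-05-01")
    led.issue("USB-01", "a.khan", "2024-05-02")
    led.return_to_store("USB-01", "2024-05-10")
    led.issue("USB-02", "b.lopez", "2024-05-03")
    led.ship("TAPE-07", "SecureCourier", "TRK-EXAMPLE-0001", "2024-05-20")
    led.dispose("DISK-03", "shredding", "CERT-EXAMPLE-011", "2024-05-15")
    led.dispose("DISK-04", "degaussing", None, "2024-05-16")
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("outstanding:", ledger.outstanding())
    for media_id, note in ledger.audit("2024-06-02"):
        print(f"exception {media_id}: {note}")
    print("custody USB-01:", ledger.custody_chain("USB-01"))
```

Two design points carry over to a real system. Violations are recorded at the moment they occur rather than blocked silently, so the incident records the control asks for exist even when someone bypasses procedure. And the overdue-shipment check is computed from the ledger rather than stored, so the same history answers the question differently as time passes: audited on 2024-05-22 the tape shipment is still within its window, audited on 2024-06-02 it has become an exception.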

History provides many examples of what happens when storage media is poorly managed. Government agencies have suffered data leaks after unencrypted backup tapes were misplaced during transport. Corporations have lost valuable intellectual property to insiders who exfiltrated data on small USB drives. Law enforcement organizations have lost case evidence because of improperly handled media in courier transit. Retailers have been fined when discarded hard drives containing customer data were found intact in public waste facilities. Each of these cases reveals that storage media, despite its simplicity, can undermine the integrity of an entire information security program when left unchecked.

The handling of cloud-based equivalents — virtual storage media — deserves equal attention. Services like shared drives or cloud file repositories behave like digital removable media, allowing easy download, duplication, and transfer of sensitive data. Policies should define acceptable use, sharing permissions, and retention limits for these services just as strictly as for physical media. Encryption at rest and in transit, access control, and monitoring are essential for ensuring that data does not leak through convenience features. As organizations migrate toward cloud storage, recognizing this equivalence prevents old risks from reappearing in new forms.

Training once again plays a critical role in reinforcing control effectiveness. Employees must know when and how to use approved storage media, how to recognize tamper-evident packaging, and what to do if a device goes missing. Awareness campaigns should stress that “small doesn’t mean harmless” — even a single lost USB stick can contain thousands of records. Demonstrations of media destruction or secure erasure help make the process tangible and memorable. Regular refreshers remind staff that these precautions aren’t one-time actions but continuous habits that reflect professional discipline.

Integration between Annex A.7.9 and A.7.10 creates a seamless security posture that spans both mobility and data portability. Off-premises asset controls secure the devices themselves, while storage media controls secure the information they carry or transfer. Together, they form a chain of custody for digital assets — a framework ensuring that whether data is on a laptop, a USB drive, or in transit across borders, it remains consistently protected. This integration also supports compliance, as auditors can trace information protection measures across both the user and the medium.

When implemented together, these controls create tangible business value beyond compliance. Reduced incidents of data loss mean fewer investigations, lower insurance premiums, and stronger customer trust. Staff gain confidence that their tools are secure, enabling productivity without constant fear of mistakes. Leadership gains measurable assurance that sensitive data is managed responsibly across all operational contexts. The result is an organization that can embrace flexibility without sacrificing control — a modern security posture aligned to today’s mobile and digital realities.

Annex A.7.9 and A.7.10 both emphasize verifiable, everyday discipline. Security doesn’t rely solely on encryption algorithms or policies written in binders; it lives in the ordinary actions of staff who lock their laptops, encrypt their drives, and verify packaging before shipping media. Auditors and regulators can see the evidence of these actions because they leave physical and digital footprints — inspection logs, chain-of-custody forms, or destroyed hardware certificates. This visibility makes these controls highly auditable and practical, demonstrating that the organization’s security culture is as strong in practice as it is on paper.

By integrating control of mobile devices and storage media, organizations ensure that data remains protected from creation to destruction. When security follows the asset — not the building — the organization achieves resilience that transcends geography and technology. These controls are reminders that cybersecurity extends into the physical world and that the simple act of securing a drive or a device can make the difference between routine operations and a headline-making breach. In environments where data moves faster and farther than ever before, the discipline embedded in Annex A.7.9 and A.7.10 becomes not just best practice but a baseline expectation for trust and accountability.
