Control attributes: Theme: Physical | Control type: Preventive | Cybersecurity concept: Protect

A.7.9 Security of Assets Off-Premises

M365 Admin Path: Microsoft Intune admin center (intune.microsoft.com) > Devices > All devices; Endpoint security > Disk encryption

Evidence Source: Microsoft Graph - Intune Managed Devices (encryption status, user assignment), Manual verification

What is this control?

ISO 27001 control A.7.9, Security of Assets Off-Premises, requires that assets are protected against loss, damage, theft, or compromise when they are taken outside the organisation's physical security perimeter. The implementation described here meets it with designated custodians for all off-premises equipment, full-disk encryption (BitLocker on Windows, FileVault on macOS) on all portable devices, remote wipe capability via Intune, physical security procedures for vehicles and public transport, and a formal checkout process for shared assets.

How to implement in Microsoft 365

Implement A.7.9 by assigning every off-premises asset to a designated custodian, using the Intune primary user assignment or the IT asset inventory as the system of record. Enable full-disk encryption with BitLocker on Windows and FileVault on macOS for all portable devices, and track coverage against a target of at least 95% of portable devices reporting as encrypted. Enrol all portable devices in Microsoft Intune so that a remote wipe can be issued within hours of a reported theft. Note that both the encryption status shown in Intune and the wipe action depend on the device checking in: a device that has not synced recently may show a stale encryption state, and a wipe is executed only once the device next contacts the service, so record the time the wipe was issued as well as the time Intune reports it complete.

Establish physical security procedures requiring that devices are never left visible in unattended vehicles, remain under the custodian's direct control on public transport, and are never placed in checked hold luggage on flights. Prohibit use of organisation devices by family or friends; devices are for business use only.

What an auditor looks for

Auditors will verify a device-to-user assignment report from Intune showing that 95% or more of portable devices have an assigned custodian, and an encryption status report showing that 95% or more of portable devices have BitLocker or FileVault enabled. They will review the physical security procedures documentation covering vehicle security, transport security, and the prohibition on family use.

They will verify the shared asset checkout log with dates, custodian names, and destinations, and check loss or theft incident reports to confirm that a remote wipe was initiated where applicable.
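The implementation steps above (custodian assignment, encryption coverage, remote wipe) and the auditor's two 95% reports can be produced from the Evidence Source named at the top of this page, Microsoft Graph managed devices. The script below is an added example, not code from the original page or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.DeviceManagement and Microsoft.Graph.DeviceManagement.Actions). Two things it assumes that the page does not state: that portable devices are identified by an Intune device category named "Laptop" (the -PortableCategories parameter; change it to your own convention), and that a device not seen for more than 30 days is treated as stale rather than silently counted as encrypted.

```powershell
# Added example: A.7.9 evidence from Intune via Microsoft Graph.
# Assumptions (not from the page): portable devices carry the device
# category "Laptop"; devices unseen for >30 days are flagged as stale.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement, Microsoft.Graph.DeviceManagement.Actions

function Get-OffPremisesAssetEvidence {
    param(
        [string[]] $PortableCategories = @('Laptop'),   # assumption: your category names
        [int]      $StaleAfterDays     = 30,
        [double]   $Threshold          = 95.0,
        [string]   $CsvPath            = '.\A-7-9-evidence.csv'
    )

    # Read-only scope is sufficient for reporting.
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

    $cutoff  = (Get-Date).AddDays(-$StaleAfterDays)
    $devices = Get-MgDeviceManagementManagedDevice -All |
        Where-Object { $_.DeviceCategoryDisplayName -in $PortableCategories }

    $rows = foreach ($d in $devices) {
        [pscustomobject]@{
            DeviceName   = $d.DeviceName
            OS           = $d.OperatingSystem
            Custodian    = $d.UserPrincipalName          # Intune primary user = custodian
            HasCustodian = -not [string]::IsNullOrEmpty($d.UserPrincipalName)
            IsEncrypted  = [bool]$d.IsEncrypted           # BitLocker/FileVault as last reported
            LastSync     = $d.LastSyncDateTime
            Stale        = $d.LastSyncDateTime -lt $cutoff  # never-synced devices are stale too
            Compliance   = $d.ComplianceState
        }
    }

    $total = @($rows).Count
    if ($total -eq 0) {
        Write-Warning "No devices matched categories: $($PortableCategories -join ', ')"
        return
    }

    # Stale devices stay in the denominator but are excluded from the numerator:
    # a device that has not checked in must not count as encrypted on old data.
    $encrypted = @($rows | Where-Object { $_.IsEncrypted -and -not $_.Stale }).Count
    $custodied = @($rows | Where-Object { $_.HasCustodian }).Count
    $encPct    = [math]::Round(100.0 * $encrypted / $total, 1)
    $custPct   = [math]::Round(100.0 * $custodied / $total, 1)

    # Per-device detail is the artefact to hand the auditor.
    $rows | Export-Csv -Path $CsvPath -NoTypeInformation

    [pscustomobject]@{
        PortableDevices   = $total
        EncryptedPct      = $encPct
        EncryptionMeets95 = $encPct -ge $Threshold
        CustodianPct      = $custPct
        CustodianMeets95  = $custPct -ge $Threshold
        StaleDevices      = @($rows | Where-Object Stale).Count
        Exceptions        = @($rows | Where-Object { -not $_.IsEncrypted -or -not $_.HasCustodian -or $_.Stale })
        EvidenceFile      = (Resolve-Path $CsvPath).Path
    }
}

# Remote wipe for a lost or stolen device (the Intune "wipe" device action).
# The device executes it only when it next contacts the service, so capture
# DeviceActionResults afterwards for the incident report.
function Invoke-OffPremisesDeviceWipe {
    param([Parameter(Mandatory)][string] $ManagedDeviceId)
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All' -NoWelcome
    Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $ManagedDeviceId -Confirm
    Get-MgDeviceManagementManagedDevice -ManagedDeviceId $ManagedDeviceId |
        Select-Object DeviceName, UserPrincipalName, DeviceActionResults
}

# Usage:
# $report = Get-OffPremisesAssetEvidence
# $report | Format-List
# $report.Exceptions | Format-Table DeviceName, Custodian, IsEncrypted, Stale
```

The summary object gives the two percentages the auditor asks for; the exported CSV and the Exceptions list are the per-device backing evidence. Filtering by device category is a convention, not an Intune guarantee, so confirm that every portable device is categorised before relying on the denominator.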

  • [A.8.24 (Use of cryptography - BitLocker)](/controls/a-8-24 (use of cryptography - bitlocker)/)
  • [A.7.8 (Equipment siting - remote wipe)](/controls/a-7-8 (equipment siting - remote wipe)/)
  • [A.8.1 (User endpoint devices - compliance)](/controls/a-8-1 (user endpoint devices - compliance)/)

M365 capabilities that implement this control

Microsoft Datacentre Infrastructure Foundation

Microsoft-managed datacentre security including perimeter protection, cabling, and equipment protection. This covers the Microsoft-operated side of the shared responsibility model only: data held in M365 services stays within Microsoft's datacentres, but the organisation's own portable devices remain its responsibility and are addressed by the Intune custodian assignment, encryption, and remote wipe capabilities described above.