Back

Prohibit assets from being taken off-site absent prior authorization.


CONTROL ID
12027
CONTROL TYPE
Process or Activity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain asset removal procedures or asset decommissioning procedures., CC ID: 04540

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Equipment, information or software shall not be taken off-site without prior authorization. (A.11.2.5 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • In addition to implementing the control given by ISO/IEC 27002, organizations providing or using equipment, data or software to support a healthcare application containing personal health information shall not allow such equipment, data, or software to be removed from the site or relocated within it… (§ 11.2.5 Health-specific control, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • Equipment, information or software should not be taken off-site without prior authorization. (§ 11.2.5 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)