ISO/IEC 27001 Control 5.11: Return of assets

Control

Personnel and other interested parties as appropriate should return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.

Necessity of MidPoint

MidPoint's contribution to implementation of this control is marginal.

Implementation of the control is mostly outside the scope of identity governance and administration (IGA), so midPoint cannot provide a significant advantage. However, midPoint can still provide minor supporting information and functionality.

Implementation Overview

MidPoint can record ownership of devices, tokens and licenses using the concept of "service".

Implementation Details

Projection links can be used to link to device/token tracing in external systems (e.g. physical security systems). Micro-certification can be used to "return" assets after an organizational change or other significant event. The "return" may be executed automatically (e.g. deprovisioning of an account/license), or the micro-certification may be used as a cue for manual action. Similarly, micro-certification or an automatic rule (e.g. conditional inducement) can be used to "return" an asset during the notice period, to prevent unauthorized access and copying of information. Reporting functionality can be used to list issued/assigned assets. It can also be used for more specific purposes, such as listing all classified assets accessible to users during the notice period.

Rationale

Return of assets is mostly concerned with "hardware", which is outside of midPoint's scope. MidPoint can provide only a couple of supporting features.
