ISO 27001 Asset Management Policy
In this guide you will learn what an ISO 27001 Asset Management Policy is and how to write it yourself, and I give you a template you can download and use right away.
Table of contents
- ISO 27001 Asset Management Policy
- What is the ISO 27001 Asset Management Policy
- ISO 27001 Asset Management Policy Example
- How to write an ISO 27001 Asset Management Policy
- How to write an asset management policy free training video
- ISO 27001 Asset Management Policy Walkthrough Video
- ISO 27001 Asset Management Policy Template
- How to Implement BYOD Technical Controls for ISO 27001
- How the ISO 27001 toolkit can help
- Applicability of an ISO 27001 Asset Management Policy to Small Businesses, Tech Startups, and AI Companies
- Information security standards that need an ISO 27001 Asset Management Policy
- List of relevant ISO 27001:2022 controls
- How to Document Secure Asset Disposal for ISO 27001
- Information Asset Owner (IAO) Operational Checklist
- How to Implement a Cloud Asset Inventory for ISO 27001
- How to Integrate Climate Action into ISO 27001 Asset Management
- Technical Comparison: Asset Inventory Tools for ISO 27001 Compliance
- ISO 27001 Asset Management Policy FAQ
What is the ISO 27001 Asset Management Policy
The ISO 27001 Asset Management Policy sets out the guidelines and framework for how to identify, protect and manage assets. It covers the entire lifecycle, from acquiring the asset and using it through to ultimately destroying it. It ensures the correct assets are identified and protected: we cannot protect what we do not know.
Think of an ISO 27001 Asset Management Policy as a rulebook for all your company’s valuable stuff. This isn’t just about computers and desks; it’s about anything that has value to your business. This includes your customer data, software, intellectual property, and even the skills of your employees. The policy helps you keep track of these assets, protect them from harm, and ensure you know who’s responsible for what. It’s a key part of the ISO 27001 information security standard, which is all about keeping your sensitive information safe.
| Dimension | Requirement & Technical Best Practice |
|---|---|
| Why | Protects the organisation by preventing security incidents, ensuring GDPR compliance, and increasing efficiency through precise asset tracking. |
| When | Establish during the initial ISMS setup. Implement as early as possible to provide a foundation for risk assessment and control selection. |
| Who | Authored by the CISO or IT Manager; however, 100% of staff must understand their personal responsibility for protecting assigned assets. |
| Where | Applies across all operational environments: physical offices, remote working setups, cloud instances, and all digital data storage. |
| How | Provision clear communication, execute mandatory employee training, enforce policy compliance, and conduct annual reviews for continual improvement. |
ISO 27001 Asset Management Policy Example
Here is an extract.
How to write an ISO 27001 Asset Management Policy
To write an ISO 27001 Asset Management Policy, organisations must define the technical scope of information assets, assign individual ownership, and establish a formal classification scheme. This process ensures compliance with Clause 5.9 by documenting the entire asset lifecycle—from procurement and inventory through to secure disposal—providing lead auditors with the required evidence of data integrity and availability.
1. Define Technical Asset Scope and Purpose
Formalise what an “asset” is for your specific business environment. Provision a scope that encompasses all physical hardware (servers, laptops), virtual resources (cloud instances, databases), and intangible intellectual property (patents, software code). Clearly state that the purpose of the policy is the identification and managed protection of these assets across all business functions.
2. Assign Ownership and Individual Accountability
Assign every asset to a specific individual, job role, or team. Asset owners are technically accountable for ensuring assets are inventoried, classified, and handled in accordance with the Information Classification Policy. While routine tasks may be delegated, the formal responsibility for the asset’s security remains with the designated owner.
3. Inventory Physical and Virtual Assets
Establish a documented inventory for all processing devices. For every item, record the asset name, owner, and importance. For physical hardware, you must additionally provision fields for asset numbers, serial numbers, current usage status, and the date of the last technical health check to satisfy audit requirements for physical security.
4. Catalogue Data and Information Assets
Identify and record all data assets within a dedicated Information Asset Register (IAR). Provision fields for the name of the data controller, categories of data subjects, and data retention periods. For high-rigour compliance, include technical details such as international transfer status, lawful basis for processing (GDPR), and the volume of data processed.
5. Manage Software and Licence Assets
Provision a sub-inventory specifically for software versions and licences. Record whether the software is free or paid, the number of licences purchased versus used, and the precise deployment location. This ensures the organisation avoids legal risks associated with unlicensed software and maintains an accurate Software Bill of Materials (SBOM).
6. Establish Classification and Handling Schemes
Formalise a classification scheme (e.g., Public, Internal, Confidential) based on the asset’s importance to the business. Describe technical handling requirements for each level, such as mandatory full-disk encryption for “Confidential” data, to ensure that protection rigour scales with the level of risk identified.
7. Formalise the Asset Return and Disposal Lifecycle
Provision strict protocols for the return of organisational assets upon termination of employment or contracts. Implement technical procedures to ensure that if personal equipment was used, all company data is securely erased. During notice periods, execute controls to prevent unauthorised copying of company information by departing users.
8. Secure Senior Management Policy Approval
Formalise the policy with a Document Version Control table and a comprehensive contents page. Submit the completed Asset Management Policy to a senior leader or the CISO for formal review and sign-off. This approval provides the governance mandate required to enforce compliance across the organisation.
How to write an asset management policy free training video
ISO 27001 Asset Management Policy Walkthrough Video
ISO 27001 Asset Management Policy Template
The ISO 27001 Asset Management Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre written and ready to go. It is included in the ISO 27001 toolkit.
How to Implement BYOD Technical Controls for ISO 27001
To implement BYOD technical controls within an ISO 27001 framework, organisations must formalise a registration process, enforce Mobile Device Management (MDM) enrollment, and provision technical containerisation. This ensures that 100% of corporate data remains secured and wipeable without compromising employee privacy on personal hardware, satisfying the high-rigour demands of Annex A 7.9 and 8.1.
1. Formalise Device Registration and User Agreements
Provision a formal registration workflow where employees must declare personal devices used for business. Execute a signed BYOD Agreement that grants the organisation the technical right to manage corporate data on the device, ensuring a clear legal and technical mandate for security enforcement.
2. Enforce Mandatory MDM Enrollment
Execute a technical policy that mandates Mobile Device Management (MDM) enrollment for any device accessing corporate resources. Provision “Compliance Check” gates that block access to email or SaaS tools if the device is jailbroken, lacks a PIN, or has outdated firmware.
3. Provision Technical Data Containerisation
Implement technical containerisation (e.g., Work Profiles or Managed Apps) to create a logical partition between personal and corporate data. This ensures that the organisation can apply strict IAM roles and encryption to business data while remaining technically unable to access the user’s personal photos or messages.
4. Automate Selective Remote Wipe Protocols
Formalise an automated workflow for selective remote wipes. Provision the technical capability to delete 100% of corporate data from a personal device immediately upon an employee’s termination or if the device is reported lost, ensuring zero data leakage without affecting the user’s personal files.
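The "Compliance Check" gate from step 2, written out as an added example (not code from the page or from any MDM product). It evaluates a constructed posture record as an MDM would report it at check-in and blocks the device when any of the listed checks fails: jailbreak, missing screen lock, outdated OS, and, as an extra assumption tying in step 3, a missing work profile. The minimum OS versions are assumed values.

```python
"""Added example (not from the page): an MDM-style compliance gate that
decides whether a BYOD device may reach corporate resources.

The posture records and minimum OS versions are constructed sample data;
the checks (jailbreak, screen lock, outdated OS) are the ones the text lists,
plus a managed-container requirement. Not code from any MDM product.
"""
MIN_OS = {"ios": "17.2", "android": "14"}   # assumed minimum firmware per platform


def parse_version(v):
    """'17.2.1' -> (17, 2, 1). Tuple comparison orders '17.2' < '17.10' and
    '17.2' < '17.2.1' correctly, where plain string comparison would not."""
    return tuple(int(p) for p in v.split("."))


def evaluate_posture(device):
    """Return (allowed, reasons). Any failed check blocks access."""
    reasons = []
    if device.get("jailbroken"):
        reasons.append("device is jailbroken/rooted")
    if not device.get("screen_lock"):
        reasons.append("no PIN or biometric screen lock")
    if not device.get("work_profile_enrolled"):
        reasons.append("corporate container (work profile) not enrolled")
    minimum = MIN_OS.get(device.get("platform"))
    if minimum is None:
        reasons.append(f"unsupported platform {device.get('platform')!r}")
    elif parse_version(device["os_version"]) < parse_version(minimum):
        reasons.append(f"OS {device['os_version']} below minimum {minimum}")
    return (not reasons, reasons)


# Constructed posture records as an MDM would report them at check-in.
DEVICES = [
    {"id": "d1", "platform": "ios", "os_version": "17.10", "jailbroken": False,
     "screen_lock": True, "work_profile_enrolled": True},
    {"id": "d2", "platform": "ios", "os_version": "17.2", "jailbroken": True,
     "screen_lock": True, "work_profile_enrolled": True},
    {"id": "d3", "platform": "android", "os_version": "13", "jailbroken": False,
     "screen_lock": False, "work_profile_enrolled": True},
]


def gate_all(devices=DEVICES):
    """Map device id -> (allowed, reasons) for the whole check-in batch."""
    return {d["id"]: evaluate_posture(d) for d in devices}


if __name__ == "__main__":
    for dev_id, (allowed, reasons) in gate_all().items():
        print(dev_id, "ALLOW" if allowed else "BLOCK", reasons)
```

The decision is deny-by-default: an unknown platform or a missing field blocks access rather than passing silently, and every reason is returned so the MDM log (the audit evidence in the table below) records why a device was refused.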
| BYOD Risk Scenario | Technical Control | Audit Evidence Required |
|---|---|---|
| Unmanaged Data Leakage | Containerisation & Managed Open-In. | MDM Policy configuration logs showing data restriction. |
| Insecure Device Access | MFA & Endpoint Posture Checks. | System logs proving MFA is required for all BYOD logins. |
| Termination Data Retention | Selective Remote Wipe. | Archive of “Certificate of Deletion” from MDM console. |
| Theft/Loss Availability | Full-Disk Encryption & Cloud Backup. | Screenshot of MDM dashboard showing 100% device encryption. |
How the ISO 27001 toolkit can help
The ISO 27001 toolkit is a collection of pre-written documents, policies, and templates. It’s like having a security expert guide you through the process. The toolkit provides you with a ready-made Asset Management Policy that you can easily adapt to your company, saving you a ton of time and effort.
| Feature | HighTable ISO 27001 Toolkit | Online SaaS Platforms |
|---|---|---|
| Data Ownership | Total. You keep your policy files and asset registers forever. You own the IP, not the tool vendor. | Conditional. You are effectively “renting” your compliance. Access is revoked the moment you stop paying. |
| Operational Simplicity | Instant. Built on industry-standard Word and Excel. No complex software to learn; your team is productive from day one. | Complex. Requires extensive staff training to navigate proprietary dashboards and vendor-specific workflows. |
| Total Cost of Ownership | Fixed. A one-off investment. No hidden fees, no per-user seats, and no recurring “SaaS Tax.” | Variable. Expensive monthly or annual subscriptions that scale with your headcount, creating long-term budget strain. |
| Vendor Freedom | 100%. No vendor lock-in. Your documentation is portable. Move your ISMS anywhere at any time without friction. | Locked. Exporting data from SaaS platforms is notoriously difficult, making it technically “sticky” and hard to leave. |
| Audit Readiness | Lead Auditor Approved. Standard formats that auditors are familiar with and can review offline without proprietary logins. | Dependency. Auditors must be given access to the platform, creating additional security and administrative overhead. |
Applicability of an ISO 27001 Asset Management Policy to Small Businesses, Tech Startups, and AI Companies
| Sector | Strategic Benefit | Implementation Example |
|---|---|---|
| Small Businesses | Provides a smart, organised framework to protect critical information like customer lists and financial records without requiring a massive budget. | Classifying a customer list as “confidential” to ensure it is never shared externally without formal management approval. |
| Tech Startups | Secures the “lifeblood” of the company—code and intellectual property—to build competitive edge and investor trust. | Storing source code in encrypted repositories with limited access and formalising access revocation for departing developers. |
| AI Companies | Safeguards high-value models, training data, and algorithms that are subject to strict privacy rules and proprietary value. | Ensuring training datasets are anonymised and encrypted, with access restricted solely to authorised data scientists. |
Information security standards that need an ISO 27001 Asset Management Policy
This asset management policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
| Standard / Regulation | Requirement & Technical Context |
|---|---|
| ISO 27001 | The core international standard requirement under Clause 5.9 for identifying, documenting, and protecting information assets. |
| GDPR | Mandates an inventory of processing activities (ROPA), requiring clear identification of where personal data assets are stored and handled. |
| CCPA | Requires safeguarding consumer privacy through systematic asset identification and the implementation of reasonable security procedures. |
| DORA | Essential for financial sector operational resilience, requiring detailed mapping of critical ICT assets and third-party dependencies. |
| NIS2 | Enhances supply chain security and risk management requirements, mandating strict asset governance for essential and important entities. |
| SOC 2 | Forms a key component of the Trust Services Criteria (TSC) regarding how an organisation identifies and manages its technical inventory. |
| NIST | Aligned with the NIST Cybersecurity Framework (CSF) ‘Identify’ function, focusing on asset management as the foundation of risk strategy. |
| HIPAA | Required for protecting PHI (Protected Health Information) through formal administrative safeguards and rigorous device and media controls. |
List of relevant ISO 27001:2022 controls
The ISO 27001 standard has specific controls that relate to asset management. Here are a few key ones:
| ISO 27001:2022 Control | Implementation Objective & Linkage |
|---|---|
| Annex A 5.9 | Inventory of information and other associated assets: Identification and documentation of all technical resources to ensure 100% visibility of the ISMS perimeter. |
| Annex A 5.10 | Acceptable use of information and other associated assets: Formalisation of rules and technical handling protocols for all staff and third-party users. |
| Annex A 5.11 | Return of assets: Managed decommissioning and technical recovery of hardware and data sets upon termination of employment or contracts. |
| Annex A 7.9 | Security of assets off-premises: Technical protection and physical security requirements for organisational assets used in remote or mobile environments. |
How to Document Secure Asset Disposal for ISO 27001
To provide auditable evidence of secure asset disposal, organisations must maintain a formal Asset Disposal Log that links decommissioned hardware to verified sanitisation outcomes. This process ensures that 100% of corporate data is unrecoverable, satisfying the strict requirements of Annex A 7.14 and providing Lead Auditors with the “Chain of Custody” needed for certification.
1. Formalise Data Sanitisation Standards
Define the technical method used for data destruction based on the asset’s classification. For Confidential data, execute a NIST 800-88 compliant “Purge” or “Destroy” method. Ensure that software-based wiping (e.g., Blancco) provides a tamper-proof record of the binary-level overwrite for every individual sector.
2. Execute Witnessed Physical Destruction
Provision a process for witnessing the physical destruction of high-sensitivity storage media (HDDs, SSDs, Flash). If using a third-party vendor, execute a contract that mandates an on-site shredding process or a secure, tracked transit route to a destruction facility to prevent mid-transit data theft.
3. Archive formal Certificates of Destruction (CoD)
Collect and archive a Certificate of Destruction (CoD) for every batch of assets. The CoD must include the asset’s unique serial number, the date of destruction, and the technical method used. This document is the primary artifact requested by auditors to verify the final stage of the asset lifecycle.
4. Update the Information Asset Register (IAR)
Execute a final update to the Information Asset Register to mark the asset as “Disposed.” Provision a cross-reference link in the register pointing to the specific Disposal Log entry or Certificate of Destruction, ensuring a closed-loop audit trail from acquisition to grave.
| Artifact Component | Auditor-Required Metadata | Compliance Value |
|---|---|---|
| Asset Identifier | Asset Tag ID and Manufacturer Serial Number. | Prevents “Ghost Assets” from remaining in the active inventory. |
| Sanitisation Method | NIST 800-88 Clear/Purge, Physical Shredding, or Degaussing. | Proves the organisation applied appropriate risk-based protection. |
| Chain of Custody | Name of internal witness or 3rd party vendor ID. | Ensures accountability throughout the disposal transit phase. |
| Proof of Outcome | Certificate of Destruction (CoD) reference number. | Provides the final, legally defensible evidence of data erasure. |
Information Asset Owner (IAO) Operational Checklist
To satisfy ISO 27001 Clause 5.3 and Annex A 5.9, Information Asset Owners (IAOs) must move beyond passive ownership to active lifecycle governance. This checklist defines the mandatory technical tasks required to maintain the Integrity and Availability of organisational assets, providing auditors with evidence of a functioning Information Security Management System (ISMS).
1. Execute Quarterly User Access Reviews (UAR)
Asset owners must conduct a formal review of permissions every 90 days. Provision a technical report of all users with access to the asset and revoke any permissions that are no longer required for the user’s current job role, ensuring the Principle of Least Privilege is strictly enforced.
2. Validate Technical Classification Labels
Verify that the asset is correctly classified according to the Information Classification Policy. IAOs must ensure that technical metadata tags (in cloud environments) or physical labels (on hardware) match the current sensitivity of the data, preventing accidental unauthorised disclosure.
3. Monitor Technical Vulnerability Status
Collaborate with the IT department to monitor the patch status of assigned hardware or software assets. IAOs are responsible for ensuring that critical security updates are executed within the timeframes defined in the Vulnerability Management Policy to mitigate known exploits.
4. Formalise Lifecycle Decommissioning
When an asset reaches the end of its business utility, the IAO must initiate the secure disposal process. Execute the handover to the technical team for sanitisation and ensure a Certificate of Destruction is linked to the asset record before it is removed from the active register.
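The quarterly User Access Review in step 1, as an added example that is not part of the original page. It compares an asset's current access list against a role-to-permission matrix, produces the revocation list the IAO signs off, and flags whether the 90-day window has lapsed. The role matrix, access list and dates are constructed sample data; permissions as plain string labels are an assumption.

```python
"""Added example (not from the page): a quarterly User Access Review (UAR)
check an Information Asset Owner can run over an asset's access list.

The access list, role matrix and review dates below are constructed sample
data; the 90-day interval is the one the checklist states.
"""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)

# Constructed role-to-permission matrix: what each job role legitimately needs
# on this asset (assumption: permissions are simple string labels).
ROLE_PERMISSIONS = {
    "data_scientist": {"read"},
    "data_engineer": {"read", "write"},
    "dba": {"read", "write", "admin"},
}

# Constructed current access list for the asset "customer-db".
ACCESS_LIST = [
    {"user": "alice", "role": "dba", "perms": {"read", "write", "admin"}},
    {"user": "bob", "role": "data_scientist", "perms": {"read", "write"}},   # excess write
    {"user": "carol", "role": "contractor_left", "perms": {"read"}},        # role no longer exists
    {"user": "dave", "role": "data_engineer", "perms": {"read"}},           # within entitlement
]


def excess_permissions(entry, role_perms=ROLE_PERMISSIONS):
    """Permissions held beyond what the user's current role justifies.
    An unknown (e.g. departed) role justifies nothing, so all of it is excess."""
    allowed = role_perms.get(entry["role"], set())
    return sorted(entry["perms"] - allowed)


def build_revocations(access_list=ACCESS_LIST, role_perms=ROLE_PERMISSIONS):
    """Revocation list for the UAR sign-off: {user: [perms to remove]}."""
    return {e["user"]: x for e in access_list if (x := excess_permissions(e, role_perms))}


def review_overdue(last_review_iso, today_iso):
    """True when more than 90 days have passed since the last signed review."""
    last_review = date.fromisoformat(last_review_iso)
    today = date.fromisoformat(today_iso)
    return today - last_review > REVIEW_INTERVAL


def uar_report(access_list=ACCESS_LIST, last_review="2024-01-15", today="2024-05-01"):
    """Evidence record for the IAO: what to revoke and whether the review is late."""
    return {
        "asset": "customer-db",
        "reviewed_on": today,
        "overdue": review_overdue(last_review, today),
        "revocations": build_revocations(access_list),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(uar_report(), indent=2))
```

The output is the artefact the table below calls the "Signed User Access Review (UAR) log": keep the report alongside the owner's sign-off, and treat a non-empty revocation list as a ticket to the team that administers the ACL, not as a change the review itself applies.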
| Task Category | Mandatory IAO Action | Audit Evidence Generated |
|---|---|---|
| Identification | Confirm asset location and technical format in the IAR. | Timestamped update in the Asset Register. |
| Protection | Approve and review access control lists (ACLs). | Signed User Access Review (UAR) log. |
| Maintenance | Report changes in business importance or risk level. | Risk Assessment update or Change Request. |
| Disposal | Authorise the sanitisation and removal of the asset. | Asset Decommissioning Sign-off form. |
How to Implement a Cloud Asset Inventory for ISO 27001
To implement a compliant ISO 27001 Cloud Asset Inventory, organisations must move beyond manual entry to automated discovery and tagging. This process ensures that ephemeral cloud resources, such as virtual machines, databases, and storage buckets, are identified and protected the moment they are provisioned, satisfying the rigorous technical demands of Annex A 5.9 in a modern DevOps environment.
1. Formalise a Global Resource Tagging Schema
Provision a mandatory tagging policy across all cloud providers (AWS, Azure, GCP). Execute automated “Deny” policies that block the creation of any resource lacking essential metadata, specifically: Owner, Environment (Prod/Dev), and Data Classification. This ensures 100% metadata coverage for every virtual asset.
2. Integrate Infrastructure as Code (IaC) State Files
Utilise Terraform or CloudFormation state files as a primary technical source for your Information Asset Register (IAR). By linking your register to your IaC pipeline, you ensure that the inventory is updated in real-time as resources are provisioned or destroyed, eliminating the risk of “Ghost Assets” or unmanaged Shadow IT.
3. Automate Continuous Resource Discovery
Execute automated discovery tools (e.g., AWS Config or Azure Resource Graph) to detect “Out-of-Band” resource creation. Provision alerts for any asset created manually through the console rather than the approved CI/CD pipeline, allowing the security team to identify and govern unmanaged technical risks immediately.
4. Monitor for Asset Configuration Drift
Establish a technical baseline for cloud asset configurations. Periodically execute drift detection scans to ensure that assets remain in their compliant state. This satisfies the Availability and Integrity requirements of ISO 27001 by preventing unauthorised or accidental changes to critical infrastructure settings.
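Steps 1 to 4 above, carried through in one added example (not code from the page, from Terraform, or from any cloud provider). It flattens a minimal Terraform state into an inventory, checks every live resource against the mandatory tags, lists resources that exist in the account but not in IaC state (the out-of-band creations step 3 wants alerted), and reports attribute drift against the IaC baseline. The state document and the "live" resource list are constructed; only the `resources[].instances[].attributes` subset of the real state format is assumed.

```python
"""Added example (not from the page): reconcile a cloud inventory against
IaC state, required tags and a configuration baseline.

All inputs are constructed sample data; the Terraform state shape is a
minimal subset of the real `terraform.tfstate` JSON (assumption: only the
`resources[].instances[].attributes` fields are used).
"""
import json

REQUIRED_TAGS = ("Owner", "Environment", "DataClassification")
ALLOWED_ENVIRONMENTS = {"Prod", "Dev"}

# Constructed Terraform state: two resources managed by the pipeline.
TF_STATE_JSON = json.dumps({
    "resources": [
        {"type": "aws_instance", "name": "web",
         "instances": [{"attributes": {"id": "i-0123", "instance_type": "t3.small",
                        "tags": {"Owner": "alice", "Environment": "Prod",
                                 "DataClassification": "Confidential"}}}]},
        {"type": "aws_s3_bucket", "name": "logs",
         "instances": [{"attributes": {"id": "acme-logs", "acl": "private",
                        "tags": {"Owner": "bob", "Environment": "Prod"}}}]},
    ]
})

# Constructed "live" view, as a discovery tool would report the account.
LIVE_RESOURCES = [
    {"id": "i-0123", "type": "aws_instance", "instance_type": "t3.medium",
     "tags": {"Owner": "alice", "Environment": "Prod", "DataClassification": "Confidential"}},
    {"id": "acme-logs", "type": "aws_s3_bucket", "acl": "private",
     "tags": {"Owner": "bob", "Environment": "Prod"}},
    {"id": "i-9999", "type": "aws_instance", "instance_type": "t3.micro",
     "tags": {"Owner": "carol", "Environment": "Staging"}},   # created via console
]


def iac_inventory(state_json):
    """Flatten Terraform state into {resource id: attributes} for the IAR."""
    state = json.loads(state_json)
    inv = {}
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            attrs = dict(inst.get("attributes", {}))
            attrs["type"] = res["type"]
            inv[attrs["id"]] = attrs
    return inv


def tag_violations(resource):
    """List of tagging-policy problems; empty means the resource is compliant."""
    tags = resource.get("tags", {})
    problems = [f"missing tag {t}" for t in REQUIRED_TAGS if t not in tags]
    env = tags.get("Environment")
    if env is not None and env not in ALLOWED_ENVIRONMENTS:
        problems.append(f"Environment={env!r} not in {sorted(ALLOWED_ENVIRONMENTS)}")
    return problems


def out_of_band(iac, live):
    """IDs present in the live account but absent from IaC state (shadow IT)."""
    return sorted(r["id"] for r in live if r["id"] not in iac)


def drift(iac, live, watched=("instance_type", "acl")):
    """Watched attributes that differ between the IaC baseline and the live resource."""
    findings = {}
    for r in live:
        base = iac.get(r["id"])
        if base is None:
            continue   # out-of-band resources have no baseline to drift from
        diffs = {k: (base.get(k), r.get(k)) for k in watched
                 if k in base and base.get(k) != r.get(k)}
        if diffs:
            findings[r["id"]] = diffs
    return findings


def reconcile(state_json=TF_STATE_JSON, live=LIVE_RESOURCES):
    """One report covering tagging, out-of-band creation and drift."""
    iac = iac_inventory(state_json)
    return {
        "tag_violations": {r["id"]: v for r in live if (v := tag_violations(r))},
        "out_of_band": out_of_band(iac, live),
        "drift": drift(iac, live),
    }


if __name__ == "__main__":
    print(json.dumps(reconcile(), indent=2))
```

Run on a schedule, the three findings map onto the evidence column of the table below: tag violations are what a "Deny" guardrail would have blocked at creation time, out-of-band IDs are the alerts step 3 asks for, and the drift entries are the input to the remediation that returns an asset to its baseline.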
| Cloud Asset Category | Automated Discovery Method | Auditor-Verified Evidence |
|---|---|---|
| Compute (EC2, Lambda) | IaC Pipeline & Provider APIs. | Terraform State File / CloudTrail Logs. |
| Storage (S3, Blobs) | Policy-as-Code (Guardrails). | Bucket Policy configuration export. |
| Networking (VPCs, SGs) | Resource Graph Queries. | Visual Network Map generated from API metadata. |
| IAM Roles & Secrets | Access Analysers. | Quarterly IAM Credential Report. |
How to Integrate Climate Action into ISO 27001 Asset Management
Lead Auditors are explicitly required to verify that organisations have considered climate change as a threat to the Availability of their information assets. This section provides the technical “Action-Result” framework for integrating climate resilience into your Asset Management lifecycle, ensuring your ISMS is aligned with the most recent version of the standard.
To comply with the ISO 27001:2024 Climate Action Amendment, organisations must evaluate how climate-related risks impact the Availability of information assets. This process involves identifying technical resources in high-risk zones and provisioning infrastructure redundancy to mitigate threats like extreme thermal stress and flooding, satisfying the requirements of Clause 4.1 and Annex A 5.30.
1. Assess Geospatial Asset Risk and Exposure
Execute a geospatial risk assessment for all physical assets (data centres, offices, and server rooms). Identify resources located in regions prone to flooding, wildfires, or extreme heat. Update the Information Asset Register (IAR) with a “Climate Risk Score” to ensure that the most vulnerable technical assets are prioritised for redundancy planning.
2. Enforce Thermal Stress and Longevity Standards
Provision technical environmental controls for physical hardware to counter rising global temperatures. Execute a review of HVAC (Heating, Ventilation, and Air Conditioning) capacity in server rooms to ensure hardware remains within manufacturer-specified operating ranges, preventing premature component failure and service outages caused by thermal throttling.
3. Diversify Cloud Asset Availability Zones
Mitigate regional climate disasters by technically diversifying cloud asset distribution. Provision multi-region or multi-availability zone (AZ) architectures for critical databases and workloads. By ensuring that backup data sets and compute resources are not co-located in the same climate-vulnerable region, you maintain 100% service availability during local environmental crises.
4. Update Disaster Recovery (DR) Climate Scenarios
Execute a formal update to your Disaster Recovery plans to include specific climate-driven scenarios, such as data centre power grid failure during extreme weather. Provision automated failover triggers that move technical assets to “Safe-Haven” infrastructure, providing auditors with evidence of a proactive and resilient Business Continuity Management (BCM) framework.
| Climate Threat | Asset Impact | Technical Mitigation & Evidence |
|---|---|---|
| Extreme Heat Waves | Hardware degradation; Cooling failure. | UPS & HVAC monitoring logs; Redundant cooling arrays. |
| Flood & Storm Surge | Physical destruction; Connectivity loss. | Off-site cloud replication; Geographic DR site testing logs. |
| Grid Instability | Data corruption; Downtime. | Automated failover to secondary Power Provider/SLA logs. |
| Supply Chain Disruptions | Hardware procurement delays. | Strategic spares inventory; Vendor resilience audit reports. |
Technical Comparison: Asset Inventory Tools for ISO 27001 Compliance
| Tool Category | Example Tool | Best For | Auditor Perspective |
|---|---|---|---|
| Manual / Toolkit | HighTable Excel Register | SMEs & Startups seeking rapid, low-cost certification. | High Trust. Auditors love the transparency of Excel; there are no “black box” algorithms hiding data. |
| Open Source | Snipe-IT | Tech-heavy teams requiring basic automation & QR tracking. | Good. Requires proof of self-hosting security and regular backups of the database to satisfy Annex A 5.37. |
| Enterprise ITSM | ServiceNow / Jira Service Management | Large organisations with complex, global supply chains. | Elite. Provides automated “Chain of Custody” logs, though often over-configured for smaller ISMS scopes. |
| Compliance SaaS | Vanta / Drata | Companies wanting automated continuous monitoring. | Conditional. Auditors check if the “Automation” is actually configured to match your specific risk profile. |
ISO 27001 Asset Management Policy FAQ
What is an asset management policy?
An asset management policy is a formal document that lays out the high-level strategy for managing an organisation’s physical and data assets. It serves as a statement of what you do (strategic intent), rather than how you do it (operational procedures). Detailed technical instructions are kept in separate operating documents to ensure the policy remains a stable governance anchor.
What is included in an asset management policy?
An ISO 27001 compliant asset management policy must contain, as a minimum:
- Document Version Control and Contents Page
- Defined Purpose and Scope
- Core Principles and Asset Inventory requirements
- Asset Ownership and Acceptable Use rules
- Return of Assets protocols
- Compliance measurement and Non-Compliance protocols
- Commitment to Continual Improvement
What is the purpose of the asset management policy?
The primary purpose of the asset management policy is the systematic identification and managed protection of assets. By defining what constitutes an asset and who is responsible for it, the policy eliminates “Shadow IT” and ensures that 100% of information processing devices are secured against unauthorised access or loss.
What is the scope of the asset management policy?
The scope of the asset management policy covers all company employees, external contractors, and third-party users. It applies to all organisational information and physical assets, including cloud data, hardware used for remote work, and proprietary intellectual property, ensuring a consistent security posture across the entire ISMS perimeter.
What is the principle behind the asset management policy?
The fundamental asset management principle is that all organisational assets must be known, identified, and managed with appropriate technical protections in place. This lifecycle approach ensures that information is secured from initial acquisition through to final secure disposal.
How do you record and manage assets?
Assets are recorded and managed via a formal Information Asset Register (IAR). This inventory must identify all processing, storing, and transmitting devices. For every asset, you must record the asset name, the designated owner, its business importance, and its technical classification (e.g. Confidential or Public).
What extra data is needed for physical assets?
For physical hardware, auditors expect to see additional technical metadata in your register, including the unique asset/serial number, current usage status, the date of the last technical check, and a functional description of the asset’s role in processing or transmitting data.
Who owns assets and what are they responsible for?
Assets are assigned to specific individuals, roles, or teams known as Asset Owners. These owners are technically accountable for ensuring assets are inventoried, correctly classified, and protected. They must also manage the secure deletion or destruction of the asset in line with the Information Handling Policy, though they may delegate routine maintenance tasks.
Is the asset management policy required for ISO 27001 certification?
Yes, the asset management policy is a mandatory requirement for ISO 27001 certification. It provides the governance framework needed to satisfy Annex A Controls 5.9, 5.10, and 5.11, which are critical for passing a Stage 2 certification audit.
Why is IT asset management important?
IT asset management (ITAM) is critical because you cannot secure what you do not know. 65% of security breaches involve unmanaged assets. Having an effective lifecycle—from purchase to disposal—allows you to apply consistent technical controls, reduce financial waste, and protect the data on which your business relies.
What is the difference between an asset and a resource?
In ISO 27001, an asset is something of specific value that you own or control (like a database), while a resource is a broader term for tools, funding, or personnel used to achieve a task. Your policy focuses on protecting assets to ensure business continuity.
What happens if we lose an asset?
The policy must include a response plan for lost assets, such as immediate reporting to the IT department. Technical controls like Remote Wipe (MDM) should be triggered immediately to prevent data leakage from lost hardware like encrypted laptops or mobile devices.
How often is the asset management policy reviewed?
The policy must be reviewed after any significant technical change and at least annually. This ensures the ISMS remains effective against new threats, such as AI-driven social engineering or infrastructure risks introduced by the 2024 Climate Action Amendment to ISO 27001.
