How to Audit ISO 27001 Annex A 5.9 Inventory of Information and Other Associated Assets

How to audit ISO 27001 Annex A 5.9

ISO 27001 Annex A 5.9 is a security control that mandates the identification and maintenance of a comprehensive record of information assets. The primary implementation requirement involves establishing a master inventory with assigned owners, delivering the business benefit of enhanced risk management and complete asset accountability across the entire ISMS scope.

Auditing the inventory of information and other associated assets ensures that an organisation maintains a complete, accurate, and accountable record of all resources within the Information Security Management System (ISMS) scope. This process is vital for risk management, as it ensures that every asset is identified, classified, and assigned a responsible owner to prevent data leakage or loss.

1. Formalise the Master Asset Register (MAR)

  • Inspect the centralised inventory to ensure it captures all information, software, physical, and service-based assets.
  • Verify that the register includes critical metadata such as asset name, description, and physical or logical location.
  • Requirement: Provision a Master Asset Register that acts as the single source of truth for all organisational assets.

2. Audit Asset Ownership and Accountability

  • Cross-reference assets in the register with specific individuals or IAM roles to ensure every asset has a designated owner.
  • Validate that owners are aware of their responsibilities regarding asset protection and classification.
  • Requirement: Assign accountability to ensure that assets are managed throughout their lifecycle.

3. Verify Unique Asset Identification

  • Audit physical assets for unique identification tags or serial numbers that match the records in the MAR.
  • Check that virtual assets, such as cloud instances or databases, have unique naming conventions or resource IDs.
  • Requirement: Provision unique identifiers to enable precise tracking and auditing of individual assets.

4. Review Information Classification and Valuation

  • Examine the classification labels applied to information assets to ensure they align with the organisation’s Data Classification Policy.
  • Verify that the valuation of assets is documented, reflecting their importance to business continuity.
  • Requirement: Formalise a classification scheme to apply appropriate security controls based on asset sensitivity.

5. Audit Software and Virtual Asset Inventories

  • Compare the list of authorised software against active installations on corporate workstations and servers.
  • Check for unauthorised or unlicensed software that could introduce security vulnerabilities.
  • Requirement: Provision a software inventory that includes versioning, licensing details, and patch status.

6. Validate Network and Infrastructure Mapping

  • Inspect network diagrams and configuration management databases (CMDB) to ensure that hardware such as routers and firewalls is inventoried.
  • Verify that all endpoints, including remote devices, are captured within the scope of the asset management process.
  • Requirement: Map the technical infrastructure to identify potential security gaps or unmanaged “Shadow IT” devices.

7. Audit Rules of Engagement (ROE) for Third-Party Assets

  • Review ROE documents and contracts for assets owned by third parties but used by the organisation.
  • Ensure that the inventory clearly distinguishes between internally owned assets and those provided by vendors.
  • Requirement: Formalise the tracking of external assets to ensure they meet internal security standards.

8. Inspect Asset Lifecycle and Review Frequency

  • Verify that the Asset Register is reviewed and updated at least annually or following significant infrastructure changes.
  • Check the audit logs for the MAR to confirm that regular reconciliation exercises have been performed.
  • Requirement: Document the review process to maintain the accuracy and relevance of the inventory over time.

9. Audit Secure Asset Disposal and Decommissioning

  • Examine records for decommissioned assets to verify that sensitive data was securely erased or destroyed.
  • Cross-reference disposal certificates with the MAR to ensure the status has been updated to “Disposed.”
  • Requirement: Revoke access and update the register immediately upon the end-of-life of any asset.

10. Evaluate Multi-Factor Authentication (MFA) for Asset Access

  • Audit the IAM roles associated with asset management tools to ensure only authorised personnel can modify inventory data.
  • Verify that MFA is enforced for all administrative access to the Asset Register and associated systems.
  • Requirement: Secure the integrity of the inventory by preventing unauthorised or anonymous modifications.
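Several of the checks above (unowned assets, owners no longer on the HR list, stale review dates, disposed assets still on the network, unregistered devices, unauthorised software) are reconciliations between exports that an auditor can script rather than eyeball. The following is an added example, not code from the article or from any asset-management product: it reconciles a constructed MAR export against constructed HR, discovery and software snapshots and emits one finding per control failure. The CSV column names, the finding codes, and the 365-day review threshold (taken from the "at least annually" requirement in step 8) are assumptions for the sake of illustration.

```python
"""Reconcile a Master Asset Register (MAR) export against HR, discovery and
software data to produce audit findings. Added example with constructed
sample data; it is not the article's or any vendor's code."""
import csv
import io
from datetime import date

# Constructed MAR export (CSV), as an auditor might receive it.
MAR_CSV = """asset_id,name,type,owner,classification,status,last_reviewed
A-0001,fileserver01,hardware,alice,Confidential,Active,2024-11-02
A-0002,crm-db,database,bob,Confidential,Active,2023-01-15
A-0003,laptop-017,hardware,,Internal,Active,2024-10-01
A-0004,laptop-009,hardware,carol,Internal,Disposed,2024-09-12
A-0005,fw-edge-1,hardware,dave,Restricted,Active,2024-12-20
"""

# Constructed HR export: user names of currently employed staff.
HR_ACTIVE = {"alice", "carol", "dave"}

# Constructed discovery export (network scan / endpoint agent inventory).
DISCOVERED_CSV = """hostname,serial
fileserver01,SN-1001
crm-db,SN-2002
laptop-009,SN-3003
print-svr-7,SN-4004
fw-edge-1,SN-5005
"""

# Constructed authorised-software list and per-device installation snapshot.
AUTHORISED_SOFTWARE = {"office", "browser", "edr-agent"}
INSTALLED_SOFTWARE = {
    "laptop-017": {"office", "browser", "edr-agent", "bittorrent-client"},
    "fileserver01": {"edr-agent"},
}


def load_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_register(mar_rows, hr_active, discovered_rows, installed, authorised,
                   today, max_review_age_days=365):
    """Return (finding_code, subject) tuples, one per control failure."""
    findings = []
    by_name = {r["name"]: r for r in mar_rows}
    discovered = {d["hostname"] for d in discovered_rows}

    for r in mar_rows:
        # Step 2: every asset needs an owner who is still employed.
        if not r["owner"]:
            findings.append(("NO_OWNER", r["asset_id"]))
        elif r["owner"] not in hr_active:
            findings.append(("OWNER_NOT_ACTIVE", r["asset_id"]))
        if r["status"] == "Active":
            # Step 8: active assets must have been reviewed within the period.
            reviewed = date.fromisoformat(r["last_reviewed"])
            if (today - reviewed).days > max_review_age_days:
                findings.append(("STALE_REVIEW", r["asset_id"]))
            # Step 6: registered hardware that discovery cannot see may be lost.
            if r["type"] == "hardware" and r["name"] not in discovered:
                findings.append(("REGISTERED_NOT_FOUND", r["asset_id"]))
        # Step 9: a disposed asset should no longer appear in discovery.
        elif r["status"] == "Disposed" and r["name"] in discovered:
            findings.append(("DISPOSED_BUT_PRESENT", r["asset_id"]))

    # Steps 1 and 6: anything discovered but unregistered is unmanaged.
    for name in sorted(discovered - by_name.keys()):
        findings.append(("NOT_IN_REGISTER", name))

    # Step 5: installed software outside the authorised list.
    for host, apps in sorted(installed.items()):
        for app in sorted(apps - authorised):
            findings.append(("UNAUTHORISED_SOFTWARE", f"{host}:{app}"))
    return findings


def run_audit(today="2025-01-15"):
    """Run the reconciliation over the constructed sample data."""
    return audit_register(load_csv(MAR_CSV), HR_ACTIVE, load_csv(DISCOVERED_CSV),
                          INSTALLED_SOFTWARE, AUTHORISED_SOFTWARE,
                          date.fromisoformat(today))


if __name__ == "__main__":
    for code, subject in run_audit():
        print(f"{code:<24} {subject}")
```

Each finding maps back to one audit step, so the output doubles as the evidence list for the working papers: the sample data yields an asset with no owner, an owner absent from HR, a register entry not reviewed for two years, a "Disposed" laptop still answering on the network, a printer nobody registered, and a peer-to-peer client on a laptop. Swap the constructed strings for real exports and keep the thresholds aligned with the organisation's own policy.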

ISO 27001 Annex A 5.9 Audit Implementation Matrix

| Audit Step | How to Audit | Common Examples |
|---|---|---|
| 1. Master Asset Register | Verify the existence of a central database containing all asset types. | MAR spreadsheet, CMDB export, Asset Management software logs. |
| 2. Asset Ownership | Sample 10 assets and confirm the listed owner is still active in the HR system. | IAM role reports, HR employee list, Signed ownership forms. |
| 3. Unique Identification | Physically inspect hardware serial numbers against the digital register. | QR code tags, Serial number logs, Asset ID labels. |
| 4. Classification | Check if “Confidential” files in the inventory have corresponding security controls. | Classification tags, Data handling policy, Sensitivity labels. |
| 5. Software Inventory | Perform a software audit on a sample of 5 devices to check for unapproved apps. | Add/Remove programs list, Software license certificates, Intune reports. |
| 6. Infrastructure Mapping | Compare server room physical hardware to the network topology map. | Network diagrams, Server rack layouts, IP address management (IPAM) logs. |
| 7. Third-Party ROE | Review vendor contracts for clauses regarding asset return and inventory. | SLA documents, Supplier ROE agreements, Vendor asset lists. |
| 8. Review Frequency | Examine the “Last Reviewed” date on the Asset Register. | Management review minutes, Version history logs, Internal audit reports. |
| 9. Secure Disposal | Review data wiping logs for 3 laptops retired in the last quarter. | Certificates of destruction, Blancco reports, Physical shredding receipts. |
| 10. MFA and IAM Access | Verify that administrative access to the MAR requires a second factor. | MFA configuration screenshots, IAM privilege logs, Access reviews. |

SaaS and GRC Platform Audit Failures

| Failure Point | SaaS/GRC Platform Limitation | Audit Risk |
|---|---|---|
| Physical Verification | Platforms cannot verify the physical existence or condition of hardware. | Assets are marked “Active” in the tool but have been lost or stolen. |
| Shadow IT Blindness | GRC tools only see integrated systems, ignoring unmanaged SaaS accounts. | Critical business data is stored in uninventoried, high-risk cloud apps. |
| Stale API Data | Reliance on API syncs leads to data lag if a connection fails or is misconfigured. | The auditor relies on outdated inventory data, missing recent asset changes. |
| Generic Classification | Automated tools often use “one-size-fits-all” labels that don’t match business reality. | Highly sensitive data is under-classified and lacks proper protection. |
| Lack of Owner Context | Platforms often assign “System Admin” as owner instead of a business head. | No individual is truly accountable for the asset’s security lifecycle. |
| Manual Intervention Gaps | Software cannot audit the “human” element of asset management and disposal. | Policies are ignored in practice despite the platform showing “Green” status. |
| No Physical Destruction Proof | Tools track status changes but cannot verify the validity of disposal certificates. | Regulatory fines for lack of proof regarding secure media destruction. |
| False Sense of Security | Dashboards prioritise “ticks” over technical accuracy and rigorous verification. | Security gaps remain hidden behind a facade of automated compliance. |
| Integration Silos | GRC tools struggle to reconcile data from multiple, non-compatible sources. | The inventory is fragmented, leading to duplicated or missing asset records. |
| Over-Reliance on Automation | Personnel stop performing manual checks, trusting the software implicitly. | Critical errors in the logic of the automation go unnoticed for months. |

About the author

Stuart Barker (ISO 27001 Ninja)
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
