If you want to make an Information Security Manager sweat, ask to see their Asset Inventory. It is the one document that is almost guaranteed to be out of date the moment it is saved.
For an auditor, Annex A 5.9 (formerly A.8.1.1 in the 2013 version) is a goldmine. It is the thread that, when pulled, often unravels the entire Information Security Management System (ISMS). If an organization doesn’t know what it has, it cannot possibly know if it is secure.
However, auditing the 2022 version of this control requires a shift in mindset. We aren’t just counting desktop computers anymore. We are looking for “Information and other associated assets.” Here is a practical guide on how to audit this control effectively, cut through the noise, and find the truth hiding in the spreadsheet.
Table of contents
- The Core Requirement: What Are You Testing?
- Step 1: The “Completeness” Check (Finding the Gaps)
- Step 2: The “Spot Check” (Testing Reality)
- Step 3: Auditing “Ownership” vs. “Custodianship”
- Step 4: The “Information” vs. “Assets” Distinction
- Step 5: Lifecycle Management (Return of Assets)
- Common Non-Conformities to Watch For
- Conclusion
The Core Requirement: What Are You Testing?
The control states that “an inventory of information and other associated assets, including owners, shall be developed and maintained.”
When auditing this, you are testing three specific attributes of the inventory:
- Completeness: Does it cover the whole scope? (Hardware, Software, Cloud, Data).
- Accuracy: Is the data in the list actually true?
- Ownership: Is there a human being responsible for every line item?
Step 1: The “Completeness” Check (Finding the Gaps)
Start by requesting the Asset Register. A common mistake is receiving a list that only contains physical hardware (laptops and servers). In 2024, this is a red flag.
The Auditor’s Test:
Compare the Asset Inventory against the organization’s Network Diagram or SaaS subscription list from Finance.
- If the Finance team is paying for “HubSpot” or “Salesforce,” but those tools are not in the Asset Inventory, you have a finding.
- If the Network Diagram shows a firewall in the London office, but the Inventory lists only “Head Office” equipment, you have a gap.
You are looking for “Shadow IT”—assets that exist in reality but not on paper.
Step 2: The “Spot Check” (Testing Reality)
Never trust the spreadsheet at face value. You need to perform a physical (or virtual) verification. This is the classic auditor move.
Option A: Sheet-to-Floor
Pick 5 random items from the list (e.g., “MacBook Serial #12345”). Ask the auditee to show you that specific device. If they can’t find it, or if it was sold six months ago, the “Maintenance” part of the control has failed.
Option B: Floor-to-Sheet
Pick a random item in the office (or a random server in the AWS console). Ask the auditee to find that item in the Asset Inventory. If it’s missing, the onboarding process is likely broken.
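Steps 1 and 2 both reduce to a two-way reconciliation: what is on the sheet but not on the floor, and what is on the floor but not on the sheet. The script below is an added example, not code from the article or from Hightable.io. It assumes the auditor has three exports in hand and stands them in with constructed inline lists: the Asset Inventory, the Finance SaaS subscription list, and a cloud console instance list. Product names and instance ids in it are placeholders.

```python
"""Two-way reconciliation of an asset inventory against independent sources.

Added example (not from the original article). All data is constructed:
the inventory, the Finance SaaS subscription list and the cloud console
export are small inline lists standing in for real CSV/API exports.
"""
import random

# Constructed asset register rows, shaped like a typical ISMS spreadsheet.
INVENTORY = [
    {"id": "LT-0001", "type": "laptop", "name": "MacBook Serial #12345", "owner": "J. Smith"},
    {"id": "SRV-0007", "type": "server", "name": "fileserver-basement", "owner": "IT Manager"},
    {"id": "SAAS-001", "type": "saas", "name": "Salesforce", "owner": "Sales Director"},
    {"id": "SAAS-002", "type": "saas", "name": "Old CRM", "owner": "Sales Director"},
    {"id": "VM-0100", "type": "vm", "name": "i-0aaa111", "owner": "IT Manager"},
]

# Constructed "floor" sources: what exists in reality according to records
# the ISMS does not control (Finance spend, the cloud console).
FINANCE_SAAS = ["Salesforce", "HubSpot", "Slack"]
CLOUD_INSTANCES = ["i-0aaa111", "i-0bbb222"]


def normalise(name: str) -> str:
    """Case- and whitespace-insensitive key so 'HubSpot ' and 'hubspot' match."""
    return " ".join(name.lower().split())


def reconcile(inventory, floor_names, asset_types):
    """Compare one slice of the inventory against an independent source.

    Returns (shadow, ghosts):
      shadow - on the floor but not on the sheet (Step 1, floor-to-sheet)
      ghosts - on the sheet but not on the floor (sheet-to-floor)
    """
    sheet = {normalise(a["name"]): a for a in inventory if a["type"] in asset_types}
    floor = {normalise(n): n for n in floor_names}
    shadow = sorted(floor[k] for k in floor.keys() - sheet.keys())
    ghosts = sorted(sheet[k]["name"] for k in sheet.keys() - floor.keys())
    return shadow, ghosts


def sample_for_spot_check(inventory, n=5, seed=None):
    """Pick n register rows for a sheet-to-floor walk (Step 2, Option A).

    A fixed seed makes the sample reproducible in the audit working papers.
    """
    rng = random.Random(seed)
    return [a["id"] for a in rng.sample(inventory, min(n, len(inventory)))]


def completeness_report(inventory=INVENTORY, finance=FINANCE_SAAS, cloud=CLOUD_INSTANCES):
    """Run both reconciliations and bundle the findings for the report."""
    saas_shadow, saas_ghosts = reconcile(inventory, finance, {"saas"})
    vm_shadow, vm_ghosts = reconcile(inventory, cloud, {"vm"})
    return {
        "saas_not_in_inventory": saas_shadow,   # Finance pays for it, ISMS unaware: Shadow IT
        "saas_not_in_finance": saas_ghosts,     # listed, but nobody pays for it: stale entry?
        "instances_not_in_inventory": vm_shadow,
        "instances_not_in_console": vm_ghosts,
    }


if __name__ == "__main__":
    for finding, items in completeness_report().items():
        print(f"{finding}: {items if items else 'none'}")
    print("spot-check sample:", sample_for_spot_check(INVENTORY, 3, seed=1))
```

Both directions matter: the "shadow" list is the Step 1 finding (Shadow IT), while the "ghosts" list is the sheet-to-floor failure, an entry that nobody pays for or that no longer exists in the console and so was never retired from the register.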
Step 3: Auditing “Ownership” vs. “Custodianship”
Annex A 5.9 explicitly requires “owners.” This is often misunderstood.
The Interview Question:
Pick a dataset, such as the “HR Employee Database.” Point to the “Owner” listed in the register (let’s say it says “IT Manager”).
Ask the IT Manager: “Are you the one who decides who gets access to this data, and how long it is kept?”
If they say, “No, the HR Director decides that; I just manage the server,” then the inventory is wrong. The IT Manager is the Custodian. The HR Director is the Owner. ISO 27001 requires the person with accountability to be listed.
Step 4: The “Information” vs. “Assets” Distinction
The 2022 update places heavy emphasis on Information. A compliant inventory should link the two.
What to look for:
Does the inventory acknowledge that “Customer PII” (Information) is stored on “AWS S3 Bucket” (Associated Asset)?
If the organization only lists the buckets and servers but has no record of the types of data inside them, they are missing the point of the control.
If you encounter an organization struggling to structure this relationship, it is often because they are using rigid, outdated spreadsheets. Hightable.io offers ISO 27001 toolkits with Asset Inventory templates that natively handle the link between information assets and their containers, which helps demonstrate compliance with this specific nuance of the 2022 standard.
Step 5: Lifecycle Management (Return of Assets)
Finally, check the “Maintain” part of the requirement. The best place to check this is in the Offboarding Records (Annex A 5.10).
The Audit Trail:
- Ask for a list of employees who left in the last 3 months.
- Pick one name.
- Check the Asset Inventory to see if their laptop was re-assigned to “IT Stock” or a new user.
- Check if their SaaS accounts (Slack, Email) were marked as “Deactivated” or removed.
If the inventory still lists the laptop as “Assigned to [Terminated Employee],” you have evidence that the inventory is not being maintained.
Common Non-Conformities to Watch For
1. The “Static” List
The “Date Last Updated” on the spreadsheet is 11 months ago. In a dynamic business, this is almost certainly inaccurate.
2. Vague Entries
Entries like “Laptops” (Quantity: 50) are not an inventory; they are a summary. You need individual identification (Serial Numbers or Asset Tags) to manage security risks effectively.
3. Ignoring Virtual Assets
The inventory lists the physical server in the basement but ignores the 50 Virtual Machines (VMs) running on it. Since those VMs hold the actual data, they must be inventoried.
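Steps 3 to 5 and the three non-conformities above are all checks on the quality of individual register rows rather than on coverage, so they can be run as one pass over the register. The script below is an added example, not code from the article or from Hightable.io, and goes slightly beyond the text by combining the checks into a single findings report. It assumes the register, the HR leavers list and a SaaS account export are available as the constructed inline data shown; the 180-day staleness threshold and the list of "generic" owner values that do not count as an accountable human are assumptions an auditor would set for the engagement.

```python
"""Record-quality and lifecycle checks over an asset register.

Added example, not from the original article. The register, the leavers
list and the SaaS account export are constructed inline; the thresholds
and the generic-owner list are assumptions for illustration.
"""
from datetime import date

# Constructed register rows. 'LT-BULK' is the "Laptops, Quantity: 50" anti-pattern.
REGISTER = [
    {"id": "LT-0001", "desc": "MacBook", "serial": "C02XY12345", "quantity": 1,
     "owner": "J. Smith", "assigned_to": "j.smith", "info_held": ["Customer PII"]},
    {"id": "LT-BULK", "desc": "Laptops", "serial": "", "quantity": 50,
     "owner": "IT", "assigned_to": "", "info_held": []},
    {"id": "LT-0002", "desc": "ThinkPad", "serial": "PF1ABC", "quantity": 1,
     "owner": "A. Jones", "assigned_to": "a.jones", "info_held": ["Internal"]},
    {"id": "S3-CUST", "desc": "AWS S3 bucket", "serial": "n/a", "quantity": 1,
     "owner": "", "assigned_to": "", "info_held": []},
]
REGISTER_LAST_UPDATED = date(2024, 1, 15)      # the spreadsheet's "Date Last Updated" cell
LEAVERS = {"a.jones": date(2024, 9, 30)}       # constructed HR offboarding record
SAAS_ACCOUNTS = [                              # constructed SaaS / identity provider export
    {"user": "a.jones", "app": "Slack", "status": "active"},
    {"user": "a.jones", "app": "Email", "status": "deactivated"},
    {"user": "j.smith", "app": "Slack", "status": "active"},
]

# Assumption: owner values that name a team or nothing, not an accountable person.
GENERIC_OWNERS = {"", "it", "it team", "tbc", "n/a"}


def stale_register(last_updated, today, max_age_days=180):
    """Non-conformity 1: the register has not been updated within the threshold."""
    return (today - last_updated).days > max_age_days


def vague_entries(register):
    """Non-conformity 2: summary rows instead of individually identified assets."""
    return [r["id"] for r in register if r["quantity"] > 1 or not r["serial"]]


def missing_owners(register):
    """Step 3: every row needs a named accountable owner, not a team name or a blank."""
    return [r["id"] for r in register if r["owner"].strip().lower() in GENERIC_OWNERS]


def unlinked_containers(register):
    """Step 4: assets with no record of the information they hold."""
    return [r["id"] for r in register if not r["info_held"]]


def leaver_findings(register, saas_accounts, leavers):
    """Step 5: assets and accounts still attached to people who have left."""
    still_assigned = [r["id"] for r in register if r["assigned_to"] in leavers]
    active_accounts = [f'{a["user"]}/{a["app"]}' for a in saas_accounts
                       if a["user"] in leavers and a["status"] != "deactivated"]
    return still_assigned, active_accounts


def audit(register=REGISTER, today=date(2024, 12, 1)):
    """Bundle all checks into one findings dict for the working papers."""
    assigned, accounts = leaver_findings(register, SAAS_ACCOUNTS, LEAVERS)
    return {
        "stale_register": stale_register(REGISTER_LAST_UPDATED, today),
        "vague_entries": vague_entries(register),
        "missing_owners": missing_owners(register),
        "unlinked_containers": unlinked_containers(register),
        "assets_still_assigned_to_leavers": assigned,
        "leaver_accounts_still_active": accounts,
    }


if __name__ == "__main__":
    for finding, result in audit().items():
        print(f"{finding}: {result}")
```

The owner check can only catch the obvious cases (blank or team-name owners); the Custodian-versus-Owner confusion from Step 3 still needs the interview question, because "IT Manager" is a named role that a script cannot tell apart from the real decision-maker.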
Conclusion
Auditing Annex A 5.9 is about verifying visibility. You are checking if the organization has a clear map of its territory. If they don’t know where their assets are or who owns them, every other control—from Access Control to Patch Management—is built on shaky ground.
By focusing your audit on the link between physical assets and the information they hold, and by rigorously testing the ownership and lifecycle processes, you ensure the control is actually delivering value, not just filling a row in a spreadsheet.
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.