In this ultimate how-to audit guide to ISO 27001 Annex A 5.9, Inventory of Information and Other Associated Assets, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Formalise the Master Asset Register (MAR)
- 2. Audit Asset Ownership and Accountability
- 3. Verify Unique Asset Identification
- 4. Review Information Classification and Valuation
- 5. Audit Software and Virtual Asset Inventories
- 6. Validate Network and Infrastructure Mapping
- 7. Audit Rules of Engagement (ROE) for Third-Party Assets
- 8. Inspect Asset Lifecycle and Review Frequency
- 9. Audit Secure Asset Disposal and Decommissioning
- 10. Evaluate Multi-Factor Authentication (MFA) for Asset Access
- ISO 27001 Annex A 5.9 Audit Implementation Matrix
- SaaS and GRC Platform Audit Failures
ISO 27001 Annex A 5.9 is a security control that mandates the identification and maintenance of a comprehensive record of information assets. The primary implementation requirement involves establishing a master inventory with assigned owners, delivering the business benefit of enhanced risk management and complete asset accountability across the entire ISMS scope.
Auditing the inventory of information and other associated assets ensures that an organisation maintains a complete, accurate, and accountable record of all resources within the Information Security Management System (ISMS) scope. This process is vital for risk management, as it ensures that every asset is identified, classified, and assigned a responsible owner to prevent data leakage or loss.
1. Formalise the Master Asset Register (MAR)
- Inspect the centralised inventory to ensure it captures all information, software, physical, and service-based assets.
- Verify that the register includes critical metadata such as asset name, description, and physical or logical location.
- Requirement: Provision a Master Asset Register that acts as the single source of truth for all organisational assets.
2. Audit Asset Ownership and Accountability
- Cross-reference assets in the register with specific individuals or IAM roles to ensure every asset has a designated owner.
- Validate that owners are aware of their responsibilities regarding asset protection and classification.
- Requirement: Assign accountability to ensure that assets are managed throughout their lifecycle.
3. Verify Unique Asset Identification
- Audit physical assets for unique identification tags or serial numbers that match the records in the MAR.
- Check that virtual assets, such as cloud instances or databases, have unique naming conventions or resource IDs.
- Requirement: Provision unique identifiers to enable precise tracking and auditing of individual assets.
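Steps 1 to 3 can be turned into repeatable checks that run over an exported register before the audit visit. The script below is an added example and is not part of this guide or of any toolkit; it runs over a constructed sample register, and the column names (asset_id, name, description, location, asset_type, owner) are assumptions about how the register is laid out. It reports an entry that lacks core metadata (step 1), an entry with no owner (step 2), and identifiers that are missing or reused (step 3).

```python
"""Automated checks over a Master Asset Register for Annex A 5.9 (added example)."""
from collections import Counter

# Core metadata every register entry is expected to carry (step 1).
# Field names are assumptions about the register export, not a standard.
METADATA_FIELDS = ("name", "description", "location", "asset_type")

# Constructed sample register with deliberately imperfect rows.
SAMPLE_REGISTER = [
    {"asset_id": "SRV-0001", "name": "HR database server", "description": "PostgreSQL host for HR data",
     "location": "DC1 rack 4", "asset_type": "physical", "owner": "head-of-hr"},
    {"asset_id": "SRV-0002", "name": "Web frontend", "description": "Customer portal VM",
     "location": "cloud:eu-west-1", "asset_type": "virtual", "owner": ""},            # no owner
    {"asset_id": "SRV-0001", "name": "Backup appliance", "description": "Nightly backups",
     "location": "DC1 rack 5", "asset_type": "physical", "owner": "it-ops"},          # reused identifier
    {"asset_id": "", "name": "Payroll SaaS", "description": "Third-party payroll service",
     "location": "saas", "asset_type": "service", "owner": "finance-lead"},           # no identifier
    {"asset_id": "APP-0010", "name": "CRM", "description": "",
     "location": "", "asset_type": "software", "owner": "sales-ops"},                 # missing metadata
]


def _label(row):
    """Traceable label for a finding: the asset_id if present, else the asset name."""
    return row.get("asset_id") or f"<no id: {row.get('name', '?')}>"


def check_metadata(register):
    """Step 1: every entry carries the core metadata fields, none left blank."""
    findings = []
    for row in register:
        missing = [f for f in METADATA_FIELDS if not str(row.get(f, "")).strip()]
        if missing:
            findings.append((_label(row), "metadata", "missing fields: " + ", ".join(missing)))
    return findings


def check_ownership(register):
    """Step 2: every entry names a responsible owner (individual or IAM role)."""
    return [(_label(row), "ownership", "no owner assigned")
            for row in register if not str(row.get("owner", "")).strip()]


def check_identification(register):
    """Step 3: every entry has an identifier, and no identifier is shared."""
    findings = []
    seen = Counter()
    for row in register:
        asset_id = str(row.get("asset_id", "")).strip()
        if not asset_id:
            findings.append((_label(row), "identification", "no asset identifier recorded"))
        else:
            seen[asset_id] += 1
    for asset_id, count in sorted(seen.items()):
        if count > 1:
            findings.append((asset_id, "identification", f"identifier used by {count} entries"))
    return findings


def audit_register(register):
    """Run all three checks; the register passes only when no finding is raised."""
    findings = check_metadata(register) + check_ownership(register) + check_identification(register)
    return {"entries": len(register), "findings": findings, "passed": not findings}


if __name__ == "__main__":
    result = audit_register(SAMPLE_REGISTER)
    print(f"{result['entries']} entries, {len(result['findings'])} findings, "
          f"{'PASS' if result['passed'] else 'FAIL'}")
    for label, check, detail in result["findings"]:
        print(f"  [{check}] {label}: {detail}")
```

Each finding carries the asset it applies to, so the output doubles as the evidence list an auditor would ask the asset owners to close before the certification audit.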