ISO 27001 Physical Asset Register 2022

You cannot control what you do not know, so the ISO 27001 physical asset register is the record of every item that stores, transmits or processes data. There are some key things to record about each asset.

Think of it as a detailed list of all your company’s physical stuff. It’s a key part of keeping your business’s information safe and sound, especially if you’re aiming for an ISO 27001 certification.

Shadow Asset Discovery: Are you missing these?

Auditors frequently find “Shadow Assets” that aren’t on the register. Check these 5 categories instantly to ensure Annex A 5.9 compliance:

  • Intangibles: Proprietary algorithms, brand reputation, and source code.
  • SaaS Accounts: Slack, Trello, or Jira instances used by specific teams.
  • Removable Media: Encrypted backup drives or technical hardware tokens.
  • Virtual Assets: API Keys, SSL Certificates, and Domain Names.
  • BYOD: Personal phones or laptops used to access company email.

Lead Auditor Tip: If you checked more than 2, your current register is technically non-compliant. Secure these assets to avoid a Major Non-Conformity.

What is the ISO 27001 Physical Asset Register?

“Physical asset register” is just a fancy name for an inventory of all your physical assets: the things you can touch and see. It isn’t just a list, though; it’s a way to keep track of who uses what, where it’s located, and how important it is. It’s an essential document for showing you’re serious about protecting your assets.

ISO 27001 Asset Register: Implementation & Technical Governance Overview

Compliance Aspect | Strategic Description & Purpose | Technical Application & Scope
------------------|---------------------------------|------------------------------
Why You Need It | Demonstrates technical oversight to auditors. It facilitates risk identification, theft prevention, and lifecycle maintenance tracking. | Annex A 5.9 compliance & risk management
When You Need It | Required from the point of hardware procurement. It is a fundamental component for achieving and maintaining ISO 27001 certification. | Asset onboarding & ISMS planning
Where You Need It | Applicable to every physical and virtual item that supports business operations, including laptops, servers, routers, and secure access keys. | Comprehensive infrastructure inventory
How to Write It | Construct a centralised register (spreadsheet or tool) capturing Asset Name, Unique ID, Location, Responsible Owner, and Business Importance Level. | Asset classification & accountability mapping

Applicability to Small Businesses, Tech Startups, and AI Companies

This asset register is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.

ISO 27001 Physical and Virtual Asset Register: Sector-Specific Applicability & Practical Examples

Organisation Type | Strategic Benefit & Compliance Value | Practical Inventory Examples
------------------|--------------------------------------|-----------------------------
Small Businesses | Vital for tracking even limited hardware suites. Ensures foundational protection for customer data stored on local laptops and servers. | Individual developer laptops mapped to specific users, unique asset IDs for hardware, and physical location logs for on-site servers.
Tech Startups | Builds a scalable security culture by accounting for physical innovation infrastructure and facility security systems. | High-performance developer workstations, server racks located in co-location facilities, and biometric office access control systems.
AI Companies | Critical for protecting high-capital core business assets including machine learning hardware and massive storage arrays. | Specialised GPU clusters (high-end graphics cards), dedicated servers for AI model training, and high-speed network interconnects.

How to implement the ISO 27001 asset register

To implement an ISO 27001 asset register, you must identify every physical and virtual item that processes information. This formalised inventory satisfies Annex A 5.9 and 5.10, ensuring that technical accountability and acceptable use rules are enforced across your entire infrastructure for 2026 certification audits.

Step 1: Define Inventory Scope and Categories

Provision a centralised list to categorise all hardware, software, and information assets within the ISMS boundary. This prevents “Shadow Assets” from creating unmanaged security risks.

  • Action: Audit server rooms, cloud consoles, and HR equipment logs.
  • Result: A formalised categorisation of assets including laptops, cloud instances, and proprietary datasets.

Step 2: Assign Technical and Business Ownership

Formalise accountability by assigning a specific owner to every asset entry. Owners are responsible for the security maintenance and lifecycle of the items they control.

  • Action: Map assets to specific IAM roles or department heads in the register.
  • Result: Clear accountability that satisfies the auditor’s requirement for asset governance.

Step 3: Classify Asset Criticality and CIA Values

Determine the importance of each asset based on Confidentiality, Integrity, and Availability (CIA). This classification dictates the level of technical protection required.

  • Action: Assign “High”, “Medium”, or “Low” tags based on data sensitivity levels.
  • Result: A prioritised risk profile that informs your Statement of Applicability (SoA).

Step 4: Establish Acceptable Use Policies

Link every asset class to an Acceptable Use Policy (AUP) to satisfy Annex A 5.10. Users must know the technical constraints for handling company assets.

  • Action: Distribute usage guidelines and require MFA for all virtual asset access.
  • Result: Reduced internal threat profile and documented proof of user compliance.

Step 5: Define Secure Disposal Procedures

Revoke access and sanitise hardware when assets reach end-of-life. You must prove to auditors that data remains protected during equipment decommissioning.

  • Action: Provision secure wipe protocols and collect serialised destruction certificates.
  • Result: A closed-loop lifecycle that prevents accidental data leakage.
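The five steps above fit in a small data model, shown here as an added example rather than the template the page sells. It assumes its own field names and rules: every entry needs a unique ID and a named owner (Steps 1 and 2), criticality is derived from High/Medium/Low Confidentiality, Integrity and Availability ratings (Step 3), an asset class links to an Acceptable Use Policy reference (Step 4), and an asset can only be decommissioned against a serialised certificate of destruction (Step 5). The sample assets are constructed.

```python
"""Minimal ISO 27001-style asset register covering Steps 1 to 5 (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

CIA_LEVELS = {"Low": 1, "Medium": 2, "High": 3}          # Step 3 rating scale (assumed)
CATEGORIES = {"hardware", "cloud", "software", "information"}  # Step 1 categories (assumed)


@dataclass
class Asset:
    asset_id: str                 # unique ID (Step 1)
    name: str
    category: str
    location: str
    owner: str                    # IAM role or department head (Step 2)
    confidentiality: str          # "Low" | "Medium" | "High" (Step 3)
    integrity: str
    availability: str
    aup_ref: Optional[str] = None          # Acceptable Use Policy the class is bound to (Step 4)
    status: str = "Active"                 # "Active" | "In Storage" | "Lost" | "Decommissioned"
    destruction_cert: Optional[str] = None  # serialised certificate of destruction (Step 5)

    @property
    def criticality(self) -> str:
        """Business importance is the highest of the three CIA ratings."""
        top = max(CIA_LEVELS[r] for r in (self.confidentiality, self.integrity, self.availability))
        return next(name for name, level in CIA_LEVELS.items() if level == top)


class AssetRegister:
    def __init__(self) -> None:
        self._assets: Dict[str, Asset] = {}

    def add(self, asset: Asset) -> Asset:
        """Reject what an auditor would reject: duplicate IDs, unknown categories,
        missing owners and CIA ratings outside the schema."""
        if asset.asset_id in self._assets:
            raise ValueError(f"duplicate asset id {asset.asset_id}")
        if asset.category not in CATEGORIES:
            raise ValueError(f"unknown category {asset.category!r} for {asset.asset_id}")
        if not asset.owner.strip():
            raise ValueError(f"{asset.asset_id} has no responsible owner")
        for rating in (asset.confidentiality, asset.integrity, asset.availability):
            if rating not in CIA_LEVELS:
                raise ValueError(f"invalid CIA rating {rating!r} for {asset.asset_id}")
        self._assets[asset.asset_id] = asset
        return asset

    def reassign_owner(self, asset_id: str, new_owner: str) -> Asset:
        """A leaver changes the owner field; the row is never deleted."""
        if not new_owner.strip():
            raise ValueError("new owner must be named")
        asset = self._assets[asset_id]
        asset.owner = new_owner
        return asset

    def decommission(self, asset_id: str, destruction_cert: Optional[str]) -> Asset:
        """Step 5: leaving service requires disposal evidence; the row stays as audit trail."""
        if not destruction_cert:
            raise ValueError(f"{asset_id}: disposal requires a serialised certificate of destruction")
        asset = self._assets[asset_id]
        asset.status = "Decommissioned"
        asset.destruction_cert = destruction_cert
        return asset

    def missing_aup(self) -> List[str]:
        """Step 4 gap list: in-service assets with no Acceptable Use Policy linked."""
        return sorted(a.asset_id for a in self._assets.values()
                      if a.status != "Decommissioned" and not a.aup_ref)

    def by_criticality(self) -> Dict[str, List[str]]:
        """Group in-service assets by criticality to feed the risk assessment and SoA."""
        groups: Dict[str, List[str]] = {"High": [], "Medium": [], "Low": []}
        for a in self._assets.values():
            if a.status != "Decommissioned":
                groups[a.criticality].append(a.asset_id)
        return groups


def build_sample_register() -> AssetRegister:
    """Constructed sample inventory, not real assets."""
    reg = AssetRegister()
    reg.add(Asset("LT-012", "Developer laptop", "hardware", "Home Office",
                  "head-of-engineering", "High", "Medium", "Low", aup_ref="AUP-ENDPOINT"))
    reg.add(Asset("CLD-004", "Production Kubernetes cluster", "cloud", "eu-west-1",
                  "role:platform-admin", "High", "High", "High", aup_ref="AUP-CLOUD"))
    reg.add(Asset("PRN-002", "Office printer", "hardware", "HQ Floor 2",
                  "office-manager", "Low", "Low", "Medium"))   # no AUP yet: a Step 4 gap
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("by criticality:", reg.by_criticality())
    print("assets without an AUP:", reg.missing_aup())
    reg.decommission("PRN-002", "CoD-2026-0042")
    print("after disposal:", reg.by_criticality())
```

Deleting a decommissioned row is the mistake the FAQ warns about later (forgotten hardware); keeping the row with its status and certificate number is what gives the auditor the closed loop.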

ISO 27001 Asset Register Template

The ISO 27001:2022 Physical Asset Register Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre written and ready to go. It is included in the ISO 27001 toolkit.

How the ISO 27001 Toolkit Can Help

Instead of starting from scratch, you can get a head start with an ISO 27001 toolkit. This includes pre-made templates for things like your physical asset register. They can save you tons of time and make sure you’ve got all the right fields and information to comply with the standard.

Technical Comparison: ISO 27001 Toolkit Templates vs. SaaS Platforms for Asset Registers

Strategic Factor | HighTable ISO 27001 Toolkit | Online SaaS Platforms
-----------------|-----------------------------|----------------------
Data Ownership | Permanent sovereignty: you own your asset register files forever. You host them on your own secure infrastructure; you never “rent” your compliance data. | Conditional access: your data is hosted on third-party servers. If you stop paying the subscription, you typically lose access to your audit evidence.
Operational Simplicity | Instant adoption: built on industry-standard Excel and Word. Every team member is already proficient, requiring zero hours of specialist software training. | High learning curve: requires extensive team onboarding to navigate proprietary interfaces and rigid, non-standardised workflows.
Total Cost of Ownership | Fixed capital expense: a transparent, one-off fee. There are no hidden costs, seat-based pricing, or inflationary annual price hikes. | Compounded operational expense: expensive monthly or annual subscriptions that accumulate over time, often costing thousands more over a 3-year cycle.
Vendor Freedom | Zero lock-in: your ISMS is completely portable. You can move, edit, or migrate your asset register without technical barriers or “export fees.” | Proprietary lock-in: migration is intentionally difficult. Switching providers often requires manual data re-entry and significant technical friction.

Information security standards that need it

This asset register is a key part of ISO 27001, the international standard for managing information security. Other standards that need it include:

Global Information Security Standards and Regulations Requiring an Asset Register

Standard / Regulation | Framework Category | Inventory Requirement Summary
----------------------|--------------------|------------------------------
ISO 27001 | International Standard (ISMS) | Mandatory inventory of information and associated assets under Annex A 5.9.
GDPR | Statutory Regulation (UK/EU) | Requirement to maintain a Record of Processing Activities (ROPA) and hardware oversight.
CCPA | Statutory Regulation (US) | Mandates data mapping and inventory of consumer personal information assets.
DORA | Financial Regulation (EU) | Strict requirements for the register of ICT assets and third-party service dependencies.
NIS2 | Critical Infrastructure Directive | Enhanced inventory management for essential and important entities across member states.
SOC 2 | Attestation Framework | Trust Services Criteria require the identification of all system components and assets.
NIST | Security Framework (US) | The ‘Identify’ function prioritises physical and software asset inventory (ID.AM).
HIPAA | Healthcare Regulation (US) | Mandates a hardware and electronic media inventory for PHI protection.

List of relevant ISO 27001:2022 controls

The ISO 27001:2022 standard has specific controls that relate to a physical asset register. Some of the most important ones include:

ISO 27001:2022 Controls Mapping for Physical and Virtual Asset Registers

Control Reference | Control Title | Technical Requirement Summary
------------------|---------------|------------------------------
Annex A 5.9 | Inventory Of Information And Other Associated Assets | Mandates a formalised record of all information assets to ensure accountability and technical lifecycle management.
Annex A 5.10 | Acceptable Use Of Information And Other Associated Assets | Requires documented rules and technical constraints for personnel handling physical and virtual infrastructure.
Annex A 5.11 | Return Of Assets | Ensures that all hardware and storage media are successfully returned and decommissioned upon termination of employment.
Annex A 7.9 | Security Of Assets Off-Premises | Focuses on the technical protection of assets (laptops, mobile devices, media) while utilised outside the organisational perimeter.

How to Discover Shadow IT Assets for ISO 27001

Shadow IT Discovery: Finding Assets You Forgot to Record

A primary audit failure is failing to account for “Shadow Assets”—technology used by employees without formal IT oversight. If these assets process company data, they must be in your Annex A 5.9 register. Check these four high-risk categories to ensure your inventory is auditor-ready:

  • Departmental SaaS Accounts: Marketing, Sales, or HR tools (e.g., Canva, Calendly, or Monday.com) purchased on corporate cards but not integrated with SSO.
  • Development “Side-Projects”: Testing servers in personal AWS/Azure accounts or unmanaged GitHub repositories containing proprietary source code.
  • Ephemeral Cloud Instances: Virtual machines or Docker containers spun up for a task and forgotten, still connected to the production network.
  • Physical IoT Devices: Smart TVs in boardrooms, Wi-Fi-enabled printers, or office security cameras that transmit data across your infrastructure.

Lead Auditor Tip: I always check the company’s Expense Logs against the Asset Register. If I see a subscription for a data-processing tool that isn’t on your list, you will receive a non-conformity. Use your finance records to find hidden virtual assets.
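The expense-log cross-check in the tip above can be run as a script before the auditor does it by hand. This is an added example, not the page's template: the card-statement CSV layout, the merchant-to-vendor alias map, the register entries and the SSO-integrated app list are all constructed assumptions. Merchants the alias map does not recognise are deliberately not assumed harmless; they are returned for manual classification so that a new data-processing tool cannot hide behind an unfamiliar billing name.

```python
"""Reconcile corporate card spend against the asset register to surface shadow SaaS (added example)."""
import csv
import io
import re
from typing import Dict, Set

# Constructed card-statement export (sample data, not real transactions).
EXPENSE_CSV = """\
date,cardholder,merchant,amount,description
2026-01-03,a.lee,SLACK TECHNOLOGIES INC,96.00,Team messaging
2026-01-05,b.khan,CANVA PTY LTD,12.99,Design tool for marketing
2026-01-09,c.ortiz,CALENDLY LLC,10.00,Scheduling
2026-01-11,a.lee,AMAZON WEB SERVICES,54.20,Test server
2026-01-14,d.mo,COSTA COFFEE,4.50,Client meeting
2026-01-20,b.khan,Canva Pty Ltd,12.99,Design tool for marketing
"""

# Normalised merchant string -> vendor of a data-processing tool (assumed alias map).
KNOWN_VENDORS: Dict[str, str] = {
    "slack technologies inc": "slack",
    "canva pty ltd": "canva",
    "calendly llc": "calendly",
    "amazon web services": "aws",
}
# Vendor -> asset ID for tools already on the Annex A 5.9 register (constructed).
REGISTERED_VENDORS: Dict[str, str] = {"slack": "SAAS-001", "aws": "CLD-004"}
# Vendors whose logins are governed by single sign-on (constructed).
SSO_INTEGRATED: Set[str] = {"slack", "aws"}


def normalise_merchant(merchant: str) -> str:
    """Lower-case and collapse whitespace so 'Canva Pty Ltd' and 'CANVA PTY LTD' match."""
    return re.sub(r"\s+", " ", merchant.strip().lower())


def reconcile_expenses(expense_csv: str, known_vendors: Dict[str, str],
                       registered: Dict[str, str], sso_integrated: Set[str]) -> dict:
    """Return shadow subscriptions (known data-processing vendor that is absent from
    the register) with payer, spend to date and SSO coverage, plus the merchants
    nobody has classified yet."""
    shadow: Dict[str, dict] = {}
    unclassified: Set[str] = set()
    for row in csv.DictReader(io.StringIO(expense_csv)):
        merchant = normalise_merchant(row["merchant"])
        vendor = known_vendors.get(merchant)
        if vendor is None:
            unclassified.add(merchant)      # unknown billing name: needs a human decision
            continue
        if vendor in registered:
            continue                        # governed asset, nothing to report
        entry = shadow.setdefault(vendor, {"cardholders": set(), "spend": 0.0,
                                           "sso": vendor in sso_integrated})
        entry["cardholders"].add(row["cardholder"])
        entry["spend"] = round(entry["spend"] + float(row["amount"]), 2)
    return {"shadow": shadow, "unclassified": sorted(unclassified)}


if __name__ == "__main__":
    result = reconcile_expenses(EXPENSE_CSV, KNOWN_VENDORS, REGISTERED_VENDORS, SSO_INTEGRATED)
    for vendor, info in result["shadow"].items():
        print(f"SHADOW ASSET {vendor}: paid by {sorted(info['cardholders'])}, "
              f"spend {info['spend']:.2f}, SSO governed: {info['sso']}")
    print("merchants needing classification:", result["unclassified"])
```

Each shadow finding is already most of a register row (owner from the cardholder, cost centre from the card, SSO status as the first control gap), so the output can be pasted into the register rather than just filed as a non-conformity.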

ISO 27001 Asset to Risk Traceability Matrix

Traceability: Linking Assets to Clause 6.1.2 Risk Assessment

In a high-maturity ISMS, your Asset Register (Annex A 5.9) and your Risk Assessment (Clause 6.1.2) are technically inseparable. Every asset identified in your inventory represents a potential target for threats. To achieve certification, you must demonstrate a clear line of traceability from the asset to its evaluated risk and final technical control.

Traceability Matrix: Asset Inventory to Risk Treatment

Asset Class (5.9) | Threat Scenario | Risk Assessment Link (6.1.2) | Technical Control (Annex A)
------------------|-----------------|------------------------------|----------------------------
Cloud Infrastructure | Unauthorised access / data breach | ID: RISK-04 (High Impact) | 8.15 (Logging) & 5.17 (Authentication)
Developer Laptops | Physical theft / malware injection | ID: RISK-12 (Medium Impact) | 8.1 (User End Point Devices)
Proprietary Code | Intellectual property (IP) theft | ID: RISK-07 (Critical Impact) | 5.32 (IP Rights) & 8.33 (Source Code)
Customer PII | Regulatory non-compliance (GDPR) | ID: RISK-01 (High Impact) | 5.31 (Legal Requirements)

Lead Auditor Tip: During a Stage 2 audit, I will pick a random asset from your register and ask: “Where is the risk assessment for this item?” If you cannot show a direct link to your risk register, you are failing Clause 6.1.2(b). Your Asset Register is the map; your Risk Assessment is the shield.

ISO 27001 Asset Classification & Handling Matrix

Your Asset Register is technically incomplete without a defined classification schema. Under Annex A 5.12, you must categorise assets based on their sensitivity to ensure appropriate levels of protection are applied. Use the following criteria to standardise your inventory labels:

Technical Criteria: Information and Asset Classification Labels

Classification Label | Technical Description & Criteria | Mandatory Handling Controls
---------------------|----------------------------------|----------------------------
Restricted / Critical | Assets containing “Crown Jewel” IP, root encryption keys, or regulated health data (PHI). | MFA + Hardware Security Module (HSM) + monthly access audit.
Confidential | Standard customer PII, internal financial records, and proprietary source code. | Encryption at rest/in transit + RBAC + signed NDA.
Internal | Employee handbooks, non-sensitive project plans, and company-wide communications. | Standard corporate IAM + secure VPN access.
Public | Marketing materials, published whitepapers, and public website hardware. | No specific integrity controls required beyond standard server hardening.

Lead Auditor Tip: If I see every asset marked as “Confidential” by default, I know you haven’t performed a real classification exercise. Effective classification allows you to focus your security budget on the Restricted assets that actually matter. Ensure your physical labels (asset tags) match these register entries.
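The two auditor questions raised in the traceability and classification sections above (“where is the risk assessment for this item?” and “has a real classification exercise been done?”) can be automated over the register. The checks below are an added example, not a page or toolkit artefact: the register rows, risk IDs, the control-token vocabulary that stands in for the handling controls in the table, and the 80 % “one label everywhere” threshold are all constructed assumptions.

```python
"""Register audit checks: Clause 6.1.2 traceability and Annex A 5.12 classification (added example)."""
from collections import Counter
from typing import Dict, List, Set

# Handling controls each label requires, expressed as tokens (assumed vocabulary
# mirroring the classification table: HSM, MFA, encryption, RBAC, NDA, IAM, VPN).
REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "Restricted": {"MFA", "HSM", "MONTHLY_ACCESS_AUDIT"},
    "Confidential": {"ENC_AT_REST", "ENC_IN_TRANSIT", "RBAC", "NDA"},
    "Internal": {"CORP_IAM", "VPN"},
    "Public": set(),
}

# Constructed register rows (not real assets); each deliberately exercises one gap.
REGISTER: List[dict] = [
    {"id": "CLD-004", "label": "Confidential", "risks": ["RISK-04"],
     "controls": {"ENC_AT_REST", "ENC_IN_TRANSIT", "RBAC", "NDA"}},
    {"id": "LT-012", "label": "Confidential", "risks": ["RISK-12"],
     "controls": {"ENC_AT_REST", "RBAC", "NDA"}},                   # transit encryption missing
    {"id": "REPO-001", "label": "Restricted", "risks": ["RISK-07"],
     "controls": {"MFA", "HSM", "MONTHLY_ACCESS_AUDIT"}},
    {"id": "DB-002", "label": "Confidential", "risks": [],
     "controls": {"ENC_AT_REST", "ENC_IN_TRANSIT", "RBAC", "NDA"}},  # no risk link at all
    {"id": "WEB-001", "label": "Public", "risks": ["RISK-99"], "controls": set()},  # dangling risk ID
    {"id": "WIKI-001", "label": "Secret", "risks": ["RISK-01"], "controls": set()},  # label outside schema
]
RISK_REGISTER: Set[str] = {"RISK-01", "RISK-04", "RISK-07", "RISK-12"}  # constructed


def traceability_gaps(register: List[dict], risk_register: Set[str]) -> dict:
    """Assets with no risk entry, and assets citing risk IDs the risk register does not contain."""
    unlinked = [a["id"] for a in register if not a["risks"]]
    dangling = {a["id"]: [r for r in a["risks"] if r not in risk_register] for a in register}
    dangling = {asset_id: ids for asset_id, ids in dangling.items() if ids}
    return {"unlinked_assets": unlinked, "dangling_risk_ids": dangling}


def classification_gaps(register: List[dict],
                        required: Dict[str, Set[str]] = REQUIRED_CONTROLS) -> dict:
    """Labels outside the schema, and assets missing a handling control their label mandates."""
    unknown_labels = [a["id"] for a in register if a["label"] not in required]
    missing: Dict[str, List[str]] = {}
    for a in register:
        needed = required.get(a["label"])
        if needed is not None and not needed <= a["controls"]:
            missing[a["id"]] = sorted(needed - a["controls"])
    return {"unknown_labels": unknown_labels, "missing_controls": missing}


def classification_is_degenerate(register: List[dict], threshold: float = 0.8) -> bool:
    """True when a single label covers at least `threshold` of the register: the
    'everything is Confidential' pattern that signals no real classification exercise."""
    if not register:
        return False
    top_count = Counter(a["label"] for a in register).most_common(1)[0][1]
    return top_count / len(register) >= threshold


if __name__ == "__main__":
    print("traceability:", traceability_gaps(REGISTER, RISK_REGISTER))
    print("classification:", classification_gaps(REGISTER))
    print("degenerate labelling:", classification_is_degenerate(REGISTER))
```

Run against a real export, the first two functions give the exact rows an auditor will pick on; the third is a cheap signal, not proof, and the threshold should be tuned to the organisation's actual mix of asset types.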

ISO 27001 BYOD & Remote Asset Governance Matrix

Managing assets in a remote environment requires a transition from physical location tracking to Technical State Management. Under Annex A 6.7, you must implement measures to protect information accessed, processed, or stored at remote sites. If your staff use personal devices for work (BYOD), those devices must be governed by your register.

  • MDM Enrollment: All remote assets (Company or BYOD) should be enrolled in Mobile Device Management (MDM) to enforce encryption and allow for remote wipes.
  • Virtual Identification: Assign a unique ID to the “Virtual Instance” of a user’s workspace, not just the physical hardware.
  • Endpoint Verification: Use Zero-Trust principles to verify the security posture of an asset before allowing connection to the corporate VPN or SaaS environment.
  • De-provisioning Protocol: Establish a clear technical “Kill Switch” procedure to revoke access to all virtual assets immediately upon employee termination.

Technical Comparison: Corporate-Owned vs. BYOD Assets

Control Area | Corporate-Owned Asset | BYOD (Personal) Asset
-------------|-----------------------|----------------------
Asset Registry | Serial number + technical specs | Virtual UUID + user agreement
Access Control | Full admin rights for IT | Containerised / managed app level
Disposal / Termination | Physical return & secure wipe | Remote revocation & data purge

Lead Auditor Tip: A common 2026 audit failure is the “BYOD Gap.” If your staff use personal phones for Slack or Email, but those phones aren’t on your register and aren’t governed by a Remote Working Policy, you are in breach of Annex A 6.7. Your register must reflect the logical asset, even if you don’t own the physical one.

ISO 27001 Storage Media Management Matrix

Storage Media Governance (Annex A 8.3)

Removable storage media is a high-vulnerability asset class. Under Annex A 8.3, you must implement procedures for the management of removable media in accordance with your classification schema. If an external drive contains Restricted or Confidential data, it must be governed by the following technical controls:

Technical Controls: Removable Media & Physical Storage Protection

Media Type | Mandatory Technical Control | Audit Evidence Required
-----------|-----------------------------|------------------------
External SSDs / USBs | AES-256 encryption (FIPS 140-2 validated). | Encryption status log from endpoint management.
Physical Backup Tapes | Segregated, fireproof storage with Restricted access. | Access control log for the physical safe/vault.
Optical Media (CD/DVD) | Strict prohibition or cryptographic signing. | Acceptable Use Policy (AUP) sign-off.
Decommissioned Media | Serial-matched physical destruction (shredding). | Serialised Certificate of Destruction (CoD).

Lead Auditor Tip: One of the fastest ways to fail a Stage 2 audit is to have unencrypted USB drives found in a desk drawer. Your Physical Asset Register must explicitly state whether removable media is “Active” or “In Storage,” and your technical policy should mandate cryptographic erasure before any media is repurposed or disposed of.
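The audit evidence column above pairs each media entry with an endpoint-management encryption log and, for decommissioned media, a serialised certificate of destruction. The check below joins the two, as an added example that is not from the page or any endpoint-management vendor: the media register rows, the `key=value` log line format and its field names, and the rule that Restricted or Confidential media must show AES-256 with FIPS validation are all constructed assumptions. It keeps only the latest log line per serial, so a drive that was encrypted last week but re-imaged unencrypted yesterday is reported, and it treats a sensitive drive with no log evidence at all as a finding rather than a pass.

```python
"""Cross-check removable media register rows against endpoint encryption log lines (added example)."""
import re
from typing import Dict, List

# Constructed media register rows (not real assets).
MEDIA_REGISTER: List[dict] = [
    {"id": "USB-0007", "serial": "SN-A1B2", "label": "Confidential", "status": "Active", "cod": None},
    {"id": "USB-0008", "serial": "SN-C3D4", "label": "Internal", "status": "Active", "cod": None},
    {"id": "SSD-0021", "serial": "SN-E5F6", "label": "Restricted", "status": "In Storage", "cod": None},
    {"id": "USB-0003", "serial": "SN-G7H8", "label": "Confidential", "status": "Decommissioned", "cod": None},
    {"id": "USB-0004", "serial": "SN-J9K0", "label": "Confidential", "status": "Decommissioned",
     "cod": "CoD-2026-0112"},
    {"id": "TAPE-0001", "serial": "SN-L1M2", "label": "Restricted", "status": "Active", "cod": None},
]

# Constructed endpoint-management export; the line format is an assumption, not a vendor schema.
ENCRYPTION_LOG = """\
2026-01-15T09:12:03Z host=LT-042 serial=SN-A1B2 encryption=aes256 fips=yes
2026-01-15T09:40:11Z host=LT-017 serial=SN-C3D4 encryption=none fips=no
2026-01-15T10:02:45Z host=LT-042 serial=SN-E5F6 encryption=aes256 fips=no
this line is corrupt and must not abort the check
2026-01-16T08:30:00Z host=LT-042 serial=SN-A1B2 encryption=none fips=no
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) serial=(?P<serial>\S+) "
                    r"encryption=(?P<enc>\S+) fips=(?P<fips>yes|no)$")
SENSITIVE_LABELS = {"Restricted", "Confidential"}


def latest_encryption_state(log_text: str) -> Dict[str, dict]:
    """Latest record per serial; ISO-8601 UTC timestamps sort correctly as strings."""
    state: Dict[str, dict] = {}
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue                      # skip malformed lines rather than fail the whole check
        rec = match.groupdict()
        if rec["serial"] not in state or rec["ts"] > state[rec["serial"]]["ts"]:
            state[rec["serial"]] = rec
    return state


def media_findings(register: List[dict], log_text: str) -> Dict[str, str]:
    """Map asset ID -> finding for every register row that fails the media controls."""
    state = latest_encryption_state(log_text)
    findings: Dict[str, str] = {}
    for media in register:
        if media["status"] == "Decommissioned":
            if not media["cod"]:
                findings[media["id"]] = "decommissioned without serialised certificate of destruction"
            continue
        if media["label"] not in SENSITIVE_LABELS:
            continue                      # Internal/Public media: no encryption mandate assumed
        rec = state.get(media["serial"])
        if rec is None:
            findings[media["id"]] = "no encryption status evidence in endpoint log"
        elif rec["enc"] != "aes256":
            findings[media["id"]] = f"unencrypted ({rec['enc']})"
        elif rec["fips"] != "yes":
            findings[media["id"]] = "encryption not FIPS 140-2 validated"
    return findings


if __name__ == "__main__":
    for asset_id, reason in media_findings(MEDIA_REGISTER, ENCRYPTION_LOG).items():
        print(f"FINDING {asset_id}: {reason}")
```

The “Active” versus “In Storage” status the tip asks for is carried on each row; both are in-service states, so both are held to the encryption requirement, and only “Decommissioned” switches the check to the certificate of destruction.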

ISO 27001 Physical Asset Register FAQ

What is an ISO 27001 physical asset register used for?

An ISO 27001 physical asset register is used to record the physical devices that store, process or transmit data through an organisation. It records key control information because we cannot protect what we do not know about; therefore, we must record all devices to ensure 100% visibility across the ISMS.

How does an information security asset register differ from an accounting asset register?

An information security asset register only includes assets that process, store or transmit data. In contrast, an accounting asset register is a list of all fiscal assets and includes non-technical items such as screens, chairs, desks, and computer mice, which do not carry the same security risk profile.

What does an ISO 27001 physical asset register contain?

It contains a list of assets that process, store or transmit data along with control information: who owns the asset, its purpose, data processed, classification, criticality, physical characteristics, last review date/reviewer, and the current status of encryption and anti-virus software.

Where can I download an ISO 27001 physical asset register template?

An ISO 27001 physical asset register template can be downloaded from High Table: The ISO 27001 Company. This template is pre-configured to meet Annex A 5.9 requirements for technical audits.

What is the best format for an ISO 27001 physical asset register?

A spreadsheet (XLS/XLSX) works best for an ISO 27001 physical asset register. This format allows easy sorting, filtering by owner or review date, and simple integration into Risk Assessments (Clause 6.1.2) without the complexity of proprietary software.

What if I lose an item?

If an item is lost, you must mark it as “lost” in your register immediately, note the date, and initiate a search or incident response procedure. This provides a clear audit trail of the loss and triggers necessary security actions like remote wipes.

Does my physical asset register need to be digital?

No, it can be on paper, but a digital spreadsheet is significantly easier to manage, update, and secure. For ISO 27001 compliance, digital records provide better version control and accessibility during external audits.

What’s the difference between this and a regular inventory list?

This register is specifically focused on information security and is a mandatory requirement of the ISO 27001 standard. A regular inventory list tracks quantity and cost, whereas a security register tracks protection, ownership, and technical risk.

Do I need to track office furniture?

Not usually, unless the furniture holds a significant volume of sensitive information, such as a high-security filing cabinet. ISO 27001 focuses on the assets that present a risk to the Confidentiality, Integrity, or Availability of data.

Should I include software in this register?

No, software is documented in a different register. This inventory is dedicated exclusively to “physical stuff”—the hardware and tangible equipment that forms your infrastructure.

How often should I update the asset register?

You should update your register every time you add or remove an asset. Real-time updates are industry best practice, as statistics show 25% of audit failures occur due to “forgotten” hardware that was decommissioned but never removed from records.

What if an item is off-site?

You still track it and note its location, such as “Home Office” or “Remote.” Annex A 7.9 specifically requires the protection of assets off-premises, so documenting their location is vital for compliance.

Can one person manage the whole register?

Yes, but it is good business practice to have a backup person who understands the workflow. This ensures business continuity and prevents a single point of failure within your ISMS governance structure.

What if I have too many items?

You can group similar items together, such as “Dell Laptops (x15),” but for high-value or high-risk items, it is better to list each one separately with its own unique ID to ensure granular accountability.

What if a piece of equipment is old?

You must still track it! Even old equipment can be a security risk if it stores data or connects to your network. Tracking ensures it is properly sanitised and disposed of at the end of its lifecycle.

What if someone leaves the company?

You would update the owner field in the register and ensure the asset is successfully returned. This satisfies Annex A 5.11 (Return of Assets), which is a key check during termination of employment audits.

What if my company is all remote?

You still need to track all the equipment you have provided to your employees. Physical boundaries do not negate the requirement for an inventory; in fact, remote operations make a digital asset register even more critical.
