In this ultimate how-to-implement guide to ISO 27001 Annex A 5.9 Inventory of Information and Other Associated Assets, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Inventory of Assets Implementation Checklist
- 1. Establish the Master Asset Register
- 2. Execute a Physical Hardware Audit
- 3. Perform Automated Network Discovery
- 4. Audit Cloud Resources via API/Tagging
- 5. Uncover Shadow IT via Financial Records
- 6. Assign Specific Human Owners
- 7. Classify Information Assets
- 8. Map Information to Containers
- 9. Define Asset Return Procedures
- 10. Schedule Quarterly Asset Reconciliations
Implementing ISO 27001 Annex A 5.9 is the strategic foundation of identifying, classifying, and managing a comprehensive Inventory of Assets to ensure complete visibility over the organization’s attack surface. It requires establishing specific ownership for every hardware, software, and data component, enabling effective risk treatment and preventing security gaps caused by Shadow IT or unmanaged resources.
ISO 27001 Inventory of Assets Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.9. Compliance with this control requires a comprehensive, verified list of every hardware, software, and data asset you own, managed in a dynamic register rather than a static GRC placeholder.
1. Establish the Master Asset Register
Control Requirement: An inventory of information and other associated assets, including owners, shall be developed and maintained.
Required Implementation Step: Create a centralized ‘Master Asset Register’ using a high-availability spreadsheet (Excel/CSV) or a dedicated IT Asset Management (ITAM) database like Snipe-IT. Do not rely on the ‘Assets’ module of a GRC tool unless it dynamically syncs with your infrastructure. Define columns for: Asset ID, Type, Description, Owner, Location, Classification, and Status.
Minimum Requirement: A single source of truth file named master-asset-register.xlsx stored in a restricted access folder.
2. Execute a Physical Hardware Audit
Control Requirement: All physical assets must be identified.
Required Implementation Step: Physically walk the floor and audit the server room. Verify that every laptop, server, firewall, and switch has a unique Asset Tag sticker. Cross-reference this physical check against your purchasing records (invoices). If you are remote, require staff to submit a photo of the asset tag on the back of their company-issued laptop.
Minimum Requirement: A completed stocktake log comparing physical serial numbers to purchase orders.
3. Perform Automated Network Discovery
Control Requirement: Assets connected to the network must be identified.
Required Implementation Step: Run a network scan (using tools like Nmap, Lansweeper, or OpenVAS) to identify every IP address on your subnet. Identify ‘rogue’ devices that appear on the network but are not in your Master Asset Register. Investigate and document them immediately.
Minimum Requirement: A network scan report showing 100% correlation between active IP addresses and the Asset Register.
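The following Python script is an added worked example, not code from this guide or from the Ultimate ISO 27001 Toolkit, showing how steps 1 and 3 fit together: it checks a Master Asset Register against the column set defined in step 1 (flagging assets with no owner or duplicate IDs), parses Nmap grepable output (nmap -sn -oG -) to get the hosts that were up, and reconciles the two to produce the rogue-device list and correlation figure step 3 asks for. It assumes the register carries an extra IP Address column (not one of the step 1 columns) so scan results can be matched, and both the register rows and the scan output are constructed sample data, not a real organisation's records.

```python
"""Reconcile an Nmap host-discovery scan against a Master Asset Register."""
import csv
import io
import re

# Columns named in step 1 of the checklist, plus an assumed "IP Address"
# column so that network scan results can be correlated with the register.
REGISTER_COLUMNS = ["Asset ID", "Type", "Description", "Owner", "Location",
                    "Classification", "Status", "IP Address"]

# Constructed sample register (not real data). AST-0004 deliberately has
# no owner, and AST-0003 is marked Retired so the scan can catch it.
SAMPLE_REGISTER = """\
Asset ID,Type,Description,Owner,Location,Classification,Status,IP Address
AST-0001,Server,File server,Jane Doe,Server room,Confidential,Active,10.0.1.10
AST-0002,Firewall,Perimeter firewall,Jane Doe,Server room,Internal,Active,10.0.1.11
AST-0003,Server,Old build server,Sam Lee,Server room,Internal,Retired,10.0.1.12
AST-0004,Laptop,Finance laptop,,Remote,Confidential,Active,10.0.1.20
"""

# Constructed sample of Nmap grepable output (nmap -sn -oG - <subnet>).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sn -oG - 10.0.1.0/24
Host: 10.0.1.10 (fileserver.example.internal)\tStatus: Up
Host: 10.0.1.11 ()\tStatus: Up
Host: 10.0.1.12 ()\tStatus: Up
Host: 10.0.1.99 ()\tStatus: Up
# Nmap done: 256 IP addresses (4 hosts up) scanned
"""

# "Host: <ip> (<hostname>)<tab>Status: Up" lines from -oG output.
HOST_UP_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+Up\s*$")


def load_register(csv_text):
    """Parse the register CSV (exported from the spreadsheet) into row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def validate_register(rows):
    """Return audit findings about the register itself: missing columns,
    duplicate Asset IDs, and assets with no named owner."""
    problems = []
    present = set(rows[0].keys()) if rows else set()
    for col in REGISTER_COLUMNS:
        if col not in present:
            problems.append(f"missing column: {col}")
    seen = set()
    for row in rows:
        asset_id = row.get("Asset ID", "")
        if asset_id in seen:
            problems.append(f"duplicate Asset ID: {asset_id}")
        seen.add(asset_id)
        if not row.get("Owner", "").strip():
            problems.append(f"no owner assigned: {asset_id}")
    return problems


def parse_nmap_grepable(text):
    """Return the set of IP addresses Nmap reported as Up."""
    live = set()
    for line in text.splitlines():
        match = HOST_UP_RE.match(line)
        if match:
            live.add(match.group(1))
    return live


def reconcile(rows, live_ips):
    """Compare what is on the network with what the register says (step 3)."""
    registered = {r["IP Address"] for r in rows if r["IP Address"]}
    active = {r["IP Address"] for r in rows
              if r["Status"] == "Active" and r["IP Address"]}
    return {
        # Seen on the network but absent from the register: investigate now.
        "rogue": sorted(live_ips - registered),
        # Register says retired, but the host still answers: register is stale.
        "retired_but_live": sorted(live_ips & (registered - active)),
        # Register says active, but the scan did not see it: confirm or retire.
        "missing": sorted(active - live_ips),
        # Share of live hosts that map to an Active register entry (target 100%).
        "correlation": len(live_ips & active) / len(live_ips) if live_ips else 1.0,
    }


if __name__ == "__main__":
    register = load_register(SAMPLE_REGISTER)
    for problem in validate_register(register):
        print("REGISTER:", problem)
    report = reconcile(register, parse_nmap_grepable(SAMPLE_SCAN))
    for key in ("rogue", "retired_but_live", "missing"):
        print(f"{key}: {report[key]}")
    print(f"correlation: {report['correlation']:.0%}")
```

On the sample data the script reports 10.0.1.99 as rogue, 10.0.1.12 as retired-but-live, 10.0.1.20 as missing, and a 50% correlation, which is the kind of gap the scan report in the minimum requirement above is meant to expose. Running it against a real export means replacing the two sample strings with the register CSV and the saved -oG file; the register validation is cheap enough to run every time the file changes.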