How to Implement ISO 27001:2022 Annex A 5.9: Inventory of Information and Other Associated Assets

If you have ever tried to clean a garage, you know the golden rule: you cannot organize what you do not know you have. The same logic applies to information security. You cannot secure your customer data, your intellectual property, or your financial records if you don’t actually know where they are.

This is the core premise of ISO 27001:2022 Annex A 5.9. Previously known simply as “Inventory of Assets” in the 2013 version, the 2022 update has been renamed to “Inventory of information and other associated assets.” It sounds like a mouthful, but the change is significant. It shifts the focus from just counting laptops to understanding the information those laptops hold.

Implementing this control is often the first real step in building an Information Security Management System (ISMS). Here is how to get it right without turning your life into a never-ending spreadsheet.

Understanding the Requirement: Information vs. Associated Assets

The standard requires you to identify, document, and maintain an inventory of information and other associated assets. But what does that distinction actually mean?

Think of it like a letter in an envelope:

  • The Information is the letter itself—the content, the data, the value.
  • The Associated Asset is the envelope, the mailbox, or the mail truck—the container that processes, stores, or transmits that information.

To implement Annex A 5.9 effectively, you need to track both. You need to know that you have a “Customer Database” (Information) and that it lives on “AWS Production Server 01” (Associated Asset).

Step 1: The Discovery Phase

You cannot build an inventory sitting at your desk. You have to go out and find the assets. In a modern business, assets are rarely just physical objects; they are digital, cloud-based, and ephemeral.

Start by interviewing your department heads. Ask the Marketing lead what tools they use. Ask the Developers where they store code. You are looking for:

  • Information: Databases, contracts, source code, research data, personnel files.
  • Hardware: Laptops, servers, mobile devices, removable media.
  • Software: Licenses, SaaS subscriptions (Salesforce, Slack, Microsoft 365).
  • Physical: Key cards, filing cabinets, secure rooms.

Step 2: Assigning Ownership

Every single item in your inventory needs an Owner. This is non-negotiable.

A common mistake is assigning everything to the IT Manager. This is wrong. The IT Manager might look after the server (Custodian), but the Sales Director owns the customer data on it (Owner). The Owner is the person who has the authority to make decisions about that asset—who gets access, how it is classified, and when it is deleted.

If an asset doesn’t have an owner, nobody is responsible for securing it. And if nobody is responsible, it isn’t secure.

Step 3: Building the Inventory (The Register)

Now you need to write it down. You don’t need expensive Asset Management software to be compliant; a well-structured spreadsheet works perfectly for most organizations. However, it must contain specific details to be useful.

Your inventory should include:

  • Asset Name: Unique identifier (e.g., “HR-LAPTOP-04”).
  • Type: (Hardware, Software, Information, Service).
  • Owner: (Job title or individual name).
  • Location: (e.g., London Office, Azure Cloud East-US).
  • Classification: (Confidential, Internal, Public).

If you are starting from scratch, creating this structure can be tedious. Using pre-built templates can save hours of formatting and ensure you don’t miss critical columns. Hightable.io offers specialized ISO 27001 toolkits with Asset Inventory templates that are pre-configured to handle the “Associated Assets” nuance of the 2022 standard, making this step significantly faster.
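As an added illustration (not code from the article or from Hightable's toolkits), here is a small Python check over a constructed register that flags the gaps Steps 2 and 3 describe: missing owners, duplicate identifiers, values outside the allowed Type and Classification lists, and Information assets that do not point at a registered associated asset. The "Stored On" column is an assumption added here to record the letter-and-envelope link between an information asset and the asset that holds it.

```python
import csv
import io
from collections import Counter

# Constructed sample register (not from the article). "Stored On" is an assumed
# extra column so that each Information row names the associated asset holding it.
SAMPLE_REGISTER = """\
Asset Name,Type,Owner,Location,Classification,Stored On
Customer Database,Information,Sales Director,AWS eu-west-1,Confidential,AWS-PROD-01
AWS-PROD-01,Hardware,IT Manager,AWS eu-west-1,Internal,
HR-LAPTOP-04,Hardware,,London Office,Internal,
Source Code,Information,Head of Engineering,GitHub,Confidential,GITHUB-ORG
HR-LAPTOP-04,Hardware,HR Manager,London Office,Secret,
"""

ALLOWED_TYPES = {"Hardware", "Software", "Information", "Service"}
ALLOWED_CLASSIFICATIONS = {"Confidential", "Internal", "Public"}


def load_register(text):
    """Parse a CSV register into a list of row dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_nonconformities(rows):
    """Return (asset name, problem) tuples for every gap an auditor would flag."""
    problems = []
    names = Counter(r["Asset Name"] for r in rows)
    known = set(names)                      # every identifier present in the register
    for name, count in names.items():
        if count > 1:                       # Step 3: the identifier must be unique
            problems.append((name, "asset name is not unique"))
    for r in rows:
        name = r["Asset Name"]
        if not r["Owner"].strip():          # Step 2: ownership is non-negotiable
            problems.append((name, "no owner assigned"))
        if r["Type"] not in ALLOWED_TYPES:
            problems.append((name, f"unknown type {r['Type']!r}"))
        if r["Classification"] not in ALLOWED_CLASSIFICATIONS:
            problems.append((name, f"unknown classification {r['Classification']!r}"))
        if r["Type"] == "Information":      # the letter must sit in a registered envelope
            holder = r["Stored On"].strip()
            if not holder:
                problems.append((name, "information asset has no associated asset"))
            elif holder not in known:
                problems.append((name, f"associated asset {holder!r} is not in the register"))
    return problems


if __name__ == "__main__":
    for asset, problem in find_nonconformities(load_register(SAMPLE_REGISTER)):
        print(f"{asset}: {problem}")
```

Run against the sample it reports the duplicate laptop entry, its missing owner, the invalid "Secret" classification, and the source code repository pointing at an envelope that was never registered.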

Step 4: Managing the Lifecycle

An inventory is a living document. A static list created in January and ignored until December is a non-conformity waiting to happen.

You need to link your inventory to your business processes:

  • Onboarding: When a new employee starts, log their laptop and accounts immediately.
  • Offboarding: When they leave, check the inventory to ensure those assets are returned and accounts disabled.
  • Procurement: When you buy new software, add it to the list.

Common Implementation Pitfalls

Granularity Paralysis: Do not list every mouse, keyboard, and HDMI cable. Focus on assets that have value or pose a risk. If losing it wouldn’t hurt the business, it probably doesn’t need to be in the ISO 27001 inventory.

Shadow IT: This is the biggest challenge. Your inventory says you use Teams, but half the company is on WhatsApp. Conducting regular audits or “asset walks” is essential for finding these hidden assets.

Conclusion

Implementing ISO 27001 Annex A 5.9 is about visibility. It forces you to map the territory you are trying to defend. By distinguishing between information and the assets that hold it, and by assigning clear ownership, you turn a chaotic pile of tech into a managed, secure ecosystem.

Start with the big rocks (your critical data and major hardware) and refine over time. And if you need a head start, the templates at Hightable.io can provide the structure you need to get audit-ready without reinventing the wheel.

Stuart Barker
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
