ISO 27001 Annex A 5.9 Audit Checklist

Auditing ISO 27001 Annex A 5.9 (Inventory of information and other associated assets) validates the integrity of an organisation’s asset management framework. The audit confirms the primary implementation requirement: that every information asset is identified, classified, and assigned an accountable owner. The business benefit is accountability and effective risk management, because a complete inventory gives the organisation a comprehensive view of its own attack surface.

This technical verification tool is designed for lead auditors to confirm the integrity and completeness of the organisation’s asset management framework. Use this checklist to validate compliance with ISO 27001 Annex A 5.9 (Inventory of information and other associated assets) by ensuring all information assets are identified, categorised, and assigned to accountable owners.

1. Asset Inventory Comprehensive Scope Verified

Verification Criteria: The inventory encompasses all asset types including physical hardware, software, information/data, services, and intangible assets (e.g., intellectual property).

Required Evidence: A central Asset Register or Inventory Database showing distinct categorisation for diverse asset types.

Pass/Fail Test: If the inventory only lists hardware (laptops/servers) but omits critical data sets or cloud services, mark as Non-Compliant.

2. Asset Ownership Accountability Documented

Verification Criteria: Every entry in the asset inventory is assigned to a specific individual or role responsible for its protection throughout its lifecycle.

Required Evidence: “Owner” or “Custodian” column in the Asset Register with named personnel, linked to the current organisational chart.

Pass/Fail Test: If assets are assigned to generic departments (e.g., “The IT Team”) rather than a specific accountable role or individual, mark as Non-Compliant.

3. Information Categorisation and Classification Attributes Present

Verification Criteria: Assets are tagged with a classification level (e.g., Confidential, Restricted) that aligns with the organisation’s Information Classification Policy.

Required Evidence: Asset Register entries displaying classification labels for all information-bearing assets.

Pass/Fail Test: If information assets are listed without a corresponding security classification label, mark as Non-Compliant.

4. Asset Physical and Logical Location Recorded

Verification Criteria: The inventory specifies the physical location (for hardware) or the logical hosting environment/region (for cloud services/data).

Required Evidence: Location fields in the inventory (e.g., “London Data Centre”, “AWS Ireland Region”, “Office Cabinet A”).

Pass/Fail Test: If the location for cloud-hosted data is listed generically as “The Internet” or is entirely missing, mark as Non-Compliant.

5. Asset Criticality and Business Value Assigned

Verification Criteria: Each asset has a defined business value or criticality rating based on the impact of loss of confidentiality, integrity, or availability.

Required Evidence: A “Criticality Score” or “Business Impact” rating within the asset management system.

Pass/Fail Test: If the auditor cannot identify which assets are “Mission Critical” via the inventory filter, mark as Non-Compliant.

6. Inventory Accuracy Review Records Identified

Verification Criteria: Evidence exists of periodic reconciliations or audits of the inventory to ensure it reflects the actual environment.

Required Evidence: Records of the most recent asset audit, “Last Verified” timestamps on individual entries, or Management Review minutes discussing inventory accuracy.

Pass/Fail Test: If the inventory contains assets that were retired over 6 months ago or lacks entries for recently acquired assets, mark as Non-Compliant.

7. Asset Lifecycle Status Tracking Confirmed

Verification Criteria: The inventory tracks the current state of assets (e.g., Active, In Maintenance, In Storage, Decommissioned).

Required Evidence: A “Status” field for each asset with an audit trail of status changes.

Pass/Fail Test: If assets marked as “Disposed” lack a corresponding disposal record or destruction certificate linked to the inventory ID, mark as Non-Compliant.

8. Interdependency Mapping Documentation Present

Verification Criteria: Critical assets are mapped to the business processes or services they support, enabling impact analysis during incidents.

Required Evidence: A Service Mapping diagram or a “Dependency” field in the Asset Register linking assets to specific business functions.

Pass/Fail Test: If a server is listed but no one in the organisation can identify which business service or data set resides on it, mark as Non-Compliant.

9. Inventory Accessibility and Access Control Validated

Verification Criteria: Access to modify the Asset Register is restricted to authorised personnel, while read access is provided to those requiring it for ISMS duties.

Required Evidence: Access Control List (ACL) or permission report for the asset management tool/spreadsheet.

Pass/Fail Test: If the Asset Register is stored on a shared drive with “Full Control” permissions for all staff, mark as Non-Compliant.

10. Integration with Incident Management Evidence Confirmed

Verification Criteria: The asset inventory is used as a reference point during security incidents to identify the impact and relevant owners.

Required Evidence: Incident reports from the last 12 months that explicitly reference Asset IDs or classification levels from the inventory.

Pass/Fail Test: If incident response records show that the security team struggled to identify the owner of an affected asset, mark as Non-Compliant.
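Several of the pass/fail tests above can be run mechanically over an exported Asset Register before the auditor samples entries by hand. The following added example (not part of the original checklist) applies checks 2, 3, 4, 6 and 7 to a constructed CSV export; the column names and the 180-day staleness window are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export of an Asset Register; column names are assumptions.
REGISTER_CSV = """asset_id,name,type,owner,classification,location,status,last_verified,disposal_record
A-001,HR database,information,Jane Doe (HR Director),Confidential,AWS Ireland Region,Active,2024-03-01,
A-002,Finance laptop,hardware,The IT Team,Restricted,Office Cabinet A,Active,2024-02-15,
A-003,Customer data lake,information,Bob Lee (Data Owner),,Cloud,Active,2023-06-01,
A-004,Old file server,hardware,Sam Roe (Infra Lead),Internal,London Data Centre,Disposed,2024-03-20,
"""

# Values that indicate a generic department or a non-specific location (check 2 and check 4)
GENERIC_OWNERS = {"the it team", "it", "it department", "unassigned", ""}
GENERIC_LOCATIONS = {"cloud", "the internet", ""}

def audit_register(csv_text, today_iso, stale_days=180):
    """Return a dict of asset_id -> list of non-compliance findings (empty dict = all pass)."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        # Check 2: owner must be a named individual or role, not a generic department
        if row["owner"].strip().lower() in GENERIC_OWNERS:
            issues.append("generic or missing owner")
        # Check 3: information-bearing assets must carry a classification label
        if row["type"] == "information" and not row["classification"].strip():
            issues.append("missing classification")
        # Check 4: location must name a site or cloud region, not "Cloud" or "The Internet"
        if row["location"].strip().lower() in GENERIC_LOCATIONS:
            issues.append("generic or missing location")
        # Check 6: the entry must have been verified within the review window
        verified = date.fromisoformat(row["last_verified"])
        if today - verified > timedelta(days=stale_days):
            issues.append(f"last verified over {stale_days} days ago")
        # Check 7: a disposed asset needs a linked disposal record or destruction certificate
        if row["status"] == "Disposed" and not row["disposal_record"].strip():
            issues.append("disposed without destruction certificate")
        if issues:
            findings[row["asset_id"]] = issues
    return findings

if __name__ == "__main__":
    for asset, issues in audit_register(REGISTER_CSV, "2024-04-01").items():
        print(asset, "NON-COMPLIANT:", "; ".join(issues))
```

Any asset that appears in the returned dict is a candidate non-compliance for the auditor to confirm against the evidence listed for that check.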

ISO 27001 Annex A 5.9 SaaS / GRC Platform Failure Checklist

Asset Identification

The ‘Checkbox Compliance’ Trap: GRC tool automatically imports a list of users and laptops from MDM/LDAP and marks the step “Complete”.

The Reality Check: Auditor must verify “Information Assets” (e.g. intellectual property, paper records) that cannot be auto-detected by an API.

Ownership

The ‘Checkbox Compliance’ Trap: SaaS tool defaults the person who set up the integration as the “Owner” of all assets.

The Reality Check: Verify that the assigned owner is the Business Owner who understands the data’s value, not a junior IT administrator.

Classification

The ‘Checkbox Compliance’ Trap: The platform bulk-tags all imported assets as “Confidential” by default.

The Reality Check: Sample 5 assets; verify that the classification level on the screen matches the actual sensitivity of the data they contain.

Location Accuracy

The ‘Checkbox Compliance’ Trap: Tool lists “Cloud” as the location for all virtual machines.

The Reality Check: Verify that the specific geographic region (e.g. UK South) is recorded to ensure compliance with data residency laws.

Asset Disposal

The ‘Checkbox Compliance’ Trap: Deleting a row in the SaaS tool is treated as “Secure Disposal”.

The Reality Check: Demand a physical Destruction Certificate or Media Sanitisation Log for any hardware removed from the digital inventory.

Accuracy Review

The ‘Checkbox Compliance’ Trap: The “Last Synced” date of the API is used as evidence of an asset review.

The Reality Check: Verify minutes from a physical or logical reconciliation meeting where owners confirmed they still hold the assets.

Intangible Assets

The ‘Checkbox Compliance’ Trap: GRC tool ignores anything without a MAC address or Serial Number.

The Reality Check: Identify where the organisation records “Knowledge Assets” or “Trade Secrets” vital to its ISMS scope.

About the author

Stuart Barker (ISO 27001 Ninja)

MSc Security, Lead Auditor, 30+ years’ experience, ex-GE leader

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
