In this ultimate guide to auditing ISO 27001 Annex A 5.9 Inventory of Information and Other Associated Assets, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Asset Inventory Comprehensive Scope Verified
- 2. Asset Ownership Accountability Documented
- 3. Information Categorisation and Classification Attributes Present
- 4. Asset Physical and Logical Location Recorded
- 5. Asset Criticality and Business Value Assigned
- 6. Inventory Accuracy Review Records Identified
- 7. Asset Lifecycle Status Tracking Confirmed
- 8. Interdependency Mapping Documentation Present
- 9. Inventory Accessibility and Access Control Validated
- 10. Integration with Incident Management Evidence Confirmed
Auditing ISO 27001 Annex A 5.9 Inventory of Assets validates the integrity of an organisation’s asset management framework. The audit confirms the primary implementation requirement: identifying, classifying, and assigning ownership to all information assets. The business benefit is accountability and effective risk management, because the inventory gives the organisation a comprehensive view of its attack surface.
1. Asset Inventory Comprehensive Scope Verified
Verification Criteria: The inventory encompasses all asset types including physical hardware, software, information/data, services, and intangible assets (e.g., intellectual property).
Required Evidence: A central Asset Register or Inventory Database showing distinct categorisation for diverse asset types.
Pass/Fail Test: If the inventory only lists hardware (laptops/servers) but omits critical data sets or cloud services, mark as Non-Compliant.
2. Asset Ownership Accountability Documented
Verification Criteria: Every entry in the asset inventory is assigned to a specific individual or role responsible for its protection throughout its lifecycle.
Required Evidence: “Owner” or “Custodian” column in the Asset Register with named personnel, linked to the current organisational chart.
Pass/Fail Test: If assets are assigned to generic departments (e.g., “The IT Team”) rather than a specific accountable role or individual, mark as Non-Compliant.
3. Information Categorisation and Classification Attributes Present
Verification Criteria: Assets are tagged with a classification level (e.g., Confidential, Restricted) that aligns with the organisation’s Information Classification Policy.
Required Evidence: Asset Register entries displaying classification labels for all information-bearing assets.
Pass/Fail Test: If information assets are listed without a corresponding security classification label, mark as Non-Compliant.
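The three pass/fail tests above can be run mechanically over an exported Asset Register. The following is an added Python example, not code from the article or the toolkit; the CSV columns, the list of generic owner names, the set of information-bearing asset types and the policy labels are all assumptions for a constructed register:

```python
import csv
import io

# Constructed sample Asset Register (assumed columns; not data from any real organisation).
SAMPLE_REGISTER = """\
asset_id,name,asset_type,owner,classification
A-001,Finance file server,Hardware,Jane Doe (Head of Finance),Confidential
A-002,Payroll database,Information,Payroll Manager,
A-003,HR SaaS tenant,Service,The IT Team,Restricted
A-004,Customer contract archive,Information,Legal Counsel,Confidential
A-005,Source code repository,Information,Lead Developer,Top Secret
"""

REQUIRED_TYPES = {"Hardware", "Software", "Information", "Service", "Intangible"}  # step 1
INFO_BEARING_TYPES = {"Information", "Service", "Software"}  # step 3: assumed information-bearing types
POLICY_LABELS = {"Public", "Internal", "Confidential", "Restricted"}  # step 3: assumed policy labels
GENERIC_OWNERS = {"", "it", "the it team", "it team", "it department", "finance", "hr", "tbd"}  # step 2

def load_register(text):
    """Parse the register CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def check_scope(rows):
    """Step 1: asset types absent from the register (empty list = pass)."""
    return sorted(REQUIRED_TYPES - {r["asset_type"].strip() for r in rows})

def check_ownership(rows):
    """Step 2: assets owned by a generic department rather than a named role or person."""
    return [r["asset_id"] for r in rows if r["owner"].strip().lower() in GENERIC_OWNERS]

def check_classification(rows):
    """Step 3: information-bearing assets with a missing label or one not in the policy."""
    return [r["asset_id"] for r in rows
            if r["asset_type"].strip() in INFO_BEARING_TYPES
            and r["classification"].strip() not in POLICY_LABELS]

def audit(text):
    """Run the three pass/fail tests; any finding makes that step Non-Compliant."""
    rows = load_register(text)
    findings = {"1_scope_missing_types": check_scope(rows),
                "2_generic_owners": check_ownership(rows),
                "3_unclassified_assets": check_classification(rows)}
    verdict = {k: "Non-Compliant" if v else "Compliant" for k, v in findings.items()}
    return findings, verdict

if __name__ == "__main__":
    findings, verdict = audit(SAMPLE_REGISTER)
    for step, result in verdict.items():
        print(f"{step}: {result} {findings[step]}")
```

On the constructed register every step fails: no Software or Intangible assets are listed, A-003 is owned by "The IT Team", and A-002 and A-005 carry no policy-aligned label.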