In this guide, I will show you exactly how small businesses and SMEs can implement ISO 27001:2022 Annex A 5.9 Inventory of information and other associated assets without the enterprise-level complexity. You will get a complete walkthrough of the control tailored for organizations with limited resources, along with practical examples and access to ISO 27001 templates that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience auditing businesses of all sizes. I will cut through the jargon to show you exactly what changed in the 2022 update and provide the plain-English advice you need to get your small business certified.
Key Takeaways: ISO 27001 Annex A 5.9 Inventory of Information and Other Associated Assets (SME Edition)
For Small and Medium-sized Enterprises (SMEs), ISO 27001 Annex A 5.9 is the foundation of your entire security strategy. The principle is simple: “You cannot protect what you do not know you have.” In a small business, assets are often scattered across personal laptops, cloud services (SaaS), and USB drives. This control forces you to hunt down these “Shadow IT” assets and create a single, unified register. Without this, you are flying blind.
Core requirements for compliance include:
- The “Discovery” Phase: You must actively hunt for assets. Send a survey to your Sales, Marketing, and Dev teams to find out what tools they are actually using (e.g., that random AI tool marketing signed up for).
- Beyond Hardware: Do not just list laptops. The 2022 update explicitly prioritises Information (e.g., customer databases) and Services (e.g., AWS accounts, Slack workspaces) over just physical kit.
- The Ownership Rule: Every single asset must have a named human “Owner”. This is not always IT. The Sales Director owns the CRM data; IT just maintains the server it sits on.
- Lifecycle Management: An inventory is a living document. You must link it to your onboarding and offboarding processes. When a new hire starts, add their laptop. When they leave, check the list to ensure you get it back.
- Avoid Over-Granularity: Be pragmatic. You do not need to log every mouse and HDMI cable. Only log items that would hurt the business if they were lost, stolen, or broken.
Audit Focus: Auditors will look for “The Reality Check”:
- Completeness: “I see you use Dropbox for file sharing, but it is not on your asset register. Why?”
- Ownership Clarity: “Who owns this ‘Financial Data’ asset? If I ask them, will they know they are responsible for its security?”
- Shadow IT: “How do you ensure new SaaS tools are added to this list when employees sign up for them?”
SME Asset Inventory Matrix (Audit Prep):
| Asset Category | Definition | SME Examples |
| --- | --- | --- |
| Information | Data valuable to the business. | Customer Lists, Code Repositories, HR Records. |
| Physical | Hardware you can touch. | Laptops, Servers, Mobile Phones, Access Fobs. |
| Software | Licences and installed apps. | Office 365, Adobe Creative Cloud, Antivirus. |
| Services (Cloud) | SaaS subscriptions. | AWS, Salesforce, Xero, Slack, Trello. |
Table of contents
- What is ISO 27001 Annex A 5.9 Actually for SMEs?
- The “Small Business” Asset List
- Step 1: Discovery (The Treasure Hunt)
- Step 2: Build the Register
- Step 3: The “Ownership” Rule
- Step 4: Maintenance (The Lifecycle)
- Top 3 ISO 27001 Annex A 5.9 Mistakes SMEs Make and How to Avoid Them
- Fast Track ISO 27001 Annex A 5.9 Compliance for SMEs with the ISO 27001 Toolkit
- Conclusion
What is ISO 27001 Annex A 5.9 Actually for SMEs?
The standard requires you to develop and maintain an inventory of information and other associated assets, including their owners.
This sounds bureaucratic, but it is actually just good housekeeping. It asks you to answer three questions for every valuable thing you own:
- What is it? (The Asset)
- Where is it? (The Location)
- Who is responsible for it? (The Owner)
The “Small Business” Asset List
In a large enterprise, asset management is complex. In a small business, you need to be pragmatic. You don’t need to log every mouse, keyboard, and HDMI cable. You need to log the things that would hurt you if they were lost, stolen, or broken.
Your inventory should generally cover these four categories:
1. Information Assets
This is the big one. Databases, customer lists, HR records, financial spreadsheets, and intellectual property.
Example: “The EU Customer Database.”
2. Physical Assets
Laptops, servers, mobile phones, and physical access keys.
Example: “MacBook Pro – Serial #XYZ – Assigned to Dave.”
3. Software Assets
The licenses you pay for and the applications you use.
Example: “Adobe Creative Cloud License” or “Windows 11 Enterprise.”
4. Services (Cloud Assets)
This is huge for startups. Your SaaS subscriptions are assets.
Example: “AWS Production Account” or “Salesforce Instance.”
Step 1: Discovery (The Treasure Hunt)
You can’t build the list from your desk. You need to hunt.
Send a simple survey to your team leads (Sales, Dev, Ops) and ask: “What tools and data do you use every day to do your job?”
You will be surprised. You will find out that Marketing is using a random AI tool you’ve never heard of, or that Sales is keeping a backup of client data on a USB drive. Finding this “Shadow IT” is the most valuable part of the process.
Step 2: Build the Register
You do not need to buy expensive Asset Management software. For a business with fewer than 100 people, a spreadsheet is perfectly fine.
Create a spreadsheet with these columns:
- Asset ID: (Give it a number, e.g., INFO-001)
- Name: (What is it?)
- Type: (Hardware/Software/Info)
- Format/Location: (e.g., Cloud, Head Office, Filing Cabinet)
- Owner: (The human responsible)
- Classification: (Confidential/Internal/Public)
If you want to save time and ensure you have all the columns an auditor looks for, Hightable.io provides excellent ISO 27001 toolkits. Their Asset Inventory templates are pre-formatted to handle the “Associated Assets” requirements of the 2022 standard, helping you get organized in minutes.
Step 3: The “Ownership” Rule
Every asset needs an Owner. This is where small businesses often fail.
The Trap: Assigning everything to “IT.”
The Reality: IT looks after the server (the container), but the Sales Director owns the CRM Data (the information).
The Owner is the person who decides who gets access to the asset and how it should be protected. If the Sales Director leaves, you need to know who the new owner of that data is immediately.
Step 4: Maintenance (The Lifecycle)
An inventory is only useful if it is accurate. A list from 2019 is worse than no list at all because it gives you a false sense of security.
Link your inventory to your Onboarding and Offboarding processes.
- New Hire? Update the inventory with the laptop they received.
- Employee Left? Check the inventory to see what they need to return and what accounts need closing.
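A small register checker, added here as an example and not part of the article or of any toolkit: it reads a register laid out with the Step 2 columns (the rows are constructed sample data), flags the Step 3 trap of generic or missing owners along with other gaps an auditor would raise, and produces the Step 4 offboarding list for a leaver. The asset ID format and the allowed Type and Classification values are assumptions.

```python
import csv
import io
import re

# Columns follow the register described in Step 2; the rows are constructed samples.
REGISTER_CSV = """Asset ID,Name,Type,Format/Location,Owner,Classification
INFO-001,EU Customer Database,Info,Cloud (CRM),Sales Director,Confidential
HW-001,MacBook Pro - Serial XYZ,Hardware,Head Office,Dave,Internal
SW-001,Adobe Creative Cloud License,Software,Cloud,IT,Internal
SVC-001,AWS Production Account,Service,Cloud,Dave,Confidential
SVC-002,Trello board,Service,Cloud,,Internal
"""

ID_PATTERN = re.compile(r"^[A-Z]{2,4}-\d{3}$")          # assumed INFO-001 style
VALID_TYPES = {"Hardware", "Software", "Info", "Service"}  # assumed set
VALID_CLASSES = {"Confidential", "Internal", "Public"}
# Owners that fall into the "assign everything to IT" trap from Step 3.
GENERIC_OWNERS = {"", "it", "it department", "tbc", "tbd", "n/a"}

def load_register(text):
    return list(csv.DictReader(io.StringIO(text)))

def validate_register(rows):
    """Return (asset_id, problem) findings an auditor would raise."""
    findings = []
    seen = set()
    for row in rows:
        aid = row["Asset ID"].strip()
        if not ID_PATTERN.match(aid):
            findings.append((aid, "asset id not in the INFO-001 style"))
        if aid in seen:
            findings.append((aid, "duplicate asset id"))
        seen.add(aid)
        if row["Type"].strip() not in VALID_TYPES:
            findings.append((aid, "unknown type"))
        if row["Classification"].strip() not in VALID_CLASSES:
            findings.append((aid, "unknown classification"))
        if row["Owner"].strip().lower() in GENERIC_OWNERS:
            findings.append((aid, "no named human owner"))
    return findings

def offboarding_checklist(rows, leaver):
    """Assets to recover or reassign when `leaver` departs (Step 4)."""
    return [r["Asset ID"] for r in rows if r["Owner"].strip().lower() == leaver.lower()]

if __name__ == "__main__":
    register = load_register(REGISTER_CSV)
    for aid, problem in validate_register(register):
        print(f"{aid or '<blank id>'}: {problem}")
    print("Dave is leaving; review:", offboarding_checklist(register, "Dave"))
```

Run it each time the sheet is exported, or wire it into the offboarding checklist so the leaver's assets are listed before their last day.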
Top 3 ISO 27001 Annex A 5.9 Mistakes SMEs Make and How to Avoid Them
- Over-Granularity: Listing every stapler and monitor. Focus on assets that store or process data.
- Ignoring SaaS: Forgetting that your Trello board or Slack workspace is a critical information asset.
- Confusing “Custodian” with “Owner”: The IT guy is the custodian (he patches the server); the CFO is the Owner (she cares if the financial data is lost).
Fast Track ISO 27001 Annex A 5.9 Compliance for SMEs with the ISO 27001 Toolkit
For Small Businesses and SMEs, ISO 27001 Annex A 5.9 (Inventory of information and other associated assets) addresses the fundamental security principle: you cannot protect what you do not know you have. This control requires you to map out your “digital kingdom” by identifying information, physical hardware, software, and cloud services, and crucially, assigning an owner to each.
While SaaS compliance platforms often try to sell you “automated asset discovery” or complex “inventory management modules”, they cannot actually find “Shadow IT” like a random AI tool used by Marketing or ensure your Sales Director accepts responsibility for CRM data. Those are human governance and discovery tasks. The High Table ISO 27001 Toolkit is the logical choice for SMEs because it provides the asset framework you need without a recurring subscription fee.
1. Ownership: You Own Your Asset Register Forever
SaaS platforms act as a middleman for your compliance evidence. If you define your assets and store your inventory inside their proprietary system, you are essentially renting your own organizational roadmap.
- The Toolkit Advantage: You receive the Asset Inventory Template and Asset Management Policy in fully editable Word and Excel formats. These files are yours forever. You maintain permanent ownership of your records, such as your specific history of hardware assignments and cloud subscriptions, ensuring you are always ready for an audit without an ongoing “rental” fee.
2. Simplicity: Governance for Pragmatic Housekeeping
Annex A 5.9 is about good housekeeping. You do not need a complex new software interface to manage what a well-structured spreadsheet already does perfectly for a business with fewer than 100 people.
- The Toolkit Advantage: SMEs need to be pragmatic and avoid “over-granularity” like listing every monitor. What they need is the governance layer to prove to an auditor that critical data has a human owner. The Toolkit provides pre-formatted templates that handle the “Associated Assets” requirements of the 2022 standard, without forcing your team to learn a new software platform just to log a new SaaS subscription.
3. Cost: A One-Off Fee vs. The “Asset Count” Tax
Many compliance SaaS platforms charge more based on the number of “tracked assets”, “endpoints”, or “user seats”. For an SME, these monthly costs can scale aggressively for very little added value.
- The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you track 50 assets or 500, the cost of your Asset Documentation remains the same. You save your budget for actual security tools rather than an expensive compliance dashboard.
4. Freedom: No Vendor Lock-In for Your Security Foundation
SaaS tools often mandate specific ways to report on and monitor “asset lifecycles”. If their system does not match your unique business flow or specialized industry requirements, such as unique hardware serial tracking, the tool becomes a bottleneck to efficiency.
- The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Inventory Procedures to match exactly how you operate, whether you use simple manual audits or advanced discovery scripts. You maintain total freedom to evolve your security foundation without being constrained by the technical limitations of a rented SaaS platform.
Summary: For SMEs, the auditor wants to see a clear inventory that answers “What is it?”, “Where is it?”, and “Who owns it?”. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
Conclusion
ISO 27001 Annex A 5.9 is the foundation of your security system. It forces you to map out your digital kingdom so you can build walls around the right things.
Start simple. Get the big items on a sheet, assign owners, and keep it alive. If you need a head start, check out the resources at Hightable.io to get your Asset Register audit-ready today.