ISO 27001 Annex A 5.9 is a security control that mandates the creation and maintenance of an inventory of information and other associated assets. It requires organizations to identify all assets that process or store data, assign ownership, and classify them. The business benefit is comprehensive visibility, which enables effective risk management and prevents data loss through “Shadow IT.”
If you walk into a tech startup today, you won’t see rows of filing cabinets or server racks. You will see people on laptops, wearing noise-canceling headphones, pushing code to the cloud. In this environment, the traditional idea of an “Asset Inventory” feels outdated. You don’t have many physical things to count.
However, your assets are still there; they are just invisible. They are S3 buckets full of customer logs, repositories of proprietary algorithms on GitHub, and API keys connecting your Stripe account to your backend.
ISO 27001 Annex A 5.9 is the control that forces you to visualise this invisible infrastructure. For a tech startup, this isn’t about counting monitors; it is about mapping your survival.
Table of contents
- The Business Case: Why This Actually Matters
- The No-BS Translation: Decoding the Requirement
- DORA, NIS2, and AI Laws
- Why the ISO 27001 Toolkit Trumps SaaS Platforms
- Top 3 Non-Conformities When Using SaaS Platforms
- The “Startup” Asset List: What Actually Counts?
- Step 1: The Great “Shadow IT” Hunt
- Step 2: Assigning Ownership (The “Bus Factor”)
- Step 3: Handling “Ephemeral” Assets
- The Evidence Locker: What the Auditor Needs to See
- Common Pitfalls and Auditor Traps
- Handling Exceptions: The Break Glass Protocol
- The Process Layer: Standard Operating Procedure (SOP)
- Frequently Asked Questions (FAQ)
The Business Case: Why This Actually Matters
You cannot secure what you don’t know you have. Annex A 5.9 is the foundation of your entire security strategy. Without it, you are guessing.
- Sales Angle: Enterprise clients will ask: “Do you maintain a current inventory of all assets processing our data?” If you say “No,” they assume you have lost their data. Annex A 5.9 allows you to say “Yes, and here is exactly where your data lives (e.g., AWS eu-west-2).”
- Risk Angle: The “Zombie Server” Risk. A developer spins up a test server for a demo, opens port 22, and forgets about it. Six months later, it’s unpatched and hacked. An asset inventory process catches this server during the quarterly review, preventing a breach.
The “No-BS” Translation: Decoding the Requirement
The Auditor’s View: “Information and other associated assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.”
The Startup’s View: Create a list of everything that would hurt if it got stolen or deleted. This includes Laptops, Cloud Accounts, SaaS Tools, and Intellectual Property.
For a Founder, this translates to:
- Hardware: MacBooks, YubiKeys.
- Software: The Codebase, The Prod Database.
- SaaS: Slack, Jira, HubSpot (where the data actually lives).
- People: Key personnel are often considered assets in risk assessments.
DORA, NIS2, and AI Laws
Asset management is the first step in regulatory compliance.
- DORA (Fintech): Requires a complete inventory of “ICT Assets” to map dependencies. If you don’t know which server runs your payments API, you cannot comply with DORA’s resilience testing requirements.
- NIS2: Mandates that essential entities know their own network. You must identify all assets to apply the correct “Cyber Hygiene” practices (patching/MFA).
- AI Act: Training Data Sets and Model Weights are now regulated assets. You must inventory them to prove you are managing their quality, bias, and security throughout the lifecycle.
Why the ISO 27001 Toolkit Trumps SaaS Platforms
SaaS platforms promise “Automated Discovery,” but they only discover what they can see via API. They miss the human element.
| Feature | ISO 27001 Toolkit (High Table) | Online SaaS GRC Platform |
|---|---|---|
| Flexibility | Customisable columns for any asset type (e.g., AI Models). | Rigid fields that force you to treat a SaaS tool like a Server. |
| Cost | One-off fee. Unlimited assets. | Often charges per asset or per “integration,” punishing growth. |
| Shadow IT | Encourages human discovery (interviews). | Misses anything not connected to the API (e.g., that random Trello board). |
| Ownership | You keep the Excel/Sheet forever. | If you stop paying, your inventory disappears. |
Top 3 Non-Conformities When Using SaaS Platforms
- The “API Blindspot” Error: The SaaS tool scans AWS and Google Workspace. It misses the Marketing team’s Dropbox account because no API was connected. The auditor finds sensitive data in Dropbox. Fail.
- The “Classification Mismatch” Trap: The SaaS tool auto-classifies everything as “Confidential.” You treat your public website code as “Confidential” in the tool but “Public” in reality. The discrepancy is a non-conformity.
- The “Cost Barrier” Fail: The SaaS tool charges extra for “Asset Discovery” modules. The startup disables it to save money and maintains a manual list that falls out of sync with the tool. Inconsistent records.
The “Startup” Asset List: What Actually Counts?
Don’t waste time inventorying the office coffee machine or mouse pads. Focus on the assets that, if lost or compromised, would kill your company.
- Code & IP: “Monolith Repository (GitHub)” – Owner: CTO.
- Cloud Infra: “AWS Production Environment” – Owner: DevOps Lead.
- SaaS Sprawl: “Slack Workspace” (Internal Comms), “HubSpot” (Customer Data).
- Secrets: “Master Encryption Keys” or “Stripe Production API Keys.”
Step 1: The Great “Shadow IT” Hunt
Start with a discovery phase. Don’t just ask IT. Ask the team leads:
- Marketing: “Where is the email list?” (Mailchimp? Notion?)
- Engineering: “Do we have any test databases running on personal accounts?”
- HR: “Where are the employee contracts?” (Google Drive? DocuSign?)
Step 2: Assigning Ownership (The “Bus Factor”)
Every asset needs an owner. The owner is the person who has the authority to delete it or grant access to it. Do not assign everything to the CEO.
- Production DB: VP of Engineering.
- Sales CRM: Head of Sales.
- Laptop: The Employee using it.
Step 3: Handling “Ephemeral” Assets
A common question: “We spin up dynamic EC2 instances that live for 4 hours. Do I need to log every single one?”
The Answer: No. You inventory the Service or the Group. List “Auto-Scaling Group: Web Servers” as the asset. The individual instances are just temporary manifestations of that asset.
The Evidence Locker: What the Auditor Needs to See
To pass the audit, have these artifacts ready:
- The Asset Inventory: A master spreadsheet or Notion database listing Asset, Owner, Location, and Classification.
- Acceptable Use Policy: Signed by staff, proving they know how to handle assets.
- Return of Assets Log: Evidence that you collected the laptop from the last person who quit.
- Review Evidence: A calendar invite or meeting minute showing you reviewed the inventory quarterly.
Common Pitfalls and Auditor Traps
- Inventorying “The Internet”: Listing “GitHub” as the asset. You don’t own GitHub. List “Our Repositories hosted on GitHub.”
- Ignoring BYOD: If developers use personal Macs for work, those Macs are now “Associated Assets” and must be tracked and secured (e.g., via Intune/Jamf).
- The “One-Time” List: Creating the list for the audit and never updating it. The auditor will ask: “You hired 5 people last month, where are their laptops on this list?”
Handling Exceptions: The Break Glass Protocol
What if you need to use an unapproved asset quickly? (e.g., WeTransfer for a massive file).
- The Trigger: A 50GB file must go to a client, and email cannot carry it.
- The Action: CTO approves use of temporary file transfer tool.
- The Paper Trail: Log it in the “Temporary Asset Register” or Risk Register.
- Cleanup: Verify deletion of the file/account after transfer.
The Process Layer: Standard Operating Procedure (SOP)
Tools: Excel/Notion (Inventory), MDM (Automatic tracking).
- Onboarding: IT provisions laptop -> Adds to MDM -> Adds to Asset Inventory.
- Procurement: New SaaS tool bought -> Finance alerts IT -> Added to Inventory.
- Review: Quarterly, Asset Owners receive a Slack message: “Do we still use Tool X? Is the user list correct?”
- Offboarding: HR triggers exit -> IT wipes laptop -> Updates Inventory to “In Stock.”
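To make Step 3 and the quarterly review in the SOP concrete, here is an added example (not from the article or any ISO 27001 toolkit) that reconciles a register export against a cloud snapshot: auto-scaling instances collapse into one asset, standalone instances that are absent from the register or unpatched for months are flagged as Shadow IT or zombie servers, and entries without an owner are listed. The register rows, snapshot rows, the `Instance: <name>` naming and the 90-day patch threshold are constructed assumptions.

```python
"""Quarterly reconciliation of an Annex A 5.9 asset register against a cloud snapshot.
Added example, not from the article or any ISO 27001 toolkit; both inputs are
constructed inline (register = spreadsheet export, snapshot = cloud/MDM API)."""
from collections import Counter

# Constructed register rows using the article's columns: Asset, Owner, Location,
# Classification. The demo server was added but never given an owner.
REGISTER = [
    {"asset": "Auto-Scaling Group: Web Servers", "owner": "DevOps Lead",
     "location": "AWS eu-west-2", "classification": "Internal"},
    {"asset": "Monolith Repository (GitHub)", "owner": "CTO",
     "location": "GitHub", "classification": "Confidential"},
    {"asset": "Instance: sales-demo", "owner": "",
     "location": "AWS eu-west-2", "classification": "Internal"},
]
# Constructed snapshot: one row per running instance. Ephemeral instances carry
# an "asg" tag naming their group; standalone ones have asg=None.
SNAPSHOT = [
    {"name": "web-1", "asg": "Auto-Scaling Group: Web Servers", "days_since_patch": 3},
    {"name": "web-2", "asg": "Auto-Scaling Group: Web Servers", "days_since_patch": 3},
    {"name": "sales-demo", "asg": None, "days_since_patch": 190},
    {"name": "ml-scratch", "asg": None, "days_since_patch": 120},
]

def collapse(snapshot):
    """Step 3: an auto-scaling group is one asset however many instances it has;
    a standalone instance is its own asset, named 'Instance: <name>'."""
    counts = Counter()
    for inst in snapshot:
        counts[inst["asg"] or f"Instance: {inst['name']}"] += 1
    return counts

def reconcile(register, snapshot, max_patch_age_days=90):
    """Return the findings an owner must act on before the quarterly review closes."""
    known = {row["asset"] for row in register}
    running = collapse(snapshot)
    return {
        # Shadow IT: running in the cloud but absent from the register.
        "untracked": sorted(a for a in running if a not in known),
        # Ownership gap (Step 2): nobody has authority to delete it or grant access.
        "missing_owner": sorted(r["asset"] for r in register if not r["owner"].strip()),
        # Zombie-server signal: standalone instance unpatched past the threshold.
        "zombie": sorted(i["name"] for i in snapshot
                         if i["asg"] is None and i["days_since_patch"] > max_patch_age_days),
    }

if __name__ == "__main__":
    for finding, items in reconcile(REGISTER, SNAPSHOT).items():
        print(f"{finding}: {items or 'none'}")
```

Run it against a real export and the `untracked` list is the input to the Shadow IT hunt in Step 1; `missing_owner` is the list you hand to the team leads in Step 2.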
Frequently Asked Questions (FAQ)
What is ISO 27001 Annex A 5.9 for tech startups?
ISO 27001 Annex A 5.9 requires tech startups to identify, document, and maintain an accurate inventory of information and other associated assets. To achieve 100% compliance, you must ensure all assets—from source code to SaaS subscriptions—have assigned owners and are categorised to protect the organisation’s most critical data assets during rapid scaling.
Which assets must be included in the Annex A 5.9 inventory?
The inventory must include all assets that handle information throughout its lifecycle, encompassing both physical and digital entities. For high-growth tech firms, this typically results in a 100% comprehensive register covering:
- Information Assets: Databases, source code repos, intellectual property, and customer PII.
- Software Assets: SaaS platforms, cloud service instances (AWS/Azure), and development tools.
- Physical Assets: Laptops, servers, and removable media used by distributed teams.
- Services: Outsourced processing services and utilities essential for system uptime.
How does an asset inventory reduce security risks in a startup?
An asset inventory provides 100% visibility of the attack surface, reducing the risk of “Shadow IT” which accounts for approximately 35% of security breaches in unregulated tech environments. By defining asset ownership and classification, startups can ensure that 100% of high-risk assets receive appropriate security controls, preventing costly data leakages and unauthorised access.
What is the best way to maintain an Annex A 5.9 asset register?
The best way to maintain the register is through automated discovery tools integrated into your CI/CD pipeline and MDM software. Manual spreadsheets often have a 40% error rate in fast-moving startups. Using automated tools ensures that 100% of new cloud instances or hardware are logged instantly, reducing manual administrative overhead by roughly 75% per year.
How often should a startup review its asset inventory?
Startups should review their asset inventory at least annually or whenever a significant organisational change occurs, such as a funding round or major product pivot. In high-velocity environments, quarterly reviews are 100% recommended to capture the high churn rate of SaaS tools and hardware, ensuring the Information Security Management System (ISMS) remains accurate for audit purposes.
Conclusion
ISO 27001 Annex A 5.9 isn’t meant to slow you down. It is meant to give you visibility. You can’t secure your startup if you don’t know where your data is. By mapping your SaaS tools, cloud infrastructure, and code repositories using the ISO 27001 Toolkit, you build a map of your digital territory.
