Inventory of Information and Other Associated Assets is a security control that requires organizations to identify and maintain a comprehensive register of all assets. The primary implementation requirement is assigning owners to ensure accountability, resulting in the business benefit of enhanced risk management and pass-ready audits.
In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.9 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.9 Inventory of Information and Other Associated Assets
ISO 27001 Annex A 5.9 requires organizations to develop and maintain an inventory of all information and other associated assets, including the assignment of owners. This control is based on a simple but critical security principle: “You cannot protect what you do not know.” By identifying every physical device, software application, and data set within your scope, you create the foundation for risk management, incident response, and lifecycle management.
Core requirements for compliance include:
- Identification of 3 Asset Types: You must inventory three specific categories:
  - Physical Assets: Laptops, servers, networking hardware, and removable media.
  - Information/Data Assets: Customer databases, intellectual property, financial records, and source code.
  - Virtual Assets: Cloud instances, virtual machines (VMs), and software-as-a-service (SaaS) subscriptions.
- Assignment of Ownership: Every asset must have an assigned “Owner.” The owner is responsible for ensuring the asset is correctly classified, reviewed periodically, and securely disposed of at the end of its life.
- Accuracy and Consistency: The inventory must be a “living document.” It must be updated whenever new assets are created, transferred, or decommissioned.
- Location Tracking: You must record where assets are located, whether in a physical office, a specific data center, or a cloud region.
- Asset Classification: Each asset in the inventory should be linked to your Information Classification scheme (e.g., Public, Internal, Confidential).
Audit Focus: Auditors will look for “The Ghost Asset”:
- Sample Verification: An auditor will pick a random laptop in the office and ask: “Show me this device in your Physical Asset Register. Who is the owner?”
- SaaS/Cloud Shadow IT: “How do you ensure that a new SaaS tool purchased by the Marketing department is added to your Information Asset Register?”
- Termination Check: “When an employee leaves, how do you use the asset inventory to ensure 100% of their physical and virtual assets are returned or revoked?”
Asset Register Components (Audit Prep):
| Asset Category | Example Items | Required Evidence | ISO 27001 Action | ISO 27001:2022 Control |
|---|---|---|---|---|
| Physical | Laptops, Servers, USBs. | Serial Number, Location. | Physical Security (A.7). | Annex A 7.1, 7.10 |
| Information | Customer DB, Source Code. | Data Classification level. | Access Control (A.5.15). | Annex A 5.12, 5.15 |
| Virtual | AWS Instances, SaaS Tools. | Instance ID, Admin Owner. | Cloud Security (A.5.23). | Annex A 5.23, 8.15 |
| Software | OS, Licensed Apps. | Version, License Expiry. | Configuration (A.8.9). | Annex A 8.9, 8.19 |
Table of contents
- What is ISO 27001 Annex A 5.9?
- Watch the ISO 27001 Annex A 5.9 Tutorial
- ISO 27001 Annex A 5.9 Podcast
- ISO 27001 Annex A 5.9 Implementation Guidance
- How to implement ISO 27001 Annex A 5.9
- ISO 27001 Annex A 5.9 Implementation Checklist
- How to audit ISO 27001 Annex A 5.9
- ISO 27001 Annex A 5.9 Audit Checklist
- ISO 27001 Templates
- How to comply
- How to pass the ISO 27001 Annex A 5.9 audit
- What will an audit check?
- Top 3 ISO 27001 Annex A 5.9 Mistakes People Make and How to Avoid Them
- Applicability of ISO 27001 Annex A 5.9 across different business models.
- Fast Track ISO 27001 Annex A 5.9 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.9 Applicable Laws and Related Standards
- ISO 27001 Annex A 5.9 FAQ
- ISO 27001 Related Controls and Further Reading
- ISO 27001 Controls and Attribute Values
What is ISO 27001 Annex A 5.9?
ISO 27001 Annex A 5.9 is about the inventory of assets, which means you need a list of the physical and information assets you hold so that you know what needs to be protected.
ISO 27001 Annex A 5.9 Inventory of Information and Other Associated Assets is an ISO 27001 control that requires an organisation to develop and maintain an inventory of information and other associated assets.
We cannot control what we do not know so this clause is about understanding our data and the assets that process, store or transmit it.
ISO 27001 Annex A 5.9 Purpose
The purpose of ISO 27001 Annex A 5.9 is to ensure you identify the organisation’s information and other associated assets in order to preserve their information security and assign appropriate ownership.
ISO 27001 Annex A 5.9 Definition
The ISO 27001 standard defines ISO 27001 Annex A 5.9 as:
An inventory of information and other associated assets, including owners, should be developed and maintained.
ISO 27001:2022 Annex A 5.9 Inventory of information and other associated assets
Watch the ISO 27001 Annex A 5.9 Tutorial
In the video ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets Explained, I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 5.9 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 5.9 Implementation Guidance
You are going to have to ensure that
- information and assets are identified
- the importance of information and assets is determined
- information and assets are documented
- documentation is accurate, up to date and consistent
- the location of assets is recorded
- assets are classified
- ownership of assets is allocated when created or transferred to the organisation and reassigned when current owners leave or change role
Topic specific policy on asset management
You are going to implement a topic specific policy on asset management. You can learn more in our Beginner’s Guide to the Asset Management Policy.
Data Asset Register
You will implement a Data Asset Register.
Physical Asset Register
You will implement a Physical Asset Register that will include virtual machines. You can learn more in our Beginner’s Guide to the Physical Asset Register.
Return of assets
You will implement a process for the return of assets in line with the guidance in ISO 27001 Annex A 5.11 Return of Assets.
Acceptable use of assets
You will implement a process for the acceptable use of assets in line with the guidance in ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets.
What about virtual machines?
The standard has been updated to account for virtual machines. It sets out that the level of detail required should be appropriate to the needs of the organisation.
Sometimes it just isn’t feasible to document individual instances of virtual machines, especially when they are short lived, as some virtual machines are. That is ok.
Asset Ownership
Assets need to be assigned an owner. The standard allows for ownership to be individuals or groups. Where possible you should try to identify individuals. This can be either named individuals or the job title of the role. By allocating to an individual it will drive more accountability than assigning to a group of people.
What are asset owners’ duties?
The asset owner is going to be responsible for the management and protection of the asset over its entire lifecycle. They are going to
- Make sure assets are documented and in asset registers
- Ensure assets have the correct classification and protection
- Review assets at set intervals, which will include access to the asset and the controls protecting the asset
- Put in place the acceptable use requirements for the asset
- Be responsible for the correct deletion / disposal of the asset and the documentation recording it including removing from asset registers.
- Be part of the risk identification and risk management of the assets
How to implement ISO 27001 Annex A 5.9
Implementing Annex A 5.9 requires a systematic approach to identifying and documenting every asset that supports your Information Security Management System (ISMS). Following these steps ensures that protection levels remain proportionate to the value and risk of each specific asset, satisfying the core requirements of ISO 27001.
1. Define the Asset Taxonomy and Scope
- Identify all categories of assets including hardware, software, information, and outsourced services.
- Establish clear boundaries for what constitutes an asset within the ISMS scope.
- Result: A comprehensive classification framework that ensures no critical data or hardware is overlooked during the inventory process.
2. Assign Formal Asset Ownership
- Designate an individual owner for every identified asset or asset group.
- Define the owner’s responsibilities for classification, access authorisation, and periodic reviews.
- Result: Clear accountability for the protection and maintenance of assets throughout their operational life.
3. Build a Centralised Asset Register
- Create a single source of truth, such as a database or spreadsheet, to host all asset records.
- Ensure the register is accessible to relevant security personnel but protected against unauthorised modification.
- Result: A searchable, managed repository that facilitates rapid incident response and risk assessment.
4. Classify Information and Associated Assets
- Apply classification labels based on the sensitivity and value of the information stored on or processed by the asset.
- Align these labels with your organisational Information Classification Policy.
- Result: The application of security controls that are commensurate with the asset’s importance to the business.
5. Document Technical Metadata and Physical Location
- Record specific technical details including serial numbers, software versions, and physical or logical locations.
- Include cloud service regions for virtual assets to satisfy data residency requirements.
- Result: Granular visibility into the technical environment, enabling better patch management and physical security.
6. Link Assets to IAM Roles and Access Governance
- Map each asset to specific Identity and Access Management (IAM) roles and groups.
- Enforce Multi-Factor Authentication (MFA) for assets containing highly sensitive or “Confidential” information.
- Result: A hardened security posture where access is restricted based on the principle of least privilege.
7. Manage Mobile and Removable Media Assets
- Include laptops, mobile phones, and encrypted USB drives in the inventory.
- Track the issuance of these devices to specific employees or contractors.
- Result: Reduced risk of data loss from portable devices and improved tracking of hardware outside the office.
8. Formalise the Asset Lifecycle and ROE
- Develop a Record of Equipment (ROE) to track assets from procurement to decommissioning.
- Implement secure disposal procedures to ensure all data is wiped before hardware leaves the organisation.
- Result: An auditable trail of asset movement that prevents “ghost” assets from remaining in the register.
9. Map Asset Dependencies to Business Processes
- Identify which business processes rely on specific assets to function.
- Document dependencies between hardware, software, and the data they process.
- Result: Enhanced Business Continuity Planning (BCP) and more accurate Business Impact Analysis (BIA).
10. Schedule Periodic Reconciliations and Audits
- Conduct quarterly or annual physical and logical audits to verify the accuracy of the register.
- Update the inventory immediately following significant changes or infrastructure migrations.
- Result: Continuous compliance with Annex A 5.9 and a reliable foundation for the internal audit process.
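The following is an added example, not code from this page or from the High Table toolkit, showing how steps 2 to 5 and the owner duties above can be enforced in a small register rather than left to a spreadsheet convention: every record must carry a unique ID, a category from the taxonomy, a classification from the organisation’s scheme, an owner and a location; ownership is reassigned when an owner leaves; decommissioning is recorded with its evidence; and assets whose review is older than the interval are reported. The asset IDs, names, people, locations and the 365-day review interval are constructed assumptions.

```python
"""Added example: a minimal Annex A 5.9 asset register with the checks an auditor
applies. All assets, owners and dates below are constructed sample data."""

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed taxonomy and classification scheme (align with your own policies).
CATEGORIES = ("Physical", "Information", "Virtual", "Software")
CLASSIFICATIONS = ("Public", "Internal", "Confidential")
REVIEW_INTERVAL = timedelta(days=365)  # assumed: review evidenced at least annually


@dataclass
class Asset:
    asset_id: str            # unique register ID, e.g. PHY-0001
    name: str
    category: str
    owner: str               # named individual or job title
    classification: str
    location: str            # office, data centre or cloud region
    last_review: Optional[date] = None
    history: list = field(default_factory=list)  # audit trail of changes


class AssetRegister:
    def __init__(self) -> None:
        self._assets: dict = {}

    def add(self, asset: Asset, when: date) -> None:
        """Reject records an auditor would flag instead of silently storing them."""
        if asset.asset_id in self._assets:
            raise ValueError(f"duplicate asset id: {asset.asset_id}")
        if asset.category not in CATEGORIES:
            raise ValueError(f"{asset.asset_id}: unknown category {asset.category!r}")
        if asset.classification not in CLASSIFICATIONS:
            raise ValueError(f"{asset.asset_id}: classification not in scheme")
        if not asset.owner.strip():
            raise ValueError(f"{asset.asset_id}: every asset needs an owner")
        if not asset.location.strip():
            raise ValueError(f"{asset.asset_id}: location must be recorded")
        asset.history.append(f"{when}: registered, owner={asset.owner}")
        self._assets[asset.asset_id] = asset

    def get(self, asset_id: str) -> Asset:
        return self._assets[asset_id]

    def review(self, asset_id: str, when: date) -> None:
        """Owner's periodic review of the asset, its access and its controls."""
        a = self._assets[asset_id]
        a.last_review = when
        a.history.append(f"{when}: reviewed by {a.owner}")

    def reassign_owner(self, leaver: str, new_owner: str, when: date) -> list:
        """Leaver step: move every asset the leaver owns and record the change."""
        moved = []
        for a in self._assets.values():
            if a.owner == leaver:
                a.history.append(f"{when}: owner {leaver} -> {new_owner}")
                a.owner = new_owner
                moved.append(a.asset_id)
        return moved

    def decommission(self, asset_id: str, when: date, evidence: str) -> Asset:
        """Remove the asset from the live register, keeping the disposal evidence."""
        a = self._assets.pop(asset_id)
        a.history.append(f"{when}: decommissioned, evidence={evidence}")
        return a

    def overdue_reviews(self, as_of: date) -> list:
        """Assets never reviewed, or reviewed longer ago than REVIEW_INTERVAL."""
        return sorted(
            a.asset_id for a in self._assets.values()
            if a.last_review is None or as_of - a.last_review > REVIEW_INTERVAL
        )


def build_sample_register() -> AssetRegister:
    """Constructed sample data: three assets, one of which has been reviewed."""
    reg = AssetRegister()
    start = date(2024, 1, 15)
    reg.add(Asset("PHY-0001", "Dell laptop", "Physical", "A. Example",
                  "Confidential", "London office"), start)
    reg.add(Asset("INF-0001", "Customer database", "Information", "Head of Sales",
                  "Confidential", "AWS eu-west-2"), start)
    reg.add(Asset("VRT-0001", "Build runner VM", "Virtual", "A. Example",
                  "Internal", "Azure uksouth"), start)
    reg.review("INF-0001", date(2025, 3, 1))
    return reg


def run_leaver_scenario() -> dict:
    """A. Example leaves, a VM is decommissioned, then the register is checked."""
    reg = build_sample_register()
    results = {}
    results["moved"] = reg.reassign_owner("A. Example", "B. Example", date(2025, 6, 1))
    results["new_owner"] = reg.get("PHY-0001").owner
    reg.decommission("VRT-0001", date(2025, 6, 2), "wipe certificate CONSTRUCTED-001")
    results["overdue"] = reg.overdue_reviews(date(2025, 6, 3))
    try:  # an asset with no owner must never reach the register
        reg.add(Asset("INF-0002", "Orphan share", "Information", "",
                      "Internal", "On-prem file server"), date(2025, 6, 3))
        results["rejected_missing_owner"] = False
    except ValueError:
        results["rejected_missing_owner"] = True
    return results


if __name__ == "__main__":
    print(run_leaver_scenario())
```

The `history` list on each asset is what turns the register into the auditable trail the steps call for: an auditor sampling PHY-0001 can see when it was registered, when ownership moved and why, without a separate change log.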
ISO 27001 Annex A 5.9 Implementation Checklist
This implementation checklist for ISO 27001 Annex A 5.9 provides a structured approach to identifying, documenting, and managing information assets. By following these 10 steps, organisations can ensure full visibility of their technical estate and maintain a robust Asset Register as required for formal certification.
| Step | Requirement | Implementation Example |
|---|---|---|
| 1 | Define Asset Scope | Documenting all physical hardware, licensed software, and proprietary data within the ISMS boundaries. |
| 2 | Establish Taxonomy | Creating categories for assets such as “Cloud Services”, “On-premise Servers”, and “Mobile Devices”. |
| 3 | Assign Ownership | Formalising the Head of IT as the owner of core infrastructure and Department Heads as data owners. |
| 4 | Build Asset Register | Developing a centralised database or secure spreadsheet containing unique IDs for every information asset. |
| 5 | Identify Metadata | Recording serial numbers, software versions, physical locations, and data residency regions. |
| 6 | Classify Assets | Labelling assets as ‘Confidential’ or ‘Public’ based on the sensitivity of the information they process. |
| 7 | Track Lifecycles | Using a Record of Equipment (ROE) to log assets from initial procurement to secure decommissioning. |
| 8 | Map Dependencies | Visualising which business processes rely on specific databases or third-party SaaS applications. |
| 9 | Enforce Access | Linking assets to IAM roles and ensuring Multi-Factor Authentication (MFA) is active for sensitive assets. |
| 10 | Audit & Reconcile | Conducting quarterly spot checks to verify that the physical inventory matches the digital Asset Register. |
How to audit ISO 27001 Annex A 5.9
Auditing Annex A 5.9 requires a rigorous examination of how an organisation identifies, tracks, and manages its information assets. As a Lead Auditor, I look for evidence that the inventory is not merely a static document but a living record that accurately reflects the technical and operational landscape of the business. Use the following steps to verify compliance and ensure asset accountability.
1. Review the Asset Management Policy and Governance
- Examine the formal policy to ensure it defines the scope of assets, including hardware, software, information, and cloud services.
- Verify that the policy has been approved by management and communicated to all relevant stakeholders.
- Result: Confirmation that a structured framework exists to govern the identification and protection of assets.
2. Inspect the Master Asset Register for Completeness
- Evaluate the central Asset Register to ensure it captures mandatory fields such as asset name, description, and location.
- Check that the inventory includes intangible assets, such as intellectual property and proprietary data, alongside physical hardware.
- Result: Assurance that the organisation has a single source of truth for its information security environment.
3. Validate Individual Asset Ownership and Accountability
- Sample items from the register to verify that a specific individual or role is assigned as the formal asset owner.
- Confirm that owners understand their responsibilities for classification and periodic access reviews.
- Result: Evidence of clear accountability for the lifecycle and security of each documented asset.
4. Audit the Record of Equipment (ROE) and Procurement Links
- Cross-reference the Asset Register with procurement records and Record of Equipment (ROE) logs to identify “ghost” assets.
- Verify that new purchases are automatically triggered for inclusion in the inventory during the provisioning phase.
- Result: Proof that the inventory process is integrated into the wider organisational procurement lifecycle.
5. Examine Identification and Unique Labelling Protocols
- Assess the methods used to uniquely identify assets, such as serial numbers, asset tags, or digital identifiers.
- Verify that logical assets, like databases or virtual machines, are uniquely identified within system management tools.
- Result: Assurance that assets can be specifically identified during incident response or maintenance activities.
6. Verify Mobile Device and Removable Media Tracking
- Review the specific controls for tracking high-risk portable assets like laptops, mobile phones, and encrypted USB drives.
- Check the issuance logs to ensure these assets are mapped to specific employees or contractors.
- Result: Mitigation of data loss risks through strict oversight of portable and removable equipment.
7. Analyse Virtual and Cloud-Based Asset Listings
- Inspect the inventory of cloud-based assets, including SaaS subscriptions, IaaS instances, and PaaS environments.
- Verify that cloud assets are reviewed with the same level of scrutiny as physical, on-site hardware.
- Result: Comprehensive visibility into the modern, distributed technical stack and associated security risks.
8. Assess Asset Classification and IAM Alignment
- Verify that each asset in the inventory is assigned a classification level in accordance with the Information Classification Policy.
- Check that access to high-value assets is governed by Identity and Access Management (IAM) roles and enforced via MFA.
- Result: Confirmation that security controls are proportionate to the sensitivity and value of the information.
9. Perform Physical and Logical Spot Checks
- Conduct “floor-to-list” and “list-to-floor” audits by physically verifying hardware or logically checking software versions.
- Note any discrepancies between the observed state and the data recorded in the Asset Register.
- Result: Real-world validation of the accuracy and integrity of the asset management system.
10. Review Reconciliation and Maintenance Records
- Examine evidence of periodic inventory reconciliations to ensure the register is updated following disposals or migrations.
- Check for exception reports that identify missing or unauthorised assets within the network.
- Result: Demonstration of a mature, continuously monitored process that maintains compliance with ISO 27001 requirements.
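As an added example (not from this page or the High Table toolkit), this script performs the “list-to-floor” and “floor-to-list” reconciliation of audit steps 9 and 10 and produces the exception report step 10 asks for: ghost assets (in the register, not observed), unregistered assets (observed, not in the register), location mismatches, and assets marked decommissioned that are still present. The register export and the observed inventory (a floor walk plus a cloud instance listing) are constructed sample data; the column names and status values are assumptions.

```python
"""Added example: reconcile an Annex A 5.9 asset register against what was
actually observed, reporting exceptions. All data below is constructed."""

import csv
import io

# Constructed register export. 'identifier' is the serial number or cloud
# instance ID that can be matched against something observed in the field.
REGISTER_CSV = """asset_id,identifier,category,owner,location,status
PHY-0001,SN-AAA111,Physical,A. Example,London office,in-use
PHY-0002,SN-BBB222,Physical,B. Example,London office,in-use
PHY-0003,SN-CCC333,Physical,B. Example,Manchester office,decommissioned
VRT-0001,i-0a1b2c3d4e5f67890,Virtual,C. Example,eu-west-2,in-use
VRT-0002,i-0fedcba987654321,Virtual,C. Example,eu-west-1,in-use
"""

# Constructed observations: asset tags read during the floor walk and instance
# IDs returned by a cloud inventory listing, each with where it was found.
OBSERVED = {
    "SN-AAA111": "London office",        # matches the register
    "SN-CCC333": "Manchester office",    # recorded as decommissioned, still present
    "i-0a1b2c3d4e5f67890": "eu-west-1",  # running in a different region than recorded
    "i-0123456789abcdef0": "eu-west-2",  # running instance with no register entry
}


def load_register(text: str) -> dict:
    """Parse the register export into {identifier: row} for matching."""
    return {row["identifier"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(register: dict, observed: dict) -> dict:
    """Return the exception report from both directions of the check."""
    report = {"ghost": [], "unregistered": [], "location_mismatch": [], "not_disposed": []}
    # list-to-floor: every register entry should be found where it is recorded
    for ident, row in register.items():
        seen_at = observed.get(ident)
        if row["status"] == "decommissioned":
            if seen_at is not None:
                report["not_disposed"].append(row["asset_id"])
            continue
        if seen_at is None:
            report["ghost"].append(row["asset_id"])
        elif seen_at != row["location"]:
            report["location_mismatch"].append((row["asset_id"], row["location"], seen_at))
    # floor-to-list: everything observed should have a register entry
    for ident in observed:
        if ident not in register:
            report["unregistered"].append(ident)
    for findings in report.values():
        findings.sort()
    return report


def run_sample() -> dict:
    return reconcile(load_register(REGISTER_CSV), OBSERVED)


if __name__ == "__main__":
    for finding, items in run_sample().items():
        print(f"{finding}: {items}")
```

Each list in the report maps to an owner action: ghost entries need either a located asset or a disposal record, unregistered identifiers need an owner and a register entry before they are allowed to stay, and a not-disposed entry means the end-of-life process stopped at the paperwork.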
ISO 27001 Annex A 5.9 Audit Checklist
This ISO 27001 Annex A 5.9 audit checklist provides a professional framework for Lead Auditors to verify the identification, ownership, and lifecycle management of information assets. By executing these checks, organisations can demonstrate that their asset inventory is accurate, comprehensive, and fully integrated into their wider Information Security Management System (ISMS).
| Item | What to Check | Audit Evidence Example | GRC Platform Check |
|---|---|---|---|
| 1 | Asset Management Policy | Review the formal policy for asset identification and classification rules. | Policy module status: Published and Approved. |
| 2 | Inventory Completeness | Verify that hardware, software, information, and cloud services are listed. | Asset Register module export or dashboard view. |
| 3 | Ownership Accountability | Sample assets to ensure a named individual is assigned as the formal owner. | Owner field populated for 100% of ‘Critical’ assets. |
| 4 | Asset Classification | Confirm that assets are labelled according to the Information Classification Policy. | Classification attribute linked to asset ID. |
| 5 | Location Accuracy | Verify the physical or logical location of sampled infrastructure or data stores. | Location or Cloud Provider field verified in GRC. |
| 6 | Mobile Device Tracking | Audit the list of issued laptops and mobile devices against HR records. | Employee equipment mapping report. |
| 7 | Cloud & SaaS Inventory | Ensure third-party services and virtual instances are captured in the inventory. | SaaS vendor list reconciled with the Asset Register. |
| 8 | Maintenance & Review | Look for evidence of periodic (e.g. annual) inventory reconciliation audits. | Audit log or task completion record for ‘Asset Review’. |
| 9 | Disposal Logs | Review certificates of destruction for decommissioned hardware or media. | Evidence uploaded to the ‘Disposal’ or ‘Task’ module. |
| 10 | IAM Integration | Verify that asset access is linked to Identity and Access Management roles. | Role-based access control (RBAC) mapping linked to assets. |
ISO 27001 Templates
You can save months of effort and do it yourself with the ISO 27001 Toolkit, which takes 25 years of experience and distills it into a pack of prewritten best practice awesomeness.
If you would rather have individual topic specific templates then consider
How to comply
To comply with ISO 27001 Annex A 5.9 Inventory of information and other associated assets you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:
- Establish and document asset inventories
- Identify, list and document the assets
- Assign owners to assets
- Protect and ensure adequate controls for assets based on risk and classification
- Review asset inventories and access to assets
How to pass the ISO 27001 Annex A 5.9 audit
To pass an audit of ISO 27001 Annex A 5.9 Inventory of information and other associated assets you are going to make sure that you have followed the steps above in how to comply.
What will an audit check?
The audit is going to check a number of areas. Let’s go through the main ones.
1. That you have an inventory of assets
What this means is that you need to show that you have asset inventories in place. It does not need to be one inventory but every asset must be in an inventory.
2. That you have taken action as a result of asset inventories
Your asset registers and asset inventories are going to be living documents, with asset owners documented and assigned and the key controls and required components of the registers recorded. The audit will check that asset reviews and access reviews have been performed. It will check the implemented and documented controls that protect those assets.
3. That asset inventory forms part of risk management and operations
Your asset register will factor in and evidence risk management. This could be management of the risks associated with assets or the risks that the assets themselves pose.
Top 3 ISO 27001 Annex A 5.9 Mistakes People Make and How to Avoid Them
The top 3 Mistakes People Make For ISO 27001 Annex A 5.9 are
1. Your asset register and asset inventory does not include all assets
Remembering that the scope is your ISO 27001 scope statement, it is easy to focus on the data assets that relate to data protection and miss the wider set of data assets. Code repositories are a good example. Other common gaps are focusing on production assets and not considering development and test, and stating that VMs are not assets or are too hard to manage and document.
2. You do not evidence ownership or actions
Be sure owners are assigned and that actions such as access reviews and asset reviews can be evidenced. Do not overlook end of life processes, destruction of assets or when asset owners leave or change role.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no leftover comments are all good practices.
Applicability of ISO 27001 Annex A 5.9 across different business models.
| Business Type | Applicability & Interpretation | Examples of Control |
|---|---|---|
| Small Businesses | Physical & Data Lists. You likely don’t need automated discovery tools. Compliance is achieved by maintaining a simple Excel “Asset Register” listing laptops and key folders (e.g., “HR Sharepoint”). | • The Laptop List: A spreadsheet tracking Serial Numbers, assigned Owners, and Return Dates for all physical hardware. • Information Assets: Listing major data repositories (e.g., “Xero – Financial Data”, “OneDrive – Client Contracts”) and assigning a specific owner to each. |
| Tech Startups | Virtual & SaaS Inventory. Your assets are mostly in the cloud. Auditors expect an inventory of “Virtual Assets” (AWS Instances, S3 Buckets) and “SaaS Subscriptions” to prevent Shadow IT. | • Cloud Tagging: Using AWS/Azure Resource Tags (e.g., |
| AI Companies | Model & Dataset Provenance. Assets include intangible IP. You must inventory not just code, but specific “Model Checkpoints,” “Training Datasets,” and “API Keys” as distinct assets. | • Model Registry: A catalog listing every deployed model version (e.g., v1.2), its training data source, and the responsible Data Scientist. • Dataset Tracking: treating large training sets as individual assets with defined retention periods and ownership (e.g., “Common Crawl 2023 – Owned by Research Team”). |
Fast Track ISO 27001 Annex A 5.9 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.9 (Inventory of information and other associated assets), the requirement is to develop and maintain an inventory of all physical and information assets, including their owners. This is the foundation of your entire security system, you cannot protect what you do not know you have.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Inventory Ownership | Rents access to your asset records; if you cancel the subscription, your documented asset history and ownership logs vanish. | Permanent Assets: Fully editable Word/Excel Data and Physical Asset Registers that you own and host forever. | A localized “Physical Asset Register” containing serial numbers, purchase dates, and assigned hardware owners. |
| Governance Utility | Attempts to “automate” discovery via APIs that cannot assign accountability or ensure virtual machines are correctly classified. | Governance-First: Provides the framework to formalize existing technical lists (AWS, Azure) into an auditor-ready format. | A “Data Asset Register” proving that critical datasets (e.g., Customer DB) have been identified and assigned to a C-level owner. |
| Cost Efficiency | Charges an “Asset Count Tax” or “Node Fee” that scales costs aggressively as your infrastructure and data sets expand. | One-Off Fee: A single payment covers your inventory governance for 10 assets or 10,000, with zero recurring overhead. | Allocating budget to actual infrastructure security rather than monthly “compliance dashboard” fees for simple list-making. |
| Strategic Freedom | Mandates rigid categorization formats that often fail to align with unique data structures or specialized virtual environments. | 100% Agnostic: Procedures adapt to your environment—from high-density data centers to purely virtual, remote-first teams. | The ability to evolve your asset management strategy (e.g., adding lifecycle destruction logs) without a rigid SaaS middleman. |
Summary: For Annex A 5.9, the auditor wants to see that you have a formal inventory of all assets and that owners have been assigned to each one. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.9 Applicable Laws and Related Standards
Mapping ISO 27001 Annex A 5.9 to global regulations and industry frameworks is a critical exercise for any multi-compliance Information Security Management System (ISMS). This alignment ensures that your asset inventory serves as the foundational data source for GDPR, NIS2, and DORA requirements, reducing administrative duplication and providing a unified view of your risk landscape. As a Lead Auditor, I look for these cross-mappings to verify that the organisation understands how asset visibility underpins legal and regulatory resilience.
| Framework / Law | Reference Clause | Mapping Context and Requirement |
|---|---|---|
| GDPR / UK Data (Use and Access) Act 2025 | Article 30 (ROPA) | Requires a Record of Processing Activities, which necessitates an inventory of all information assets containing personal data. |
| NIS2 / UK Cyber Security and Resilience Bill | Article 21 / Asset Management | Mandates asset management as a core risk management measure for essential and important entities, including managed service providers. |
| DORA (Digital Operational Resilience Act) | Article 8 (ICT Asset Management) | Financial entities must maintain an updated inventory of ICT assets and map their dependencies to critical business functions. |
| NIST CSF 2.0 | ID.AM-01, ID.AM-02 | Focuses on identifying physical devices, platforms, and software within the organisation to manage cybersecurity risks. |
| SOC2 (TSC 2017) | CC6.1 (Logical Access) | Controls over the identification of internal and external information assets to ensure appropriate access levels are granted. |
| HIPAA Security Rule | 45 CFR § 164.308(a)(1) | Requires organisations to identify where Electronic Protected Health Information (ePHI) is created, received, maintained, or transmitted. |
| CCPA / CPRA (California) | Section 1798.100 | Necessitates data mapping and inventorying to facilitate consumer requests for data deletion, access, and “do not sell” mandates. |
| EU AI Act / AI Standards | Article 11 (Documentation) | High-risk AI systems must be inventoried and documented with technical specifications, including the data assets used for training. |
| CIRCIA (USA) / UK Reporting Bill | 72-Hour Reporting Mandate | Accurate incident reporting requires an immediate understanding of which assets were impacted and their classification levels. |
| EU Product Liability Directive (PLD) | Software as a Product | Extends strict liability to software, requiring providers to maintain an inventory of software versions and dependencies for flaw tracking. |
ISO 27001 Annex A 5.9 FAQ
What is ISO 27001 Annex A 5.9?
ISO 27001 Annex A 5.9 is an organisational control that requires an organisation to identify and maintain an inventory of information and other associated assets to ensure continued protection.
- Mandates the creation of a formal Asset Register.
- Includes digital data, physical hardware, software, and intangible assets.
- Requires assets to be accurately categorised and assigned to an owner.
- Ensures the organisation understands its attack surface and risk profile.
Is an Asset Register mandatory for ISO 27001?
Yes, maintaining an accurate inventory of information assets is a mandatory requirement for ISO 27001:2022 compliance under control 5.9.
- Auditors will expect to see a documented Information Asset Register (IAR).
- Failure to track assets is often cited as a major non-conformity.
- It serves as the foundation for Annex A 5.12 (Classification) and Annex A 5.10 (Acceptable Use).
- Without an inventory, an organisation cannot prove it has identified all relevant security risks.
What items should be included in an ISO 27001 inventory?
An ISO 27001 inventory must include all assets that store, process, or transmit sensitive organisational information.
- Information Assets: Databases, system documentation, and intellectual property.
- Software Assets: Application software, system software, and development tools.
- Physical Assets: Laptops, servers, mobile devices, and removable media.
- Services: Cloud services (SaaS/PaaS) and outsourced utilities.
Who is responsible for the inventory of assets?
The ultimate responsibility for maintaining the inventory lies with the organisation, but day-to-day accountability is assigned to individual Asset Owners.
- Management must ensure that roles and responsibilities are clearly defined.
- Asset Owners are responsible for the classification and protection of their assigned assets.
- IT teams typically manage the technical tracking of hardware and software.
- Compliance officers ensure the inventory is reviewed and updated periodically.
How often should an Information Asset Register be updated?
The Asset Register should be updated in real-time as assets are commissioned or decommissioned, with a formal review occurring at least annually.
- Changes should be captured during the “Joiner, Mover, Leaver” (JML) process.
- Updates are required following major infrastructure changes or software migrations.
- Quarterly reviews are considered best practice for high-growth organisations.
- Annual audits ensure that “shadow IT” or orphaned assets are identified and removed.
What is the difference between an Asset Register and a Configuration Management Database (CMDB)?
The primary difference is that an Asset Register focuses on ownership and security value (ISO 27001), while a CMDB focuses on technical relationships and service management (ITIL).
- Asset Register: Tracks who owns the data and its classification level.
- CMDB: Tracks how a server connects to a database and its technical configuration.
- Integration: Many organisations use their CMDB to automatically populate the technical portions of their Asset Register.
ISO 27001 Related Controls and Further Reading
- How to Implement ISO 27001:2022 Annex A 5.9: Inventory of Information and Other Associated Assets
- How to Audit ISO 27001:2022 Annex A 5.9: Inventory of Information and Other Associated Assets
- ISO 27001 Return of Assets Beginner’s Guide
- ISO 27001:2022 Annex A 5.9 for Small Business: You Can’t Protect What You Can’t See
- ISO 27001:2022 Annex A 5.9 for AI Companies: Where Are Your Models?
- ISO 27001:2022 Annex A 5.9 for Tech Startups: Taming the SaaS Chaos
ISO 27001 Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Identify | Asset management | Governance and Ecosystem, Protection |