High Table Logo Website

ISO27001:2022

ISO27001 Clauses
ISO 27001 Clause 4.1 Understanding The Organisation And Its Context

ISO 27001 Clause 4.2 Understanding The Needs And Expectations of Interested Parties

ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System

ISO 27001 Clause 4.4 Information Security Management System

ISO 27001 Clause 5.1 Leadership and Commitment

ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities

ISO 27001 Clause 6.1.1 Planning General

ISO 27001 Clause 6.1.2 Information Security Risk Assessment

ISO 27001 Clause 6.1.3 Information Security Risk Treatment

ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them

ISO 27001 Clause 6.3 Planning Of Changes

ISO 27001 Clause 7.1 Resources

ISO 27001:2022 Clause 7.2 Competence

ISO 27001 Clause 7.3 Awareness

ISO 27001 Clause 7.4 Communication

ISO 27001 Clause 7.5.1 Documented Information

ISO 27001 Clause 7.5.2 Creating and Updating Documented Information

ISO 27001 Clause 7.5.3 Control of Documented Information

ISO 27001 Clause 8.1 Operational Planning and Control

ISO 27001 Clause 8.2 Information Security Risk Assessment

ISO 27001 Clause 8.3 Information Security Risk Treatment

ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation

ISO 27001 Clause 9.2 Internal Audit

ISO 27001 Clause 9.3 Management Review

ISO 27001 Clause 10.1 Continual Improvement

ISO 27001 Clause 10.2 Nonconformity and Corrective Action

ISO27001 Organisation Controls

ISO27001 Annex A 5.1 Policies for information security

ISO27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO27001 Annex A 5.3 Segregation of duties

ISO27001 Annex A 5.4 Management responsibilities

ISO27001 Annex A 5.5 Contact with authorities

ISO27001 Annex A 5.6 Contact with special interest groups

ISO27001 Annex A 5.7 Threat intelligence

ISO27001 Annex A 5.8 Information security in project management

ISO27001 Annex A 5.9 Inventory of information and other associated assets

ISO27001 Annex A 5.10 Acceptable use of information and other associated assets

ISO27001 Annex A 5.11 Return of assets

ISO27001 Annex A 5.12 Classification of information

ISO27001 Annex A 5.13 Labelling of information

ISO27001 Annex A Cotrol 5.14 Information transfer

ISO27001 Annex A 5.15 Access control

ISO27001 Annex A 5.16 Identity management

ISO27001 Annex A 5.17 Authentication information

ISO27001 Annex A 5.18 Access rights

ISO27001 Annex A 5.19 Information security in supplier relationships

ISO27001 Annex A 5.20 Addressing information security within supplier agreements

ISO27001 Annex A 5.21 Managing information security in the ICT supply chain

ISO27001 Annex A 5.22 Monitoring, review and change management of supplier services

ISO27001 Annex A 5.23 Information security for use of cloud services

ISO27001 Annex A 5.24 Information security incident management planning and preparation

ISO27001 Annex A 5.25 Assessment and decision on information security events

ISO27001 Annex A 5.26 Response to information security incidents

ISO27001 Annex A 5.27 Learning from information security incidents

ISO27001 Annex A 5.28 Collection of evidence

ISO27001 Annex A 5.29 Information security during disruption

ISO 27001 Annex A Cotrol 5.30 ICT readiness for business continuity

ISO27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO27001 Annex A 5.32 Intellectual property rights

ISO27001 Annex A 5.33 Protection of records

ISO27001 Annex A 5.34 Privacy and protection of PII

ISO27001 Annex A 5.35 Independent review of information security

ISO27001 Annex A 5.36 Compliance with policies and standards for information security

ISO27001 Annex A 5.37 Documented operating procedures

ISO27001 People Controls

ISO27001 Annex A 6.1 Screening

ISO27001 Annex A 6.2 Terms and conditions of employment

ISO27001 Annex A 6.3 Information security awareness, education and training

ISO27001 Annex A 6.4 Disciplinary process

ISO27001 Annex A 6.5 Responsibilities after termination or change of employment

ISO27001 Annex A 6.6 Confidentiality or non-disclosure agreements

ISO27001 Annex A 6.7 Remote working

ISO27001 Annex A 6.8 Information security event reporting

ISO27001 Physical Controls

ISO27001 Annex A 7.1 Physical security perimeter

ISO27001 Annex A 7.2 Physical entry controls

ISO27001 Annex A 7.3 Securing offices, rooms and facilities

ISO27001 Annex A 7.4 Physical security monitoring

ISO27001 Annex A 7.5 Protecting against physical and environmental threats

ISO27001 Annex A 7.6 Working in secure areas

ISO27001 Annex A 7.7 Clear desk and clear screen

ISO27001 Annex A 7.8 Equipment siting and protection

ISO27001 Annex A 7.9 Security of assets off-premises

ISO27001 Annex A 7.10 Storage media

ISO27001 Annex A 7.11 Supporting Utilities

ISO27001 Annex A 7.12 Cabling Security

ISO27001 Annex A 7.13 Equipment Maintenance

ISO27001 Annex A 7.14 Secure Disposal or Re-Use of Equipment

ISO27001 Technical Controls

ISO27001 Annex A 8.1 User Endpoint Devices

ISO27001 Annex A 8.2 Privileged Access Rights

ISO27001 Annex A 8.3 Information Access Restriction

ISO27001 Annex A 8.4 Access To Source Code

ISO27001 Annex A 8.5 Secure Authentication

ISO27001 Annex A 8.6 Capacity Management

ISO27001 Annex A 8.7 Protection Against Malware

ISO27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO27001 Annex A 8.9 Configuration Management 

ISO27001 Annex A 8.10 Information Deletion

ISO27001 Annex A 8.11 Data Masking

ISO27001 Annex A 8.12 Data Leakage Prevention

ISO27001 Annex A 8.13 Information Backup

ISO27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO27001 Annex A 8.15 Logging

ISO27001 Annex A 8.16 Monitoring Activities

ISO27001 Annex A 8.17 Clock Synchronisation

ISO27001 Annex A 8.18 Use of Privileged Utility Programs

ISO27001 Annex A 8.19 Installation of Software on Operational Systems

ISO27001 Annex A 8.20 Network Security

ISO27001 Annex A 8.21 Security of Network Services

ISO27001 Annex A 8.22 Segregation of Networks

ISO27001 Annex A 8.23 Web Filtering

ISO27001 Annex A 8.24 Use of Cryptography

ISO27001 Annex A 8.25 Secure Development Life Cycle

ISO27001 Annex A 8.26 Application Security Requirements

ISO27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO27001 Annex A 8.28 Secure Coding

ISO27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO27001 Annex A 8.30 Outsourced Development

ISO27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO27001 Annex A 8.32 Change Management

ISO27001 Annex A 8.33 Test Information

ISO27001 Annex A 8.34 Protection of information systems during audit testing

ISO 27001 Jumpstart Kit
ISO 27001 Certification Kit
ISO 27001 Consultant Toolkit

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets

ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets

Last updated Aug 31, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Inventory Of Information And Other Associated Assets

Introduction

I am going to show you what ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets is, what’s new, give you ISO 27001 templates, an ISO 27001 toolkit, show you examples, do a walkthrough and show you how to implement it.

I am Stuart Barker the ISO 27001 Ninja and using over 30 years experience on hundreds of ISO 27001 audits and ISO 27001 certifications I show you exactly what changed in the ISO 27001 update and exactly what you need to do for ISO 27001 certification.

Table of contents

ISO 27001 Inventory Of Information And Other Associated Assets

In this ultimate guide to ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets you will learn

  • What is ISO 27001 Asset Management?
  • How to implement Asset Management for ISO 27001

What is ISO 27001 Annex A 5.9?

ISO 27001 Annex A 5.9 Inventory of Information and Other Associated Assets is an ISO 27001 control that requires an organisation to develop and maintain an inventory of information and other associated assets.

We cannot control what we do not know so this clause is about understanding our data and the assets that process, store or transmit it.

ISO 27001 Annex A 5.9 Purpose

The purpose of ISO 27001 Annex A 5.9 is to ensure you identify the organisations information and other associated assets in order to preserve their information security and assign appropriate ownership.

ISO 27001 Annex A 5.9 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.9 as:

An inventory of information and other associated assets, including owners, should be developed and maintained.

ISO 27001:2022 Annex A 5.9 Inventory of information and other associated assets
ISO 27001 Toolkit
Get the ISO 27001 Certification Kit >

Implementation Guide

You are going to have to ensure that

  • information and assets are identified
  • the importance of information and assets is determined
  • information and assets are documented
  • documentation is accurate, up to date and consistent
  • the location of assets is recorded
  • assets are classified
  • ownership of assets is allocated when created or transferred to the organisation and reassigned when current owners leave or change role

Topic specific policy on asset management

You are going to implement a topic specific policy on asset management. You can learn more in our Beginner’s Guide to the Asset Management Policy.

Data Asset Register

You will implement a Data Asset Register.

Physical Asset Register

You will implement a Physical Asset Register that will include virtual machines. You can learn more in our Beginner’s Guide to the Physical Asset Register.

Return of assets

You will implement a process for the return of assets in line with the guidance in ISO 27001 Annex A 5.11 Return of Assets

Acceptable use of assets

You will implement a process for the acceptable use of assets in line with the guidance in ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets.

What about virtual machines?

The standard has been updated to account for virtual machines. It sets out that the level of detail required should be appropriate of the needs of the organisation.

Sometimes it just isn’t feasible to document instances of virtual machines especially if they are short lived as is the case with some virtual machines that can be short lived and have a short duration. That is ok.

Asset Ownership

Assets need to be assigned an owner. The standard allows for ownership to be individuals or groups. Where possible you should try to identify individuals. This can be either named individuals or the job title of the role. By allocating to an individual it will drive more accountability than assigning to a group of people.

What are asset owners duties?

The asset owner is going to be responsible for the management and protection of the asset over its entire lifecycle. They are going to

  • Make sure assets are document and in asset registers
  • Ensure assets have the correct classification and protection
  • Review assets and set intervals which will include access to the asset and the controls protecting the asset
  • Put in place the acceptable use requirements for the asset
  • Be responsible for the correct deletion / disposal of the asset and the documentation recording it including removing from asset registers.
  • Be part of the risk identification and risk management of the assets

Watch the Tutorial

In the video ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets Explained show you how to implement it and how to pass the audit.

ISO 27001 Templates

You can save months of effort and do it yourself with the ISO 27001 Toolkit that take 25 years of experience and distill it in a pack of prewritten best practice awesomeness.

If you would rather have individual topic specific templates then consider

ISO 27001 Asset Management Policy Template
ISO 27001 Data Asset Register Template
ISO 27001 Physical Asset Register Template

How to comply

To comply with ISO 27001 Annex A 5.9 Inventory of information and other associated assets you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  • Establish and document asset inventories
  • Identify, list and document the assets
  • Assign owners to assets
  • Protect and ensure adequate controls for assets based on risk and classification
  • Review asset inventories and access to assets

How to pass the audit

To pass an audit of ISO 27001 Annex A 5.9 Inventory of information and other associated assets you are going to make sure that you have followed the steps above in how to comply.

What will an audit check?

The audit is going to check a number of areas. Lets go through the main ones

1. That you have an inventory of assets

What this means is that you need to show that you have asset inventories in place. It does not need to be one inventory but every asset must be in an inventory.

2. That you have taken action as a result of asset inventories

Your asset registers and asset inventories are going to be living documents with asset owners documented and assigned and the key controls and required components of the registers recorded. The audit will check that reviews are performed and that access to assets has been performed. It will check the implemented and documented controls that protect those assets.

3. That asset inventory forms part of risk management and operations

Your asset register will factor in and evidence risk management. This could be management of the risks associated with assets or the risks that the assets themselves pose.

Top 3 Mistakes People Make

The top 3 Mistakes People Make For ISO 27001 Annex A 5.9 are

1. Your asset register and asset inventory does not include all assets

Remembering the scope is the scope statement and your ISO 27001 scope it is easy to focus on data assets that relate to data protection and miss the wider data assets. Code repositories are a good example. Focusing on productions assets and not considering development and test. Stating that VMS are not assets or are too hard to manage and document.

2. You do not evidence ownership or actions

Be sure owners are assigned and that actions such as access reviews and asset reviews can be evidenced. Do not overlook end of life processes, destruction of assets or when asset owners leave or change role.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

ISO 27001 Certification Strategy Session

ISO 27001 Asset Management FAQ

Is ISO 27001 inventory of information and other associated assets a new ISO 27001 control?

No. The requirements are the same it just expands on what it expects. It replaces ISO 27001:2013 8.1 Responsibility for Assets.

Why is ISO 27001 Annex A 5.9 important?

The purpose of this control is to identify the organisation’s information and other associated assets in order to preserve their information security and assign appropriate ownership.
It is important because inventories of assets allows is to protect those assets. We cannot protect what we do not know.
With an asset inventory we can support risk management, recovery planning and business continuity. Incident management, patch management, end point and antivirus management are all reliant on asset inventories. It may be that they are also required for other purposes. Those purposes could be financial, insurance, health and safety.

What are the 3 types of ISO 27001 assets?

The 3 types of ISO 27001 assets are:
Physical Assets: physical assets that store, process or transmit information
Data Assets: the data and information that is stored, processed or transmitted and flows through the organisation
Virtual Assets: Virtualised machines and virtualised physical devices

When was asset inventories added to ISO 27001?

Asset registers and asset inventories have always been part of ISO 27001 but the numbering was changed and clarification was added as an ISO 27001 control in 2022.

What clause of ISO 27001 covers asset registers/ asset inventories?

ISO 27001 annex A 5.9 covers asset inventories and asset registers.

What clause of ISO 27002 covers asset registers/ asset inventories?

ISO 27002 clause 5.9 covers asset inventories and asset registers.

What is the difference between ISO 27001 annex A 5.9 and ISO 27002 clause 5.9?

Nothing, they are the same thing. ISO 27002 is a standard in its own right and is included as an Annex to the ISO 27001 standard. As such it is often referred to as Annex A but it is a different name for the same thing.

How long will ISO 27001 Annex A 5.9 inventory of assets take me?

That will depend on if you have an asset register and if that asset register is populated. You should have. If not then you need to create an asset register and populate it with assets. Identifying assets will be proportionate to the complexity of your organisation and the maturity of your asset management processes. We have seen this take from days to months to complete.

How much will ISO 27001 Annex A 5.9 inventory of assets cost me?

The main cost will be in the time to identify and inventory the assets and depending on your complexity you should estimate it will take you between a week to several months. Many of the required tools are built into other IT management systems.

What are the requirements of ISO 27001 Annex A 5.9?

The requirements of Annex A 5.9 are divided into the following four areas:
1. Identification of information and other associated assets
2. Classification of information and other associated assets
3. Determination of ownership of information and other associated assets
4. Documentation of the inventory of information and other associated assets

What are the benefits of complying with ISO 27001 Annex A 5.9?

There are many benefits to complying with Annex A 5.9, including:
1. Improved information security
2. Reduced risk of data breaches
3. Increased customer confidence
4. Enhanced compliance with regulations
5. Reduced costs

What are the risks of not complying with ISO 27001 Annex A 5.9?

The risks of not complying with Annex A 5.9 include:
Data breaches
Loss of customer confidence
Regulatory fines
Increased costs

What are the challenges of complying with ISO 27001 Annex A 5.9?

Some of the challenges of complying with Annex A 5.9 include:
The cost of implementing and maintaining an inventory of information and other associated assets
The time and effort required to implement and maintain an inventory of information and other associated assets
The complexity of implementing and maintaining an inventory of information and other associated assets

What are the best practices for complying with ISO 27001 Annex A 5.9?

Some of the best practices for complying with Annex A 5.9 include:
Get senior management support
Use a risk-based approach
Implement a phased approach
Use a qualified ISMS consultant
Keep the inventory up-to-date
Monitor and review the inventory
Continuously improve the inventory

Further Reading

The complete guide to ISO/IEC 27002:2022

ISO 27001 Return of Assets Beginner’s Guide

ISO 27001 Controls and Attribute Values

Control typeInformation
security properties		Cybersecurity
concepts		Operational
capabilities		Security domains
PreventiveConfidentialityIdentifyAsset managementGovernance and Ecosystem
IntegrityProtection
Availability
Tags: Asset Management Availability Confidentiality Governance and Ecosystem Identify Integrity Preventive Protection
Stuart Barker, ISO 27001 expert

Stuart Barker
ISO 27001 Expert and Thought Leader

ISO 27001 Toolkit Business Edition
Stuart Barker, ISO 27001 expert

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.