Table of contents
ISO 27001 Inventory Of Information And Other Associated Assets
I am going to show you what’s new, give you ISO 27001 templates, an ISO 27001 toolkit, show you examples and do a walkthrough of ISO 27001 Annex A 5.9 Inventory of information and other associated assets.
I am Stuart Barker the ISO 27001 Ninja and using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.
What is it?
ISO 27001 Annex A 5.9 Inventory of Information and Other Associated Assets is an ISO 27001 control that requires an organisation to develop and maintain an inventory of information and other associated assets.
We cannot control what we do not know so this clause is about understanding our data and the assets that process, store or transmit it.
Annex A 5.9 is a preventive control that ensures you identify the organisations information and other associated assets in order to preserve their information security and assign appropriate ownership.
The ISO 27001 standard defines ISO 27001 Annex A 5.9 as:
An inventory of information and other associated assets, including owners, should be developed and maintained.ISO 27001:2022 Annex A 5.9 Inventory of information and other associated assets
DO IT YOURSELF ISO27001
STOP SPANKING £10,000s
You are going to have to ensure that
- information and assets are identified
- the importance of information and assets is determined
- information and assets are documented
- documentation is accurate, up to date and consistent
- the location of assets is recorded
- assets are classified
- ownership of assets is allocated when created or transferred to the organisation and reassigned when current owners leave or change role
Topic specific policy on asset management
Data Asset Register
You will implement a Data Asset Register.
Physical Asset Register
Return of assets
You will implement a process for the return of assets in line with the guidance in ISO 27001 Annex A 5.11 Return of Assets
Acceptable use of assets
You will implement a process for the acceptable use of assets in line with the guidance in ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets.
What about virtual machines?
The standard has been updated to account for virtual machines. It sets out that the level of detail required should be appropriate of the needs of the organisation.
Sometimes it just isn’t feasible to document instances of virtual machines especially if they are short lived as is the case with some virtual machines that can be short lived and have a short duration. That is ok.
Assets need to be assigned an owner. The standard allows for ownership to be individuals or groups. Where possible you should try to identify individuals. This can be either named individuals or the job title of the role. By allocating to an individual it will drive more accountability than assigning to a group of people.
What are asset owners duties?
The asset owner is going to be responsible for the management and protection of the asset over its entire lifecycle. They are going to
- Make sure assets are document and in asset registers
- Ensure assets have the correct classification and protection
- Review assets and set intervals which will include access to the asset and the controls protecting the asset
- Put in place the acceptable use requirements for the asset
- Be responsible for the correct deletion / disposal of the asset and the documentation recording it including removing from asset registers.
- Be part of the risk identification and risk management of the assets
You can save months of effort and do it yourself with the ISO 27001 Toolkit that take 25 years of experience and distill it in a pack of prewritten best practice awesomeness.
If you would rather have individual topic specific templates then consider
How to comply
To comply with ISO 27001 Annex A 5.9 Inventory of information and other associated assets you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:
- Establish and document asset inventories
- Identify, list and document the assets
- Assign owners to assets
- Protect and ensure adequate controls for assets based on risk and classification
- Review asset inventories and access to assets
How to pass an audit
To pass an audit of ISO 27001 Annex A 5.9 Inventory of information and other associated assets you are going to make sure that you have followed the steps above in how to comply.
You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.
What will an audit check?
The audit is going to check a number of areas. Lets go through the main ones
1. That you have an inventory of assets
What this means is that you need to show that you have asset inventories in place. It does not need to be one inventory but every asset must be in an inventory.
2. That you have taken action as a result of asset inventories
Your asset registers and asset inventories are going to be living documents with asset owners documented and assigned and the key controls and required components of the registers recorded. The audit will check that reviews are performed and that access to assets has been performed. It will check the implemented and documented controls that protect those assets.
3. That asset inventory forms part of risk management and operations
Your asset register will factor in and evidence risk management. This could be management of the risks associated with assets or the risks that the assets themselves pose.
Top 3 Mistakes People Make
The top 3 Mistakes People Make For ISO 27001 Annex A 5.9 are
1. Your asset register and asset inventory does not include all assets
Remembering the scope is the scope statement and your ISO 27001 scope it is easy to focus on data assets that relate to data protection and miss the wider data assets. Code repositories are a good example. Focusing on productions assets and not considering development and test. Stating that VMS are not assets or are too hard to manage and document.
2. You do not evidence ownership or actions
Be sure owners are assigned and that actions such as access reviews and asset reviews can be evidenced. Do not overlook end of life processes, destruction of assets or when asset owners leave or change role.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
No. The requirements are the same it just expands on what it expects. It replaces ISO 27001:2013 8.1 Responsibility for Assets.
The purpose of this control is to identify the organisation’s information and other associated assets in order to preserve their information security and assign appropriate ownership.
It is important because inventories of assets allows is to protect those assets. We cannot protect what we do not know.
With an asset inventory we can support risk management, recovery planning and business continuity. Incident management, patch management, end point and antivirus management are all reliant on asset inventories. It may be that they are also required for other purposes. Those purposes could be financial, insurance, health and safety.
The 3 types of ISO 27001 assets are:
Physical Assets: physical assets that store, process or transmit information
Data Assets: the data and information that is stored, processed or transmitted and flows through the organisation
Virtual Assets: Virtualised machines and virtualised physical devices
Asset registers and asset inventories have always been part of ISO 27001 but the numbering was changed and clarification was added as an ISO 27001 control in 2022.
ISO 27001 annex A 5.9 covers asset inventories and asset registers.
ISO 27002 clause 5.9 covers asset inventories and asset registers.
Nothing, they are the same thing. ISO 27002 is a standard in its own right and is included as an Annex to the ISO 27001 standard. As such it is often referred to as Annex A but it is a different name for the same thing.
That will depend on if you have an asset register and if that asset register is populated. You should have. If not then you need to create an asset register and populate it with assets. Identifying assets will be proportionate to the complexity of your organisation and the maturity of your asset management processes. We have seen this take from days to months to complete.
The main cost will be in the time to identify and inventory the assets and depending on your complexity you should estimate it will take you between a week to several months. Many of the required tools are built into other IT management systems.
The requirements of Annex A 5.9 are divided into the following four areas:
1. Identification of information and other associated assets
2. Classification of information and other associated assets
3. Determination of ownership of information and other associated assets
4. Documentation of the inventory of information and other associated assets
There are many benefits to complying with Annex A 5.9, including:
1. Improved information security
2. Reduced risk of data breaches
3. Increased customer confidence
4. Enhanced compliance with regulations
5. Reduced costs
The risks of not complying with Annex A 5.9 include:
Loss of customer confidence
Some of the challenges of complying with Annex A 5.9 include:
The cost of implementing and maintaining an inventory of information and other associated assets
The time and effort required to implement and maintain an inventory of information and other associated assets
The complexity of implementing and maintaining an inventory of information and other associated assets
Some of the best practices for complying with Annex A 5.9 include:
Get senior management support
Use a risk-based approach
Implement a phased approach
Use a qualified ISMS consultant
Keep the inventory up-to-date
Monitor and review the inventory
Continuously improve the inventory
Yes, there is an online ISO 27001 at ISO 27001 Online.
Get the Help of the ISO 27001 Ninja
Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster that you ever thought possible.
Controls and Attribute Values
|Governance and Ecosystem