Inventory of assets is a governance requirement under ISO 27001 Annex A 5.9 for identifying and categorising organisational resources. Maintaining a formal asset register is the primary implementation requirement; it gives the organisation complete visibility of its risk and helps prevent unauthorised data access throughout each asset's lifecycle.
What is Inventory of assets?
An asset inventory is a detailed list of all the things a company owns. Think of it like a treasure map for a business’s stuff, but instead of ‘X marks the spot,’ the map shows exactly what each item is, where it is, and who’s in charge of it. This includes everything from computers and software to office furniture and important documents. Keeping this list up-to-date helps a company know what it has and where everything is.
Examples
- Computers: This includes laptops, desktops, and servers. Each entry would list the computer’s name, its location, and the person who uses it.
- Software: This list would include all the programs a company has, like word processors, design tools, and security software.
- Data: This is a record of important information, such as customer lists and financial reports. It’s important to know where this data is stored and who can access it.
Context
An asset inventory is a key part of asset management, which is the process of keeping track of and managing a company’s assets. It’s super important for things like figuring out what equipment needs to be replaced, making sure a business has enough insurance, and keeping its information safe. Without a good inventory, a business might not know if something is missing or if it’s being used incorrectly. This can lead to problems like lost items or security risks.
How to implement Inventory of assets
Implementing a robust inventory of assets is a mandatory requirement for ISO 27001 compliance, specifically under Annex A 5.9. As a Lead Auditor, I can confirm that you cannot protect what you do not know you have. This 10-step technical roadmap ensures that every piece of hardware, software, and data is accounted for, assigned to an owner, and protected throughout its lifecycle to satisfy rigorous audit criteria.
1. Provision a Centralised Asset Register Template
Establish a primary database or spreadsheet to act as the single source of truth for all organisational assets. This structure ensures consistency across departments and facilitates seamless reporting during external audits. Key requirements include:
- Defining mandatory fields such as Asset ID, Description, and Location.
- Categorising assets into hardware, software, information, and services.
- Ensuring the register is hosted in a secure, version-controlled environment.
2. Identify and Log Physical Hardware Assets
Provision a physical discovery process to identify all tangible equipment used by the organisation. Identifying physical assets prevents “Shadow IT” and ensures all endpoints are within the security perimeter. Technical actions include:
- Recording serial numbers for laptops, servers, and mobile devices.
- Identifying network infrastructure such as routers, switches, and firewalls.
- Documenting the physical location or the primary user for each hardware item.
3. Map Digital and Virtual Software Assets
Provision automated discovery tools to list all software licences and cloud-based services in use. Mapping software prevents the use of unauthorised applications and identifies legacy systems that require patching. Technical requirements include:
- Identifying SaaS applications and internal bespoke software.
- Recording version numbers and licence expiry dates.
- Identifying virtual machines and containerised environments.
4. Document Critical Information and Data Sets
Categorise the data assets that the organisation processes, stores, or transmits. Documenting information assets is vital for complying with data protection laws like GDPR and the UK Data Protection Act 2018. Technical requirements include:
- Identifying databases, file shares, and sensitive intellectual property.
- Mapping data flows between internal systems and third-party vendors.
- Documenting the format of the data, whether digital or physical paper records.
5. Assign Formal Asset Owners
Formalise accountability by assigning a specific individual to be responsible for the security of each asset. Without an owner, security controls are rarely maintained, and risks go unaddressed. Requirements include:
- Defining the owner as the person with the authority to manage the asset’s risk.
- Ensuring owners are aware of their responsibilities for classification and access review.
- Recording the owner’s name and department within the Asset Register.
6. Formalise Classification and Handling Rules
Determine the value and sensitivity of each asset based on the organisation’s Information Classification Policy. Proper classification ensures that 100% of high-risk data receives the most stringent security controls. Implementation steps involve:
- Labelling assets as Public, Internal, Confidential, or Restricted.
- Defining handling requirements for storage, transmission, and disposal.
- Linking classification levels to automated Data Loss Prevention (DLP) rules.
7. Link Asset Inventory to IAM Roles
Enforce the Principle of Least Privilege by linking asset access to Identity and Access Management (IAM) roles. Linking access to the inventory prevents unauthorised modification of sensitive data and hardware. Technical requirements include:
- Mandating Multi-Factor Authentication (MFA) for all administrative access to critical assets.
- Defining specific IAM permissions based on asset classification.
- Recording which user roles are permitted to access or modify specific assets.
8. Audit Physical Presence and Software Versions
Audit the inventory at least annually to verify that the recorded assets still exist and are in the correct location. Regular auditing identifies lost or stolen equipment and ensures software is up to date. Audit tasks include:
- Performing physical spot checks of hardware against the Asset Register.
- Running vulnerability scans to verify software version accuracy.
- Updating the register to reflect any changes in asset status or ownership.
9. Enforce Secure Disposal and Return Protocols
Revoke access and trigger secure destruction procedures when an asset reaches the end of its useful life. Secure disposal prevents data leaks from decommissioned hardware or orphaned software accounts. Necessary steps are:
- Using certified data destruction services for physical media.
- Ensuring all company data is wiped before hardware is repurposed or sold.
- Documenting the disposal method and date for the audit trail.
10. Update Records for Employee Offboarding
Revoke asset assignments and retrieve physical equipment immediately upon the termination of a contract. Prompt retrieval of assets is a critical auditor focus to prevent unauthorised data access post-employment. Offboarding requirements include:
- Checking the Asset Register during the exit interview to ensure a 100% return rate.
- Disabling user accounts linked to specific software assets.
- Updating the Asset Register to show the item is now in “Storage” or “Unassigned”.
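The ten steps above describe a data structure (the register) and three operations on it (an audit reconciliation, a disposal record and an offboarding update). The following Python is an added example that is not part of the original article, nor of any ISO 27001 document or product: it assumes its own field names, category and classification vocabularies, and a discovery-scan format of serial number to observed location, all of which are illustrative choices rather than anything the standard prescribes. It enforces the mandatory fields of step 1, the serial and version rules of steps 2 and 3, the owner and classification of steps 5 and 6, then runs the step 8 reconciliation to surface unregistered (Shadow IT), missing and moved hardware, and finally applies the step 9 and 10 status updates.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Controlled vocabularies: constructed for this example, not mandated by the standard.
CATEGORIES = {"hardware", "software", "information", "service"}
CLASSIFICATIONS = {"Public", "Internal", "Confidential", "Restricted"}
MANDATORY_FIELDS = ("asset_id", "description", "category", "location",
                    "owner", "classification")


@dataclass
class Asset:
    asset_id: str
    description: str
    category: str
    location: str
    owner: str                              # accountable individual (step 5)
    classification: str                     # handling level (step 6)
    status: str = "In use"                  # In use / Storage / Unassigned / Disposed
    assigned_to: Optional[str] = None       # primary user of a hardware item (step 2)
    serial: Optional[str] = None            # hardware serial number (step 2)
    version: Optional[str] = None           # software version (step 3)
    disposal_method: Optional[str] = None   # recorded on disposal (step 9)
    disposal_date: Optional[date] = None


def validate(asset: Asset) -> list[str]:
    """Return the register rules this asset violates (empty list if compliant)."""
    problems = []
    for name in MANDATORY_FIELDS:
        if not getattr(asset, name):
            problems.append(f"{asset.asset_id or '<no id>'}: missing mandatory field '{name}'")
    if asset.category not in CATEGORIES:
        problems.append(f"{asset.asset_id}: unknown category '{asset.category}'")
    if asset.classification not in CLASSIFICATIONS:
        problems.append(f"{asset.asset_id}: unknown classification '{asset.classification}'")
    if asset.category == "hardware" and not asset.serial:
        problems.append(f"{asset.asset_id}: hardware must record a serial number")
    if asset.category == "software" and not asset.version:
        problems.append(f"{asset.asset_id}: software must record a version")
    return problems


class AssetRegister:
    """Single source of truth (step 1): one entry per asset, keyed by Asset ID."""

    def __init__(self) -> None:
        self._assets: dict[str, Asset] = {}

    def add(self, asset: Asset) -> None:
        problems = validate(asset)
        if problems:
            raise ValueError("; ".join(problems))
        if asset.asset_id in self._assets:
            raise ValueError(f"duplicate asset id {asset.asset_id}")
        self._assets[asset.asset_id] = asset

    def get(self, asset_id: str) -> Asset:
        return self._assets[asset_id]

    def reconcile_hardware(self, discovered: dict[str, str]) -> dict[str, list]:
        """Step 8: compare a discovery scan (serial -> observed location) with the register.
        unregistered: serials seen by the scan but absent from the register (Shadow IT)
        missing:      registered, non-disposed hardware the scan did not find
        moved:        hardware found somewhere other than its recorded location
        """
        by_serial = {a.serial: a for a in self._assets.values()
                     if a.category == "hardware" and a.status != "Disposed"}
        unregistered = sorted(s for s in discovered if s not in by_serial)
        missing = sorted(a.asset_id for s, a in by_serial.items() if s not in discovered)
        moved = sorted((a.asset_id, a.location, discovered[s])
                       for s, a in by_serial.items()
                       if s in discovered and discovered[s] != a.location)
        return {"unregistered": unregistered, "missing": missing, "moved": moved}

    def offboard(self, user: str) -> list[str]:
        """Step 10: release every item assigned to a leaver; returns the affected ids."""
        released = []
        for a in self._assets.values():
            if a.assigned_to == user:
                a.assigned_to = None
                a.status = "Unassigned"
                released.append(a.asset_id)
        return sorted(released)

    def dispose(self, asset_id: str, method: str, when: date) -> None:
        """Step 9: record the disposal method and date for the audit trail."""
        a = self._assets[asset_id]
        a.status, a.disposal_method, a.disposal_date = "Disposed", method, when


def build_sample_register() -> AssetRegister:
    """Constructed sample data; the identifiers, names and locations are illustrative."""
    reg = AssetRegister()
    reg.add(Asset("HW-001", "Engineering laptop", "hardware", "London office",
                  owner="IT Manager", classification="Confidential",
                  assigned_to="a.example", serial="SN-LAP-1001"))
    reg.add(Asset("HW-002", "Core switch", "hardware", "London comms room",
                  owner="Network Lead", classification="Internal", serial="SN-SW-2001"))
    reg.add(Asset("SW-001", "Payroll SaaS", "software", "Vendor cloud",
                  owner="Finance Director", classification="Restricted", version="2024.3"))
    reg.add(Asset("INF-001", "Customer database", "information", "Primary DB cluster",
                  owner="Data Protection Officer", classification="Restricted"))
    return reg


# Constructed discovery-scan output: serial number -> observed location.
DISCOVERED = {
    "SN-LAP-1001": "Manchester office",   # registered, but not where the register says
    "SN-LAP-9999": "London office",       # never registered: Shadow IT
}


def run_audit() -> dict[str, list]:
    """Step 8 audit over the sample register; returns the three findings lists."""
    return build_sample_register().reconcile_hardware(DISCOVERED)


if __name__ == "__main__":
    reg = build_sample_register()
    for finding, items in reg.reconcile_hardware(DISCOVERED).items():
        print(f"{finding}: {items}")
    print("released on offboarding:", reg.offboard("a.example"))
    reg.dispose("HW-002", "certified shredding", date(2024, 6, 1))
    print("HW-002 status:", reg.get("HW-002").status)
```

Run as a script it reports the laptop as moved, the switch as missing from the scan and the unknown serial as unregistered; it then shows HW-001 released by the offboarding step and HW-002 marked Disposed with its method and date. Because `validate()` refuses an entry with no owner, no serial on hardware, or an unknown classification, the register cannot drift into the state an auditor would flag under steps 1, 2, 5 and 6.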
Inventory of assets FAQ
What is an inventory of assets in ISO 27001?
An inventory of assets is a comprehensive register of all information, software, physical equipment, and services within an organisation’s ISMS scope. Under ISO 27001 Annex A 5.9, 100% of these assets must be identified, documented, and assigned to a specific owner to ensure accountability and effective risk management.
Why is an asset register critical for ISO 27001 compliance?
An asset register is critical because it serves as the foundational baseline for the risk assessment process. You cannot protect what you have not identified; failing to document 100% of assets often leads to security gaps, with industry data suggesting that unidentified “Shadow IT” accounts for up to 30% of successful organisational breaches.
What categories of assets must be included in the inventory?
ISO 27001 requires the categorisation of assets into four primary technical groups to ensure thorough protection coverage. A compliant inventory must include:
- Information Assets: Databases, sensitive data sets, system documentation, and intellectual property.
- Software Assets: Application software, operating systems, and development tools.
- Physical Assets: Servers, laptops, mobile devices, networking equipment, and removable media.
- Services: Cloud computing (SaaS/IaaS), communication services, and critical utilities like power or cooling.
Who is responsible for maintaining the inventory of assets?
The designated “Asset Owner” is responsible for ensuring that 100% of their assigned assets are classified and protected throughout their lifecycle. Under ISO 27001, owners are typically senior managers with the authority to manage the asset’s specific security risks, ensuring regular reviews of access permissions and secure disposal protocols.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to the inventory of assets:
- ISO 27001:2022 Annex A 5.9 Inventory Of Information And Other Associated Assets: This control requires an organisation to create and maintain an inventory of all assets associated with information and information processing facilities.
- ISO 27001:2022 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets: This control requires that rules be established and enforced for the acceptable use of information and assets.
- ISO 27001:2022 Annex A 5.11 Return Of Assets: This control sets rules for returning assets to the organisation when they are no longer required.
- ISO 27001:2022 Annex A 7.9 Security Of Assets Off-Premises: This control requires protective measures to be in place when assets are away from the organisation’s premises.
| Related ISO 27001 Control / Concept | Relationship Description |
|---|---|
| ISO 27001 Annex A 5.9: Inventory of Information and Other Associated Assets | Core Requirement: The primary control that mandates organizations to identify, document, and maintain an inventory of all assets associated with information and information processing facilities. |
| ISO 27001 Annex A 5.10: Acceptable Use of Information and Other Associated Assets | Asset Governance: Requires established rules for how the assets listed in the inventory must be used by employees and contractors. |
| ISO 27001 Annex A 5.11: Return of Assets | Lifecycle Management: Sets the rules for ensuring that assets identified in the inventory are returned to the organization when an individual’s employment or contract ends. |
| ISO 27001 Annex A 7.9: Security of Assets Off-Premises | Physical Protection: Focuses on the security measures required when physical assets from the inventory (like laptops) are taken away from the organization’s main locations. |
| ISO 27001 Annex A 5.12: Classification of Information | Asset Value: Once assets are inventoried, they must be classified to determine the level of protection they require based on their importance to the business. |
| Glossary: Information Asset | Asset Category: A critical type of asset that must be included in the inventory, encompassing customer lists, financial reports, and intellectual property. |
| Glossary: Risk Assessment | Operational Input: The inventory of assets is a fundamental prerequisite for a risk assessment; you cannot protect or assess the risks to what you have not identified. |
| ISO 27001 Glossary of Terms (Main Index) | Parent Directory: The central index where Inventory of Assets is categorized as a foundational asset management and security requirement. |
