
ISO 27001 Physical Asset Register Explained + Template

Last updated Sep 25, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

You cannot control what you do not know, so the ISO 27001 physical asset register is the register of all things that store, transmit or process data. There are some key things to record about assets.

Think of it as a detailed list of all your company’s physical stuff. It’s a key part of keeping your business’s information safe and sound, especially if you’re aiming for an ISO 27001 certification.

What Is It?

Physical Asset Register is just a fancy name for an inventory of all your physical assets. We’re talking about things you can touch and see. This isn’t just a list, though; it’s a way to keep track of who uses what, where it’s located, and how important it is. It’s an essential document for showing you’re serious about protecting your assets.

Applicability to Small Businesses, Tech Startups, and AI Companies

This asset register is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.

  • Small Businesses: You might think you don’t need this, but you do. Even a handful of laptops and servers need to be tracked to ensure your customer data is safe.
  • Tech Startups: You’re all about innovation, but don’t forget the basics. Laptops, servers, and even your fancy office security system are all physical assets that need to be accounted for.
  • AI Companies: Your physical assets might include high-powered servers, specialized hardware for machine learning, and racks of data storage. Protecting these is crucial to your core business.

ISO 27001 Physical Asset Register Template

The ISO 27001:2022 Physical Asset Register Template is designed to fast-track your implementation and give you an exclusive, industry best practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.

Why You Need It

Honestly, everyone! If you handle sensitive information, you need a way to protect the physical things that hold that information.

You need it to show you’re serious about information security. The ISO 27001 standard requires you to manage your assets to protect your information. This register is a big part of that. It helps you:

  • Identify risks: If you know what you have, you can protect it better.
  • Prevent theft: It’s tough to steal something that’s being tracked.
  • Manage repairs and maintenance: You can easily see when a device needs an update or a check-up.

When You Need It

You need a physical asset register when you’re getting serious about your security. The best time to start is when you first get a piece of equipment, but if you haven’t started yet, there’s no time like the present! It’s a key part of your journey toward ISO 27001 certification.

Where You Need It

You need it for every physical item that helps your business run. This includes everything from laptops and mobile phones to servers, network routers, and even your office keys. If it holds or helps protect data, it should be in your register.

How to Write It

Writing one is easy! You can use a simple spreadsheet. Just be sure to include:

  • Asset Name: Like “Dell XPS Laptop.”
  • Asset ID: A unique number for each item.
  • Location: Where it is right now (e.g., “Marketing Department,” or “Server Room”).
  • Owner: The person responsible for the item.
  • Description: What it is and what it’s used for.
  • Importance Level: How critical is this asset to your business? (e.g., “High,” “Medium,” “Low”).

How to Implement It

Getting started is simple.

  1. Do an inventory: Walk around your office and list everything.
  2. Create your spreadsheet: Use the fields we mentioned above.
  3. Assign IDs: Put a unique sticker or tag on each item.
  4. Keep it updated: Every time you get a new piece of equipment, add it to the list.
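
One way to check a spreadsheet register, exported as CSV, against the fields and steps above. This is an added example, not part of the original article or the toolkit template. The `Status` column, the "in use" value, the `PA-` ID format and the staff list are assumptions made for illustration.

```python
import csv
import io

# Column names follow the fields listed on this page; "Status" is an assumed
# extra column holding the states the FAQ mentions (lost, out of service, ...).
REQUIRED = ["Asset ID", "Asset Name", "Location", "Owner", "Description", "Importance Level"]
IMPORTANCE = {"High", "Medium", "Low"}
STATUSES = {"in use", "lost", "out of service", "disposed of"}  # "in use" is assumed

# Constructed sample register, not real data.
SAMPLE_REGISTER = """\
Asset ID,Asset Name,Location,Owner,Description,Importance Level,Status
PA-001,Dell XPS Laptop,Marketing Department,A. Khan,Staff laptop,Medium,in use
PA-002,Rack server,Server Room,,File server,High,in use
PA-002,Network router,Server Room,B. Osei,Office router,High,in use
PA-003,Dell XPS Laptop,Home Office,C. Leaver,Staff laptop,Critical,in use
PA-004,Dell XPS Laptop,Remote,A. Khan,Staff laptop,Low,lost
"""

def audit_register(csv_text, current_staff):
    """Return a list of (line_number, asset_id, problem) findings."""
    findings, seen = [], {}
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        row = {k: (v or "").strip() for k, v in row.items() if k}
        asset_id = row.get("Asset ID", "")
        for field in REQUIRED:
            if not row.get(field):
                findings.append((line_no, asset_id, f"missing {field}"))
        if asset_id:
            if asset_id in seen:
                findings.append((line_no, asset_id, f"duplicate ID, first used on line {seen[asset_id]}"))
            else:
                seen[asset_id] = line_no
        level = row.get("Importance Level")
        if level and level not in IMPORTANCE:
            findings.append((line_no, asset_id, f"unknown importance level {level!r}"))
        status = row.get("Status", "").lower()
        if status and status not in STATUSES:
            findings.append((line_no, asset_id, f"unknown status {status!r}"))
        owner = row.get("Owner")
        # Disposed assets no longer need a current owner; everything else does.
        if owner and owner not in current_staff and status != "disposed of":
            findings.append((line_no, asset_id, f"owner {owner!r} is not current staff"))
    return findings

if __name__ == "__main__":
    for finding in audit_register(SAMPLE_REGISTER, {"A. Khan", "B. Osei"}):
        print(*finding, sep=" | ")
```

Running it after each change to the register catches reused tags, unowned assets and equipment still assigned to someone who has left.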

Examples of using it for small businesses

You have 10 laptops and a small server. Your register would list each laptop with its user and a unique ID. It would also track your server and where it’s kept.

Examples of using it for tech startups

Your register includes all the laptops for your developers, a server rack in a co-location facility, and a biometric scanner for your office.

Examples of using it for AI companies

You’d track your high-end graphics cards, specialised servers for AI models, and the network hardware that connects it all.

How the ISO 27001 Toolkit Can Help

Instead of starting from scratch, you can get a head start with an ISO 27001 toolkit. This includes pre-made templates for things like your physical asset register. They can save you tons of time and make sure you’ve got all the right fields and information to comply with the standard.


Information security standards that need it

This asset register is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive) 
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology) 
  • HIPAA (Health Insurance Portability and Accountability Act)

List of relevant ISO 27001:2022 controls

The ISO 27001:2022 standard has specific controls that relate to a physical asset register. Some of the most important ones include:

ISO 27001 Physical Asset Register FAQ

What is an ISO 27001 physical asset register used for?

An ISO 27001 physical asset register is used to record the physical devices that store, process or transmit data through an organisation. It records key control information. We cannot protect what we do not know about, so we record all our devices.

How does an information security asset register differ from an accounting asset register?

For information security asset registers we are only interested in assets that process, store or transmit data. An accounting asset register is a register of all assets and, for example, would include screens, chairs, desks and computer mice.

What does an ISO 27001 physical asset register contain?

A list of assets that process, store or transmit data, as well as control information such as: who owns the asset, what it does, what data it processes, what classification it is, what criticality it is, physical characteristics, the date it was last reviewed and by whom, and the status of encryption and antivirus.

Where can I download an ISO 27001 physical asset register template?

An ISO 27001 physical asset register template can be downloaded from High Table: The ISO 27001 Company.

What is the best format for an ISO 27001 physical asset register?

In our experience a spreadsheet works best, such as an ISO 27001 physical asset register in XLS format.

What if I lose an item?

You’d mark it as “lost” in your register, note the date, and start a search.

Does my physical asset register need to be digital?

It can be on paper, but a digital spreadsheet is way easier to manage and update.

What’s the difference between this and a regular inventory list? 

This one is specifically focused on security and is required by the ISO 27001 standard.

Do I need to track office furniture? 

Not usually, unless it holds a lot of sensitive information, like a secure filing cabinet.

What about software?

That’s a different register. This one is just for physical stuff.

How often should I update it?

You should update it every time you add or remove an asset.

What if an item is off-site?

You still track it and note its location, like “Home Office” or “Remote.”

Can one person manage the whole thing? 

Yes, but it’s good to have a backup person who knows how it works.

What if I have too many items? 

You can group similar items together, like “Dell Laptops (x15),” but it’s better to list each one separately if you can.

Do I need a formal template? 

A simple spreadsheet is fine, as long as it includes all the necessary information.

What if a piece of equipment is old?

You still track it! Even old equipment can be a security risk.

What if someone leaves the company? 

You’d update the owner field and make sure the asset is returned.

Is this just for certification? 

No, it’s also just good business practice!

What if a device breaks?

You would update the status in the register to “out of service” or “disposed of.”

What if my company is all remote? 

You still need to track all the equipment you’ve given to your employees.

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.