# ISO 27001 A.5.9: Inventory of information and other associated assets

## What This Control Requires
An inventory of information and other associated assets, including owners, shall be developed and maintained.
## In Plain Language
You cannot protect what you do not know about. This is one of those foundational controls that everything else depends on - if your asset inventory is incomplete, your risk assessments, access controls, and incident response will all have blind spots.
The inventory covers more than just hardware and software. It includes databases, data files, contracts, documentation, cloud services, and the people and processes that interact with them. Every asset needs a designated owner who is accountable for its protection.
Keeping the inventory current is where most organisations struggle. Assets get acquired, modified, and decommissioned all the time, and the inventory needs to reflect that. Ownership must also be maintained when people move roles or leave. The depth of detail should match the value and sensitivity of the asset - not every laptop entry needs a novel, but your core database certainly deserves more than a one-liner.
## How to Implement
Define what counts as an information asset in your organisation and set up a classification scheme. Information assets include databases, data files, contracts, documentation, research, training materials, and operational procedures. Associated assets include hardware, software, network resources, cloud services, and the people and processes around them.
Pick an asset management tool that fits your size. A spreadsheet works for small organisations; larger ones will need a dedicated ITAM tool or CMDB. At minimum, capture: asset identifier, name, type, description, owner, custodian, location, classification, and status.
Run an initial discovery exercise. Use automated tools for IT assets - network scanners, software inventory tools, cloud asset discovery. Then go manual for the non-IT assets: physical records, intellectual property, process documentation. Get business units involved to identify the information assets they own.
Assign an owner to every single asset. The owner is accountable for the asset's lifecycle, classification, access requirements, and eventual disposal. Make sure owners actually understand what that means. Distinguish between the owner (accountable) and the custodian (handles day-to-day management).
Build maintenance into your processes. Integrate asset registration into procurement and provisioning so new assets are recorded automatically. Run quarterly reconciliation for critical assets and annual reconciliation for everything else. Have a decommissioning procedure that includes removal from the inventory - stale entries are almost as bad as missing ones.
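The reconciliation step above is the part most organisations never automate. The following is an added example, not code from the original page or from any ITAM product: it takes a register with the minimum fields listed above, the output of a discovery run, and a list of current staff, and reports the gaps an auditor would look for. The register entries, discovered hostnames, staff list and review intervals are all constructed sample data; the field names, the 90/365-day review periods and the "discoverable" type set are assumptions chosen to match the text.

```python
from datetime import date, timedelta

# Minimum fields the register should capture, per the implementation guidance.
REQUIRED_FIELDS = ("id", "name", "type", "description", "owner", "custodian",
                   "location", "classification", "status")

# Asset types an automated scan is expected to see. Contracts, procedures and
# similar information assets are reconciled manually, so discovery checks skip them.
DISCOVERABLE_TYPES = {"hardware", "software", "database", "cloud-service"}

# Review interval in days by classification: quarterly for critical assets,
# annual for the rest (assumed mapping).
REVIEW_DAYS = {"confidential": 90, "internal": 365, "public": 365}

# Constructed sample register; ids, names, owners and dates are made up.
REGISTER = [
    {"id": "AST-001", "name": "crm-db-01", "type": "database",
     "description": "Customer CRM database", "owner": "alice", "custodian": "dba-team",
     "location": "eu-west-1", "classification": "confidential", "status": "active",
     "last_reviewed": date(2024, 1, 15)},
    {"id": "AST-002", "name": "web-01", "type": "hardware",
     "description": "Public web server", "owner": "carol", "custodian": "ops-team",
     "location": "dc-1", "classification": "internal", "status": "active",
     "last_reviewed": date(2024, 3, 1)},
    {"id": "AST-003", "name": "legacy-fs", "type": "hardware",
     "description": "Old file server", "owner": "bob", "custodian": "ops-team",
     "location": "dc-1", "classification": "internal", "status": "decommissioned",
     "last_reviewed": date(2023, 6, 1)},
    {"id": "AST-004", "name": "supplier-contract-2023", "type": "contract",
     "description": "", "owner": "", "custodian": "legal",
     "location": "sharepoint", "classification": "confidential", "status": "active",
     "last_reviewed": date(2024, 5, 1)},
    {"id": "AST-005", "name": "build-server", "type": "hardware",
     "description": "CI build server", "owner": "bob", "custodian": "ops-team",
     "location": "dc-2", "classification": "internal", "status": "active",
     "last_reviewed": date(2024, 4, 20)},
]

# Constructed output of a network/cloud discovery run: the asset names it saw.
DISCOVERED = {"crm-db-01", "web-01", "legacy-fs", "unknown-vm-17"}

# Constructed list of current staff, as an HR export would provide it.
ACTIVE_STAFF = {"alice", "bob"}


def reconcile(register, discovered, active_staff, today):
    """Compare the register against discovery and HR data; return findings by type."""
    findings = {"unregistered": [], "stale": [], "decommissioned_but_present": [],
                "missing_fields": [], "ownerless": [], "review_overdue": []}
    registered_names = {a["name"] for a in register}

    # Shadow IT: seen by discovery but absent from the register.
    findings["unregistered"] = sorted(discovered - registered_names)

    for asset in register:
        aid = asset["id"]
        # Every entry must carry the minimum field set.
        missing = [f for f in REQUIRED_FIELDS if not asset.get(f)]
        if missing:
            findings["missing_fields"].append((aid, missing))
        # The owner must be assigned and still be a current member of staff.
        if not asset.get("owner") or asset["owner"] not in active_staff:
            findings["ownerless"].append(aid)
        if asset["type"] in DISCOVERABLE_TYPES:
            seen = asset["name"] in discovered
            # Active but unseen: probably a stale entry. Decommissioned but
            # seen: the decommissioning procedure was not completed.
            if asset["status"] == "active" and not seen:
                findings["stale"].append(aid)
            if asset["status"] == "decommissioned" and seen:
                findings["decommissioned_but_present"].append(aid)
        # Review cadence depends on classification; only active assets are due.
        limit = REVIEW_DAYS.get(asset.get("classification"), 365)
        if asset["status"] == "active" and today - asset["last_reviewed"] > timedelta(days=limit):
            findings["review_overdue"].append(aid)
    return findings


def run_sample():
    """Run the reconciliation over the constructed data as of a fixed date."""
    return reconcile(REGISTER, DISCOVERED, ACTIVE_STAFF, date(2024, 6, 1))


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind}: {items}")
```

Each finding type maps to one of the common mistakes listed later on this page, so the output doubles as evidence of the review itself: archive it with the date and the discovery source and you have the reconciliation record the auditor asks for.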
## Evidence Your Auditor Will Request
- Complete asset inventory or register covering information and associated assets
- Documented asset owners for all assets in the inventory
- Asset classification records aligned with the organisation's classification scheme
- Evidence of regular inventory reviews and reconciliation activities
- Procedures for asset registration, modification, and decommissioning
## Common Mistakes
- Asset inventory is incomplete, missing shadow IT, cloud services, or information assets
- Asset owners are not assigned or ownership has not been updated after personnel changes
- Inventory is static and not updated when new assets are acquired or old ones decommissioned
- Only IT hardware is inventoried while information assets and software are omitted
- No regular reconciliation process to verify inventory accuracy
## Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.1 | Partial overlap |
| GDPR | Art.30 | Related |
| NIS2 | Art.21(2)(a) | Partial overlap |
## Frequently Asked Questions

- What level of detail is needed in the asset inventory?
- How do we handle cloud and SaaS assets in the inventory?