Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“An inventory of information and other associated assets, including owners, shall be developed and maintained.”
Plain-language meaning
The organization must know what information and related assets it has, where they are, who owns them, how important they are, and how they are protected.
You cannot protect, classify, back up, retain, dispose of, or risk-assess assets you do not know exist.
Why this matters
Asset inventories are the base layer for risk assessment, classification, access control, backup, disaster recovery, retention, disposal, supplier assurance, and audit evidence.
This control is broader than a laptop spreadsheet. It includes information and associated assets such as:
- databases and data sets;
- paper records;
- applications and software;
- servers and endpoints;
- virtual assets and cloud services;
- removable media;
- contracts and system documentation;
- procedures and recovery plans;
- business processes and services;
- systems that store, process, or transmit information.
The inventory should be detailed enough to support Risk Assessment and control decisions. Too much detail becomes unmaintainable; too little detail becomes useless.
Asset ownership
Each important asset needs an owner.
The asset owner is accountable for the asset and its protection. The owner does not have to operate the asset daily, but they must ensure the asset is classified, protected, reviewed, and represented in risk decisions.
Typical asset owner responsibilities:
- determine or approve classification;
- explain business value and criticality;
- support risk assessments;
- ensure appropriate protection;
- approve access or usage rules where relevant;
- keep classification and control expectations current;
- confirm custodians are performing day-to-day protection tasks.
Owner vs custodian
| Role | Accountability | Example |
|---|---|---|
| Asset owner | Accountable for value, classification, protection expectations, and risk decisions | HR director owns employee records |
| Custodian | Handles day-to-day operation, maintenance, or protection on behalf of the owner | IT operations manages the HR database server |
Delegation to a custodian does not remove owner accountability. If the custodian fails, the owner still needs to demonstrate oversight.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Define inventory scope
The inventory should include major information and associated assets that require protection or support the ISMS.
Include:
- information assets in technical and non-technical formats;
- physical equipment;
- virtual infrastructure;
- software products and licenses;
- cloud services;
- business services and key processes;
- documentation and contracts;
- backup and recovery dependencies;
- retained records that may be liabilities, such as identity documents.
2. Choose the right level of granularity
The inventory does not need to list every file if grouping by business purpose is more useful.
Examples:
| Asset grouping | When useful |
|---|---|
| Database | Structured data set with clear owner and system |
| Business process | Several assets support one service or workflow |
| Application | Software and data are managed together |
| Record category | Paper or digital records with common retention and protection needs |
| Infrastructure component | Physical or virtual asset needing tracking |
The test is simple: can the inventory support risk assessment, ownership, classification, protection, backup, recovery, retention, and disposal?
3. Record the required fields
Useful inventory fields include:
| Field | Purpose |
|---|---|
| Asset name or identifier | Identifies the item |
| Asset type | Information, software, hardware, service, document, process, media |
| Owner | Shows accountability |
| Custodian | Shows day-to-day responsibility |
| Location or hosting | Shows where it is stored or operated |
| Business value or criticality | Supports risk and continuity decisions |
| Security classification | Drives protection requirements |
| Special characteristics | Personal data, regulated data, confidential data, IP, financial records |
| Backup and recovery arrangements | Supports resilience |
| Retention period or lifespan | Supports legal and disposal requirements |
| License or supplier details | Supports software and service control |
| Disposal record | Shows secure end-of-life handling |
| Last reviewed | Shows inventory maintenance |
4. Maintain the inventory through change
The inventory must be updated when assets are introduced, changed, moved, reassigned, retired, or disposed of.
Trigger points:
- project initiation and closure;
- change management;
- procurement;
- software deployment;
- cloud service onboarding;
- supplier onboarding or exit;
- data migration;
- business process change;
- asset disposal;
- annual stock check.
This connects directly to A.5.8 Information Security in Project Management.
5. Protect the inventory itself
The asset inventory is sensitive. It can show attackers what systems exist, where data is stored, which systems are critical, and who owns them.
Protect it with:
- access control;
- backup;
- integrity protection;
- change history;
- restricted exports;
- periodic review;
- secure handling of old copies.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should confirm that the inventory exists, is complete enough for the organization’s context, is maintained, and includes assigned owners.
Audit work should test:
- whether major information and associated assets are included;
- whether assets are classified;
- whether owners and custodians are assigned;
- whether owners understand their responsibilities;
- whether inventory updates are linked to project and change processes;
- whether disposals are recorded;
- whether the inventory itself is protected;
- whether risk assessments and classification records align with inventory data.
Sampling is important. Pick assets from operations, projects, procurement, cloud subscriptions, paper records, and disposal records, then verify that they appear correctly in the inventory.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Asset inventory | Assets are identified and maintained |
| Information asset register | Information assets and owners are documented |
| CMDB or asset management system | Technical assets are tracked |
| Software license inventory | Software use and licensing are controlled |
| Classification records | Assets have protection expectations |
| Risk assessment records | Owners support risk decisions |
| Backup and recovery records | Resilience arrangements are known |
| Disposal records | End-of-life handling is controlled |
| Change/project records | Inventory updates are triggered by change |
| Annual stock check records | Inventory accuracy is periodically tested |
| Inventory access control records | Inventory is protected |
Strong evidence
- Inventory includes information, physical, virtual, software, service, process, and documentation assets relevant to the ISMS.
- Important assets have owners and, where needed, custodians.
- Classification, business value, location, retention, backup, and recovery details are recorded.
- New assets and disposals are reflected through project, procurement, and change processes.
- Asset owners participate in risk assessment and classification.
- Inventory accuracy is tested periodically.
- Disposal records show when, how, and to whom assets were disposed.
- Inventory access is restricted and backed up.
Weak evidence
- Inventory only lists laptops and ignores information assets.
- Assets have no owner.
- Inventory has owners but no evidence they know their responsibilities.
- Classification is missing or stale.
- New systems are not added until annual review.
- Disposals are not recorded.
- Software and cloud services are not tracked.
- Inventory is an uncontrolled spreadsheet with broad access.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Physical asset inventory only | Information assets and data risks are missed |
| No owner assigned | Accountability is unclear |
| Owner confused with IT custodian | Business value and classification decisions are weak |
| Inventory not linked to change/project processes | New assets are missed |
| No disposal record | Retired assets may leak data or remain licensed |
| No classification field | Protection requirements are unclear |
| Inventory not protected | Sensitive asset map can be exposed |
| Annual stock check skipped | Accuracy decays quickly |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- Asset inventory is not only hardware. It includes information and associated assets.
- Owner does not mean day-to-day user or IT operator. The owner is accountable for the asset and protection expectations.
- A custodian can perform daily tasks, but accountability remains with the owner.
- Assets that are liabilities, such as retained identity documents, still need inventory, protection, retention, and disposal control.
- The inventory must be maintained, not merely created once.
- Project and change management should update the inventory.
Related controls and concepts
- Risk Assessment
- Statement of Applicability
- A.5.2 Information Security Roles and Responsibilities
- A.5.8 Information Security in Project Management
- Information Security Management System
- Internal Audit
- Management Review
- Control Owner Register
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.9 requires a maintained inventory of information and associated assets, including owners. The inventory should support risk assessment, classification, protection, backup, recovery, retention, disposal, and audit evidence. Important assets need accountable owners, and day-to-day custodians can be assigned without removing owner accountability.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Asset management
- Asset inventory
- Asset ownership
- Audit
Note Metadata
Aliases: A.5.9, Inventory of Information and Other Associated Assets
Source: 02 Annex A Organizational Controls/A.5.9 Inventory of Information and Other Associated Assets.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Information Security Management System
- Internal Audit
- Management Review
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001 A.5.8 - Information Security in Project Management
- A.5 Organizational Controls MOC
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- ISO 27001 A.7.2 - Physical Entry
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.8 - Equipment Siting and Protection
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.7 Physical Controls MOC
- A.5.9 Audit Evidence Pack
- AQ-ISO27001-A.5.9 Inventory of Information and Other Associated Assets
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.9 Inventory of Information and Other Associated Assets
- A.5 Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.5.9 Audit Checklist
- Template - Control Owner Register
- Delivery and Loading Area Security Checklist
- Equipment Disposal and Reuse Register
- Equipment Siting and Protection Assessment
- Information and Associated Asset Inventory
- Off-Premises Asset Authorization Register
- Physical Security Zone Register
- Remote Equipment Register
- Remote Working Authorization Register
- Template - Risk and Control Mapping Table
- Annex A Controls MOC