UnixTime

Research Note

ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets

The organization must know what information and related assets it has, where they are, who owns them, how important they are, and how they are protected.

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“An inventory of information and other associated assets, including owners, shall be developed and maintained.”

Plain-language meaning

The organization must know what information and related assets it has, where they are, who owns them, how important they are, and how they are protected.

You cannot protect, classify, back up, retain, dispose of, or risk-assess assets you do not know exist.

Why this matters

Asset inventories are the base layer for risk assessment, classification, access control, backup, disaster recovery, retention, disposal, supplier assurance, and audit evidence.

This control is broader than a laptop spreadsheet. It includes information and associated assets such as:

  • databases and data sets;
  • paper records;
  • applications and software;
  • servers and endpoints;
  • virtual assets and cloud services;
  • removable media;
  • contracts and system documentation;
  • procedures and recovery plans;
  • business processes and services;
  • systems that store, process, or transmit information.

The inventory should be detailed enough to support Risk Assessment and control decisions. Too much detail becomes unmaintainable; too little detail becomes useless.

Asset ownership

Each important asset needs an owner.

The asset owner is accountable for the asset and its protection. The owner does not have to operate the asset daily, but they must ensure the asset is classified, protected, reviewed, and represented in risk decisions.

Typical asset owner responsibilities:

  • determine or approve classification;
  • explain business value and criticality;
  • support risk assessments;
  • ensure appropriate protection;
  • approve access or usage rules where relevant;
  • keep classification and control expectations current;
  • confirm custodians are performing day-to-day protection tasks.

Owner vs custodian

Role Accountability Example
Asset owner Accountable for value, classification, protection expectations, and risk decisions HR director owns employee records
Custodian Handles day-to-day operation, maintenance, or protection on behalf of the owner IT operations manages the HR database server

Delegation to a custodian does not remove owner accountability. If the custodian fails, the owner still needs to demonstrate oversight.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

1. Define inventory scope

The inventory should include major information and associated assets that require protection or support the ISMS.

Include:

  • information assets in technical and non-technical formats;
  • physical equipment;
  • virtual infrastructure;
  • software products and licenses;
  • cloud services;
  • business services and key processes;
  • documentation and contracts;
  • backup and recovery dependencies;
  • retained records that may be liabilities, such as identity documents.

2. Choose the right level of granularity

The inventory does not need to list every file if grouping by business purpose is more useful.

Examples:

Asset grouping When useful
Database Structured data set with clear owner and system
Business process Several assets support one service or workflow
Application Software and data are managed together
Record category Paper or digital records with common retention and protection needs
Infrastructure component Physical or virtual asset needing tracking

The test is simple: can the inventory support risk assessment, ownership, classification, protection, backup, recovery, retention, and disposal?

3. Record the required fields

Useful inventory fields include:

Field Purpose
Asset name or identifier Identifies the item
Asset type Information, software, hardware, service, document, process, media
Owner Shows accountability
Custodian Shows day-to-day responsibility
Location or hosting Shows where it is stored or operated
Business value or criticality Supports risk and continuity decisions
Security classification Drives protection requirements
Special characteristics Personal data, regulated data, confidential data, IP, financial records
Backup and recovery arrangements Supports resilience
Retention period or lifespan Supports legal and disposal requirements
License or supplier details Supports software and service control
Disposal record Shows secure end-of-life handling
Last reviewed Shows inventory maintenance

4. Maintain the inventory through change

The inventory must be updated when assets are introduced, changed, moved, reassigned, retired, or disposed of.

Trigger points:

  • project initiation and closure;
  • change management;
  • procurement;
  • software deployment;
  • cloud service onboarding;
  • supplier onboarding or exit;
  • data migration;
  • business process change;
  • asset disposal;
  • annual stock check.

This connects directly to A.5.8 Information Security in Project Management.

5. Protect the inventory itself

The asset inventory is sensitive. It can show attackers what systems exist, where data is stored, which systems are critical, and who owns them.

Protect it with:

  • access control;
  • backup;
  • integrity protection;
  • change history;
  • restricted exports;
  • periodic review;
  • secure handling of old copies.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should confirm that the inventory exists, is complete enough for the organization’s context, is maintained, and includes assigned owners.

Audit work should test:

  • whether major information and associated assets are included;
  • whether assets are classified;
  • whether owners and custodians are assigned;
  • whether owners understand their responsibilities;
  • whether inventory updates are linked to project and change processes;
  • whether disposals are recorded;
  • whether the inventory itself is protected;
  • whether risk assessments and classification records align with inventory data.

Sampling is important. Pick assets from operations, projects, procurement, cloud subscriptions, paper records, and disposal records, then verify that they appear correctly in the inventory.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Asset inventory Assets are identified and maintained
Information asset register Information assets and owners are documented
CMDB or asset management system Technical assets are tracked
Software license inventory Software use and licensing are controlled
Classification records Assets have protection expectations
Risk assessment records Owners support risk decisions
Backup and recovery records Resilience arrangements are known
Disposal records End-of-life handling is controlled
Change/project records Inventory updates are triggered by change
Annual stock check records Inventory accuracy is periodically tested
Inventory access control records Inventory is protected

Strong evidence

  • Inventory includes information, physical, virtual, software, service, process, and documentation assets relevant to the ISMS.
  • Important assets have owners and, where needed, custodians.
  • Classification, business value, location, retention, backup, and recovery details are recorded.
  • New assets and disposals are reflected through project, procurement, and change processes.
  • Asset owners participate in risk assessment and classification.
  • Inventory accuracy is tested periodically.
  • Disposal records show when, how, and to whom assets were disposed.
  • Inventory access is restricted and backed up.

Weak evidence

  • Inventory only lists laptops and ignores information assets.
  • Assets have no owner.
  • Inventory has owners but no evidence they know their responsibilities.
  • Classification is missing or stale.
  • New systems are not added until annual review.
  • Disposals are not recorded.
  • Software and cloud services are not tracked.
  • Inventory is an uncontrolled spreadsheet with broad access.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Physical asset inventory only Information assets and data risks are missed
No owner assigned Accountability is unclear
Owner confused with IT custodian Business value and classification decisions are weak
Inventory not linked to change/project processes New assets are missed
No disposal record Retired assets may leak data or remain licensed
No classification field Protection requirements are unclear
Inventory not protected Sensitive asset map can be exposed
Annual stock check skipped Accuracy decays quickly

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • Asset inventory is not only hardware. It includes information and associated assets.
  • Owner does not mean day-to-day user or IT operator. The owner is accountable for the asset and protection expectations.
  • A custodian can perform daily tasks, but accountability remains with the owner.
  • Assets that are liabilities, such as retained identity documents, still need inventory, protection, retention, and disposal control.
  • The inventory must be maintained, not merely created once.
  • Project and change management should update the inventory.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.9 requires a maintained inventory of information and associated assets, including owners. The inventory should support risk assessment, classification, protection, backup, recovery, retention, disposal, and audit evidence. Important assets need accountable owners, and day-to-day custodians can be assigned without removing owner accountability.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Asset management
  • Asset inventory
  • Asset ownership
  • Audit

Note Metadata

Aliases: A.5.9, Inventory of Information and Other Associated Assets

Source: 02 Annex A Organizational Controls/A.5.9 Inventory of Information and Other Associated Assets.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Audit checks

Audit questions, checklists, or review material connected to the control.

04

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.