What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that information and associated assets are identified, owned, classified, maintained, protected, and updated through change, project, procurement, and disposal activities.
Evidence to request
| Evidence | Purpose |
|---|---|
| Information asset inventory | Shows information assets are identified |
| Physical/virtual asset inventory or CMDB | Shows associated technical assets are tracked |
| Asset ownership records | Shows accountable owners are assigned |
| Custodian assignments | Shows day-to-day responsibilities are delegated where needed |
| Classification records | Shows protection expectations are defined |
| Risk assessment records | Shows owners contribute to risk decisions |
| Backup and recovery records | Shows resilience arrangements are recorded |
| Software/license inventory | Shows software and license tracking |
| Disposal records | Shows end-of-life handling is controlled |
| Change and project records | Shows inventory updates are triggered by change |
| Annual stock check or reconciliation records | Shows inventory accuracy is tested |
| Inventory access control and backup records | Shows the inventory itself is protected |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Inventory covers information, hardware, software, virtual assets, services, processes, documents, and media relevant to the ISMS.
- Important assets have owners and custodians where appropriate.
- Business value, classification, location, retention, backup, recovery, and special requirements are recorded.
- Project, procurement, change, and disposal processes update the inventory.
- Owners can explain their responsibilities.
- Disposals record when, how, and to whom assets were disposed.
- Inventory accuracy is periodically checked.
- Inventory access is restricted and backed up.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Inventory only covers finance/accounting equipment.
- Information assets are missing.
- Owners are blank, generic, or all assigned to IT.
- No classification or business value.
- Inventory not updated after projects or changes.
- No disposal records.
- Software, cloud services, and paper records are excluded.
- Inventory stored as an uncontrolled spreadsheet.
Sample interview questions
Ask the inventory owner
- What asset types are included in the inventory?
- How do new assets enter the inventory?
- How are disposals recorded?
- How often is inventory accuracy checked?
- How is the inventory protected?
Ask asset owners
- Which assets do you own?
- What classification applies to your assets?
- What backup and recovery arrangements apply?
- How do you verify custodians are protecting the asset?
- How do you participate in risk assessments?
Ask custodians or IT operations
- Which assets do you operate on behalf of owners?
- How are changes reflected in the inventory?
- How are retired assets removed or marked disposed?
- How do you handle virtual or cloud assets?
Common nonconformities
- No maintained information asset inventory.
- Important assets lack owners.
- Owners do not understand ownership responsibilities.
- Inventory excludes paper, software, cloud, virtual, or service assets.
- Classification not recorded.
- Disposals not recorded.
- Inventory is not updated through project/change management.
- Inventory itself is not protected.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 9
Note Metadata
Aliases: A.5.9 Evidence
Source: 04 Audit Evidence Packs/A.5.9 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Risk Assessment
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- Audit Evidence MOC
- AQ-ISO27001-A.5.9 Inventory of Information and Other Associated Assets
- A.5 Organizational Controls Audit Guide
- A.5.9 Audit Checklist
- Information and Associated Asset Inventory
- Audit Evidence Index