ISO 27001 Control 5.9 – Inventory of Information and Other Associated Assets
If you do not know what you have, you cannot protect it. ISO 27001 Annex A Control 5.9 formalises that idea by requiring an inventory of information and other associated assets – including clear ownership – so they can be managed, protected, and used appropriately.
Developing and Maintaining an Inventory of Information and Other Associated Assets
Control 5.9 asks organisations to develop and maintain an inventory of information and other associated assets, including their owners. In practice, this means you need a reliable list of:
- The information you rely on (data, records, documents, configurations, code, etc.)
- The assets that create, process, store, or transmit that information (systems, services, infrastructure, people and third parties)
- Who is accountable for each one
That inventory becomes the foundation for risk assessment, access management, acceptable use, incident response, and many other controls across your ISMS.
Purpose of an Asset Inventory
A good asset inventory is not just an admin exercise; it is a key security and governance mechanism. The primary purposes are to:
- Identify what needs protecting: understand what information exists, where it sits, and which supporting assets are involved.
- Support risk-based protection: link assets to business processes and risks so that security measures are applied where they matter most.
- Assign ownership and accountability: make it clear who is responsible for the security and lifecycle of each asset.
- Enable efficient operations and change: support troubleshooting, capacity planning, change management and incident response by knowing what you have and how it fits together.
- Demonstrate control for audits and regulators: provide evidence that you understand your information landscape and are managing it deliberately, not by accident.
Essential Guidelines for Asset Inventory Management
1. Identifying and Documenting Assets
Start with the question: “What do we rely on to deliver our services and protect our information?” Then capture those assets in a structured way.
Typical asset categories include:
- Information assets
- Customer records, transactional data, logs
- Source code, configuration files, design documents
- Contracts, HR files, finance records
- Hardware and infrastructure
- Servers, laptops, desktops, mobile devices
- Network devices (routers, switches, firewalls, Wi-Fi access points)
- On-premises and data centre equipment
- Software and services
- Line-of-business applications, databases, SaaS platforms
- Operating systems, virtual machines and containers
- Cloud services (IaaS, PaaS, serverless functions)
- Facilities and environmental components
- Offices, comms rooms, server rooms, secure storage areas
- Power, cooling, UPS, physical access systems
- People and third parties
- Key internal roles (e.g. product owner, security officer, system owner)
- Managed service providers, hosting providers, critical suppliers
Aim to record at least:
- Asset name and description
- Asset type/category
- Owner
- Location (logical and/or physical)
- Link to relevant systems, services, or processes
Smaller organisations can often combine this with their risk register; larger environments usually benefit from dedicated asset registers and configuration management databases (CMDBs).
2. Ensuring Inventory Accuracy and Consistency
An out-of-date inventory quickly becomes a liability. To keep it useful:
- Integrate with joiners/movers/leavers and change processes
- Add or update assets when new systems, services, or suppliers are introduced.
- Update ownership when people change roles.
- Remove or mark assets as retired when decommissioned.
- Use automation where possible
- Feed from device management, cloud consoles, identity platforms, or CMDB tools.
- Use discovery scans for networks, servers, and cloud workloads – especially in larger environments – and reconcile the results against the register in both directions: anything discovered but not registered is an unmanaged asset until someone claims it, and anything registered but no longer discoverable is either retired or sitting in a blind spot of your discovery coverage.
- Run periodic reviews
- Schedule regular checks (e.g. quarterly) for each asset class or service area.
- Ask owners to confirm that the list for their area is complete and accurate.
- Align formats and definitions
- Use consistent naming, classification levels, and fields across all inventories.
- Decide upfront whether you maintain one master inventory with views, or several aligned sub-inventories.
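As an added example (not text or code from ISO/IEC 27001, ISO/IEC 27002, or the original page), the reconciliation and review checks described above can be run as a small script over exports from the register and a discovery feed. The register columns (`asset_id`, `name`, `type`, `owner`, `service`, `last_reviewed`), the 90-day review window, and the idea that a discovery source only covers certain asset types (here, virtual machines) are assumptions chosen for illustration; the register and discovery data below are constructed samples, not real assets.

```python
"""Reconcile an asset register against a discovery feed and flag what a
Control 5.9 review should look at: unregistered assets, registered assets
that discovery no longer sees, entries with no owner, and stale entries.
All data below is constructed for the example."""
from dataclasses import dataclass, field
from datetime import date
import csv
import io

# Constructed asset register export (assumed column layout).
REGISTER_CSV = """asset_id,name,type,owner,service,last_reviewed
srv-001,portal-app-01,vm,Head of Engineering,Customer portal,2024-03-01
srv-002,portal-db-01,vm,Head of Engineering,Customer portal,2024-03-01
srv-003,legacy-ftp-01,vm,,,2022-11-15
saas-001,payroll-saas,saas,Head of HR,HR information,2024-01-10
"""

# Constructed discovery feed, e.g. an export from a cloud console. It only
# enumerates virtual machines, so SaaS entries cannot be checked against it.
DISCOVERY = [
    {"asset_id": "srv-001", "name": "portal-app-01"},
    {"asset_id": "srv-002", "name": "portal-db-01"},
    {"asset_id": "srv-009", "name": "portal-cache-01"},  # running, never registered
]
DISCOVERY_COVERS = {"vm"}  # asset types this feed is authoritative for
REVIEW_WINDOW_DAYS = 90    # assumed quarterly review cadence


@dataclass
class Asset:
    asset_id: str
    name: str
    type: str
    owner: str
    service: str
    last_reviewed: date


@dataclass
class Findings:
    unregistered: list[str] = field(default_factory=list)
    missing_from_discovery: list[str] = field(default_factory=list)
    no_owner: list[str] = field(default_factory=list)
    stale: list[str] = field(default_factory=list)


def load_register(csv_text: str) -> dict[str, Asset]:
    """Parse the register export into a dict keyed by asset_id."""
    register: dict[str, Asset] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        register[row["asset_id"]] = Asset(
            asset_id=row["asset_id"],
            name=row["name"],
            type=row["type"],
            owner=row["owner"].strip(),
            service=row["service"].strip(),
            last_reviewed=date.fromisoformat(row["last_reviewed"]),
        )
    return register


def reconcile(register: dict[str, Asset], discovered: list[dict],
              covered_types: set[str], today: date,
              max_age_days: int = REVIEW_WINDOW_DAYS) -> Findings:
    """Compare register and discovery in both directions and apply the
    ownership and review-age checks. Only asset types the discovery feed
    actually covers are flagged as missing from it."""
    findings = Findings()
    discovered_ids = {d["asset_id"] for d in discovered}
    for d in discovered:
        if d["asset_id"] not in register:
            findings.unregistered.append(d["asset_id"])
    for asset in register.values():
        if asset.type in covered_types and asset.asset_id not in discovered_ids:
            findings.missing_from_discovery.append(asset.asset_id)
        if not asset.owner:
            findings.no_owner.append(asset.asset_id)
        if (today - asset.last_reviewed).days > max_age_days:
            findings.stale.append(asset.asset_id)
    return findings


def group_by_service(register: dict[str, Asset]) -> dict[str, list[str]]:
    """Service-centred view of the register; unassigned assets are grouped
    together so they are visible rather than lost in a flat list."""
    groups: dict[str, list[str]] = {}
    for asset in register.values():
        groups.setdefault(asset.service or "(no service)", []).append(asset.name)
    return groups


def run_review(today: date = date(2024, 4, 1)):
    """Run the checks over the constructed data with a fixed review date."""
    register = load_register(REGISTER_CSV)
    return reconcile(register, DISCOVERY, DISCOVERY_COVERS, today), group_by_service(register)


if __name__ == "__main__":
    findings, groups = run_review()
    print(findings)
    for service, names in groups.items():
        print(f"{service}: {', '.join(names)}")
```

On the constructed data the script flags srv-009 as running but unregistered, srv-003 as registered but no longer discoverable, ownerless, and not reviewed within the window, and leaves the SaaS entry alone because the discovery feed says nothing about SaaS. Each of those is a question for a named person, which is the point of tying the check to ownership.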
3. Asset Classification and Criticality
Control 5.9 links directly to how you classify and protect information and assets.
For each asset (or group of assets):
- Apply information classification
- Use your agreed scheme (e.g. Public, Internal, Confidential) to reflect confidentiality, integrity and availability requirements.
- Make sure the classification drives practical security measures: access control, encryption, handling rules, etc.
- Record business criticality
- Note which processes or services depend on the asset.
- Identify “single points of failure” or assets whose loss would significantly impact operations, safety, or compliance.
- Tie into other controls
- Classification and criticality should influence backup, resilience, monitoring, and incident response priorities (e.g. controls 5.12, 5.29, 5.30).
Ownership and Accountability in Asset Management
A central part of 5.9 is the combination of inventory and ownership. It is not enough to know that an asset exists; someone must be accountable for it.
1. Assigning Ownership
For each information asset or associated asset:
- Assign a named owner at the point it is created, acquired or brought under your control.
- Make sure ownership is captured in the inventory and visible to relevant teams.
- Reassign ownership promptly when people change roles or leave the organisation.
Ownership can be tied to:
- A specific role (e.g. “Head of Operations”, “Head of Engineering”)
- A named individual (with clear deputies)
- A function or service owner (for complex systems that cut across teams)
The key point: the asset owner is accountable, even if routine tasks are delegated elsewhere.
2. Responsibilities of Asset Owners
Owners are typically responsible for:
- Keeping the asset inventory entry accurate and up to date
- Making sure appropriate information classification is applied
- Ensuring security controls are defined and implemented based on risk
- Approving who can access the asset and reviewing access periodically
- Ensuring secure transfer or disposal of the asset and updating records accordingly
- Providing guidance to custodians and users on how the asset should be handled
You can support owners by giving them:
- Simple guidance notes or a RACI for asset management
- Dashboards from your CMDB, MDM, or cloud tools showing “their” assets
- Reminders before scheduled reviews or when changes affect their area
Integrating Asset Inventories into Organisational Processes
1. Supporting Security and Compliance
A well-designed inventory makes many other activities easier:
- Risk management
- Link assets to risks and controls so you can see where your security investments are going and where gaps remain.
- Incident management
- When something goes wrong, you can quickly identify affected assets, owners, and dependencies.
- Audit and assurance
- Both internal and external auditors will look for evidence that you know what you are protecting under your ISMS scope, and that ownership is clear.
2. Delegating Tasks Without Losing Accountability
Day-to-day activities such as:
- Patching and technical maintenance
- Monitoring and logging
- Backup and restore
- Onboarding and offboarding of users
can be delegated to IT, security, or suppliers, but accountability remains with the asset owner.
Make this explicit in your procedures and contracts so there is no confusion between “who does the work” and “who is accountable for the asset”.
3. Grouping Assets Around Services
Rather than managing each asset as a separate island, group related assets around business services or systems. For example:
- “Customer portal” may include:
- Application servers, database, CDN, WAF, source code repository, logging platform, and relevant SaaS tools.
- “HR information” may include:
- HR system, payroll, document storage, identity management, and key reports.
Assign a service owner and make sure the inventory reflects the relationship between information, assets, and services. This is often much easier for people to understand and manage than a long flat list.
Leveraging Standards and Tools for Better Asset Management
ISO 27002 expands on Control 5.9 with practical implementation guidance, and you can also draw on other standards and frameworks to strengthen your approach, for example:
- ISO/IEC 27002:2022: provides detailed guidance on what to include in asset inventories, how to handle ownership, and how this interacts with other controls.
- ISO 55001 – Asset Management: useful where physical assets (plant, machinery, infrastructure) play a major role and you want a more mature asset management discipline.
- ISO/IEC 19770-1 – IT Asset Management: helpful for organisations managing large numbers of software licences, devices, and cloud services.
On the tooling side, many organisations use a combination of:
- Device management (MDM/endpoint management)
- Cloud provider inventories and configuration tools
- CMDB and IT service management platforms
- Spreadsheets or simple databases for smaller environments
The standard is deliberately technology-neutral: you can meet Control 5.9 with anything from a well-maintained spreadsheet to a full CMDB, as long as the inventory is reliable and actually used.
FAQs
What does ISO 27001 Control 5.9 actually require?
In simple terms, 5.9 expects you to:
- Identify the information and other associated assets that matter
- Record them in an inventory (or several linked inventories)
- Assign ownership for those assets
- Keep that information accurate, current, and aligned with your ISMS scope and risks
What counts as “information and other associated assets”?
Typical items include:
- Information: data sets, documents, records, code, logs, designs, configurations
- IT assets: servers, endpoints, mobile devices, networking equipment, cloud resources
- Applications and services: on-premises systems, SaaS platforms, APIs, integrations
- Facilities: offices, server rooms, secure storage areas, key environmental components
- People and third parties: roles or suppliers that are essential to managing or processing information
If an item helps create, process, store, or transmit information within your ISMS scope, it is a candidate for the asset inventory.
Do small organisations really need a formal CMDB?
No. The control is about having a reliable inventory, not about buying specific tools. A small organisation might meet 5.9 by:
- Listing key information and assets in a risk register
- Maintaining a simple spreadsheet with asset details and owners
- Reviewing it periodically and updating it when changes occur
What matters is that the inventory is complete for your scope, used in practice, and kept current.
How often should we review the asset inventory?
There is no fixed ISO rule, but a sensible approach is to:
- Update the inventory as part of change management and procurement
- Run a light review (e.g. quarterly) for high-risk or critical services
- Run a fuller review annually or as part of your internal audit cycle
The more dynamic your environment (e.g. heavy use of cloud, frequent releases), the more you will rely on automation and more frequent checks.
How does 5.9 relate to 5.10 and 5.11?
- 5.9 – Inventory of information and other associated assets: establishes what assets exist and who owns them.
- 5.10 – Acceptable use of information and other associated assets: sets the rules for how those assets should be used.
- 5.11 – Return of assets: ensures assets are returned or access is revoked when people leave or change roles.
Together, these controls form a logical chain: know what you have, define how it can be used, and make sure it comes back or is disconnected when it should.
Conclusion
An effective inventory of information and other associated assets is one of the quiet foundations of a strong ISMS. By:
- Identifying your information and supporting assets
- Assigning clear ownership and responsibilities
- Keeping your inventory accurate and integrated into everyday processes
you make it much easier to manage risk, demonstrate compliance, and respond quickly when things change.
ISO 27001 Control 5.9 is not about creating a beautiful list for an auditor; it is about giving your organisation a clear picture of what matters, who is responsible, and how those assets are being protected in practice.
