The asset register is one of those ISO 27001 requirements that sounds straightforward but often catches organisations out in the audit. Either it’s too high-level to be useful, or it’s so granular that it becomes impossible to maintain.
Virtually everyone assumes it’s just about tracking laptops, desktops, phones, etc. It’s more than that. It includes ‘Information Assets’ (your data).
This guide explains what an ISO 27001 asset register needs to contain, how to build one that works in practice, and the common mistakes to avoid.
What Is an ISO 27001 Asset Register?
An asset register (sometimes called an information asset register or asset inventory) is a documented list of the information assets your organisation holds, along with key details for each.
It’s required by Annex A control 5.9 of ISO/IEC 27001:2022 (Inventory of information and other associated assets), which requires that an inventory of information and other associated assets, including their owners, is developed and maintained.
The register serves two purposes: it helps you understand what you have (so you can protect it), and it gives auditors the evidence they need to verify that you know your own information landscape.
What Counts as an Information Asset?
This is where many organisations get confused. “Asset” in ISO 27001 means more than just laptops and servers. Control 5.9 requires an inventory of all information and other associated assets, and those assets fall into five main categories:
Physical assets
- Laptops & desktops
- Servers
- Mobile devices
- Printers & scanners
- Network equipment
- Removable media
- Office premises
Information assets
- Customer data
- Employee records
- Financial data
- Contracts & legal docs
- Intellectual property
- ISMS documentation
- Backup data
Software assets
- Operating systems
- Business applications
- Security software
- Databases
- Development tools
- Source code
- Licences
Services
- Cloud platforms
- SaaS applications
- Internet & connectivity
- Email & collaboration
- Managed IT services
- Data centres
- Payment processing
People
- Key personnel
- Roles & skills
- Contractors
- Third-party staff
- Knowledge holders
- Security contacts
You don’t need to include every single item. The register should cover assets that are material to your ISMS scope — the things that, if compromised, would have a meaningful impact on your business or your clients.
What Information Should the Register Capture?
For each asset, the register should capture:
- Asset name — what is it? (e.g. “Customer CRM database”, “Staff laptops”, “Microsoft 365 subscription”)
- Asset type — physical, information, software, service, or people (the categories above)
- Description — a brief note on what the asset contains or does
- Owner — who is responsible for the asset? This should be a named individual, not a team or department.
- Classification — how sensitive is the information? (e.g. Confidential, Internal, Public — using whatever classification scheme you’ve defined)
- Location — where is the asset held? (e.g. Azure UK South, on-premises server room, staff home offices)
- Risk level — a high-level indication of the risk associated with this asset, usually derived from your risk assessment
- Applicable controls — a reference to the controls in place to protect the asset
Some organisations also include:
- The legal basis for holding the data (relevant for GDPR)
- Retention period (how long you keep it)
- Disposal method
How Granular Should You Go?
This is the question that most often trips people up, and the answer matters more than people realise.
The key principle is this: you need to know what you have, who’s responsible for it, and where it is.
Without that, you can’t manage risk, you can’t respond to incidents, and you can’t demonstrate control to an auditor.
For physical devices in particular, individual-level tracking isn’t optional — it’s essential. If John Smith leaves and you don’t know which laptop was his, you can’t verify that it’s been returned, wiped, or decommissioned. That’s not a documentation problem, it’s a security problem. Individual devices — laptops, phones, tablets — should be recorded individually with an assigned user or location.
Where you can afford to be less granular is with asset classes that don’t carry individual risk profiles. Some examples of the right and wrong level of detail:
- “Staff laptops (Windows 11) — 12 devices, each assigned to a named user” — right level
- “Microsoft 365 (Teams, Exchange, SharePoint, OneDrive)” — right level
- “Each individual SharePoint site” — too granular for most ISMSs
- “Laptops — general pool” with no user assignment — not enough
The test is: if a security incident occurred, or an employee left tomorrow, would this register tell you everything you need to know to respond? If yes, the granularity is right. If you’d have to go hunting for basic information, you need more detail.
For most small organisations, the practical approach is to track physical devices individually, cloud services and software at the system level, and information assets by category — then link each to a named owner.
Who Should Own Each Asset?
Asset ownership is a crucial and misunderstood aspect of the register.
Every asset should have a named owner. The owner is responsible for:
- Ensuring the asset is appropriately protected
- Approving changes to how the asset is used or accessed
- Making decisions about risk acceptance for that asset
- Keeping the register entry accurate
In small organisations, one person might own many assets. That’s fine. What’s not fine is having no named owner — auditors will flag this.
Avoid making the IT team or the “IT manager” the default owner of every asset.
Business-owned data (customer records, financial data) should be owned by business people. The CRM database isn’t an IT asset — it’s a sales or operations asset that IT happens to manage.
Building the Register: A Step-by-Step Approach
Step 1: Define the scope
Before you start listing assets, confirm which parts of your business are in scope for the ISMS. Assets outside the scope don’t need to be in the register, but be careful with shared dependencies: a file server or identity provider that in-scope services rely on is part of your information landscape even if the team that runs it sits outside the scope.
Step 2: Brainstorm with asset owners
Don’t try to build the register alone. Run short conversations with the heads of each business function — sales, operations, finance, HR, IT — and ask: “What information do you use, create, or store in your work?” You’ll uncover assets you hadn’t thought of.
Step 3: Map data flows
Understanding how information flows through your organisation helps you spot assets you might have missed. Trace a piece of customer data from initial contact to disposal — where does it go? What systems touch it?
You might think this is overkill, but knowing it really matters if you have a complex business and a lot of data. In a smaller business you may simply know it already, but it doesn’t hurt to write it down.
Step 4: Categorise and classify
Once you have a list, categorise each entry (physical, information, software, service, or people) and apply your classification scheme. This is also when you assign owners.
Step 5: Link to your risk assessment
The asset register and the risk assessment are closely linked. Once your register is built, use it to inform which assets you consider in your risk assessment. The risks you identify will, in turn, tell you what controls you need.
Step 6: Review and maintain
The register is a living document. Set a schedule to review it — at minimum annually, or whenever a significant change happens (new system, new supplier, new office). Outdated asset registers are a common audit finding.
Common Mistakes to Avoid
- No named owners. Every asset must have a named individual responsible for it.
- IT assets only. Non-IT staff often have information assets — printed records, shared drives, client files — that don’t appear in IT-led asset inventories. Make sure you’ve captured the full picture.
- Never reviewing it. An asset register from three years ago that hasn’t been updated is worse than no register — it may actually mislead you about what you hold.
- Confusing the register with an ITAM database. Asset management tools are useful but serve a different purpose. Your ISO 27001 register should cover information assets across the business, not just hardware managed by IT.
- Classifying everything as “Confidential.” If everything is equally sensitive, the classification is meaningless. Be honest about what’s actually sensitive and what’s genuinely low-risk.
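A register only stays useful if someone checks it against the mistakes above and against the risk assessment it feeds (Step 5). The script below is an added example, not code from this page or from the toolkit: it runs those checks over a small constructed asset register and risk register held as CSV text. The column names, the two sample registers, the owner placeholders treated as “not a named person”, the 365-day review age, the “one class covers 80% or more of assets” threshold and the keywords used to spot user-assigned devices are all assumptions you would adapt to your own register.

```python
"""Consistency checks for an ISO 27001 asset register (added example).

Assumed inputs: two CSV exports, one for the asset register and one for the
risk assessment, with the columns shown in the constructed samples below.
Nothing here reflects the layout of any particular toolkit template.
"""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample register (not real organisation data).
REGISTER_CSV = """\
asset_id,name,type,owner,classification,location,assigned_user,last_reviewed
A-001,Customer CRM database,information,Jane Doe,Confidential,Azure UK South,,2025-03-01
A-002,Staff laptop LT-0412,physical,Jane Doe,Internal,Home office,John Smith,2025-03-01
A-003,Staff laptop LT-0413,physical,IT Team,Internal,Head office,,2022-01-15
A-004,Microsoft 365,service,Sam Lee,Confidential,Cloud (SaaS),,2025-03-01
A-005,Employee records,information,,Confidential,SharePoint HR,,2025-03-01
A-006,Office Wi-Fi controller,physical,Sam Lee,Confidential,Head office,,2025-03-01
"""

# Constructed sample risk register. R-03 deliberately points at an asset
# that is not in the register.
RISKS_CSV = """\
risk_id,asset_id,description
R-01,A-001,Unauthorised access to CRM data
R-02,A-002,Lost or stolen laptop
R-03,A-099,Ransomware on file server
R-04,A-004,Account compromise via phishing
R-05,A-006,Unauthorised network access
"""

# Assumed placeholders that are not a named individual (compared lower-case).
GENERIC_OWNERS = {"", "it", "it team", "it manager", "tbc", "n/a"}
# Assumed name fragments that mark a device issued to one person.
USER_DEVICE_KEYWORDS = ("laptop", "phone", "tablet", "mobile")


def load(csv_text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def classification_warning(assets, threshold=0.8):
    """Return the dominant label if one class covers >= threshold of assets, else None."""
    if len(assets) < 3:
        return None
    label, count = Counter(a["classification"] for a in assets).most_common(1)[0]
    return label if count / len(assets) >= threshold else None


def devices_for_user(assets, user):
    """Asset IDs of user-assigned devices to recover when `user` leaves (JML trigger)."""
    return [a["asset_id"] for a in assets if a["assigned_user"].strip() == user]


def check_register(assets, risks, today, max_age_days=365):
    """Return (reference, message) findings for the mistakes an auditor would flag."""
    findings = []
    asset_ids = {a["asset_id"] for a in assets}
    risk_asset_ids = {r["asset_id"] for r in risks}

    for a in assets:
        aid = a["asset_id"]
        if a["owner"].strip().lower() in GENERIC_OWNERS:
            findings.append((aid, "no named individual owner"))
        is_user_device = a["type"].strip().lower() == "physical" and any(
            k in a["name"].lower() for k in USER_DEVICE_KEYWORDS)
        if is_user_device and not a["assigned_user"].strip():
            findings.append((aid, "user device with no assigned user"))
        if (today - date.fromisoformat(a["last_reviewed"])).days > max_age_days:
            findings.append((aid, "review overdue"))
        if aid not in risk_asset_ids:
            findings.append((aid, "no risk assessed against this asset"))

    # The other direction of the register/risk link: risks pointing nowhere.
    for r in risks:
        if r["asset_id"] not in asset_ids:
            findings.append((r["risk_id"], f"risk references unknown asset {r['asset_id']}"))

    label = classification_warning(assets)
    if label:
        findings.append(("register", f"classification not discriminating: mostly {label}"))
    return findings


if __name__ == "__main__":
    assets, risks = load(REGISTER_CSV), load(RISKS_CSV)
    # Fixed review date so the output is stable (an assumption for the demo).
    for ref, msg in check_register(assets, risks, today=date(2025, 6, 1)):
        print(f"{ref}: {msg}")
    print("Devices to recover from John Smith:", devices_for_user(assets, "John Smith"))
```

Against the sample data this flags the laptop owned by “IT Team” four times (no named owner, no assigned user, review overdue, no risk assessed), the employee records twice (no owner, no risk), and R-03 for pointing at an asset that is not in the register; the CRM, the assigned laptop and Microsoft 365 pass cleanly. Run the same checks over exports from your own registers before the annual review and before an audit.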
Free Templates
The ISO 27001 toolkit includes a pre-built asset register template in Excel, aligned to ISO/IEC 27001:2022. It’s formatted with all the right columns, includes worked examples, and links to the other registers and documents in the toolkit.
You can also read more about Control 5.9 for a deeper look at what the standard specifically requires from this control.
FAQs
Does every laptop need its own entry in the asset register?
For physical devices like laptops, phones, and tablets — yes. Knowing that you have twelve laptops isn’t enough; you need to know which device is assigned to which person. If an employee leaves and you can’t identify which laptop was theirs, you can’t verify it’s been returned and wiped. That’s not a documentation gap, it’s a security gap. Individual device tracking is essential. Where you can be less granular is with software and services — “Microsoft 365” as a single entry is perfectly appropriate, rather than listing every mailbox or SharePoint site.
How do we keep the asset register up to date?
Build a review trigger into your onboarding and offboarding processes (Joiners/Movers/Leavers) — every time a device is issued or returned, the register should be updated. Beyond that, set a formal annual review where asset owners confirm their entries are still accurate, and review it whenever something significant changes: a new system, a new supplier, a new office location, or a major project that introduces new data flows. Outdated registers are one of the most common findings in certification audits.
Who should own assets in the register — IT or the business?
Both, depending on the asset. The default instinct is to make IT the owner of everything, but that’s usually wrong. Customer records are owned by sales or operations. Financial data is owned by finance. HR data is owned by HR. IT manages the systems that hold the data, but the business function that uses and is accountable for the data should be the named owner. This matters because the owner is responsible for risk decisions, access approvals, and keeping the register entry accurate — those are business decisions, not purely IT ones.
What’s the difference between an asset register and an IT asset management database?
An IT asset management (ITAM) database tracks hardware and software for operational purposes — warranty dates, licence counts, hardware specs. An ISO 27001 asset register is broader: it covers information assets (the data itself), services, and people knowledge, not just physical hardware. The two can complement each other, but they serve different purposes. Your ITAM tool might be a useful source of data for the physical assets section of your register, but it won’t cover the rest of what ISO 27001 requires.
Does the asset register need to link to the risk assessment?
Yes — and this is where the register earns its value. The asset register tells you what you have; the risk assessment uses that information to identify what could go wrong with each asset and what controls are needed. If your register and risk assessment aren’t connected, you may end up with risks that reference assets that don’t exist in the register, or assets in the register that haven’t been considered in the risk assessment. Build the register first, then use it as the foundation for your risk assessment.
