Inventory of Information and Other Associated Assets - ISO 27001 Annex A Control
You cannot protect what you have not identified. The information assets register is the foundation that most other Annex A controls rely on - classification, access control, supplier relationships, retention and deletion all need a clear picture of what assets exist and who is responsible for them.
The control covers more than just databases or files. Information assets include the data the organisation holds, the systems and applications that process it, the physical media it sits on, the documentation and processes around it, and the people who carry knowledge that the organisation depends on. Each asset needs an identified owner, who is accountable for its protection.
The inventory does not have to be exhaustively granular. The point is to have a record at a useful level of detail - enough that controls can be applied to it consistently, but not so detailed that the register becomes impossible to maintain. Most organisations group assets sensibly and record types of information rather than every individual record.
We started with the obvious things - customer database, finance systems, HR records, key documents. Then we worked outwards to less obvious things like the file shares, the email archive and the backup media. The register is not perfect but it is good enough that we can answer the question of what we hold and where.
The owner column is the one that does the work. Once an asset has a named owner, that person becomes accountable for classification, access reviews and retention. Without owners, things drift.
Practical Compliance Guidance
The information assets register sits at the heart of the information security management system. The IMS1 manual covers asset management at section 8.2, with the register itself maintained as a separate document.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| F-IMS25 Information Assets Register | The register where information assets are listed with classification, protection arrangements and named owner. Update when assets are added, removed or change ownership. |
Note - all the above files can be downloaded with an alphaZ subscription.
