ISO27001 – Control 5.9 – Inventory of information and other associated assets


An inventory of information and other associated assets, including owners, should be developed and maintained.

What this means

Organizations should develop and maintain an inventory of their information assets and other associated resources, including details about who owns each asset. The purpose is to identify all the organization’s important information and assets in order to properly secure them and assign clear ownership responsibilities. Ownership should be assigned when assets are created or when assets are transferred to the organization. Asset ownership should be reassigned as necessary when current asset owners leave or change job roles.

The inventory should be accurate, up-to-date, and consistent across the organization. This can be achieved through regular reviews and automated updates when assets are installed, changed, or removed. The inventory can be a set of dynamic lists for different asset types like information, hardware, software, facilities, personnel skills, and records.

Each asset in the inventory should be classified, as per your classification scheme, on the sensitivity of the associated information. The level of detail in the inventory should match the organization’s needs, though some short-lived assets may not need to be documented.

For each inventoried asset, an owner (individual or group user) should be assigned and identified. Owners (or users) are responsible for the full life cycle management of their assets, including:

  • Ensuring assets are inventoried and appropriately classified/protected
  • Reviewing classifications periodically
  • Listing all components that support technology assets
  • Complying with acceptable use policies
  • Controlling access restrictions based on classification
  • Secure deletion/disposal of assets
  • Risk management for their assets
  • Supporting personnel managing the information

Asset inventories are necessary for the effective protection of business information, however they may be required for other purposes such as health and safety, insurance, audits, vulnerability management, and incident response planning. While tasks can be delegated, the designated owner remains accountable.

The most common asset register is that required for devices such as desktops, PC’s, and mobile phones. For each device there should be information about the device, make, model, memory, as well as the asset owner (who has the device been assigned to). The asset register can be a simple spreadsheet or use specific software designed for the purpose.

If you want to talk about information security in your organisation then please book a free call here or email us here