March 25, 2024

ISO 27001:2022 Annex A Control 5.9: Inventory of Information and Other Associated Assets

Annex 5.9 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 8.1.1 and ISO 27001:2013 Annex 8.1.2.

Annex A 5.9 covers how an organisation’s inventory of information and other associated assets should be developed and maintained. The annex reflects an organisation’s need to understand what information assets it has in order to carry out activities securely.

What is an inventory of information assets?

An inventory of information assets (IA) is a comprehensive list of what an organisation stores, processes, or transmits, including the location and security controls for each item. The goal is to identify every single piece of data, acting as the data protection equivalent of financial accounting.

IAs are useful for identifying information security risks and vulnerabilities, and can be used as evidence during compliance audits, helping to avoid fines and penalties. The inventory should also include who owns and manages each asset, and information about the value of each asset, both in terms of finance and importance.

It is vital that inventories are kept up to date in order to reflect any changes within the organisation.

Why is Annex 5.9 important?

Annex 5.9 is designed to help organisations identify their information and other associated assets, with the goal of preserving information security and assigning appropriate ownership. It covers the control, purpose, and implementation of an inventory of information and other associated assets in line with the ISO 27001 framework.

Annex 5.9 asserts that organisations should categorise their information, identifying owners and documenting the controls that are or need to be in place.

Meeting the requirements of Annex 5.9

Annex 5.9 requires organisations to identify their information and other associated assets, and determine the importance of these items in terms of data security. Organisations will vary in their approach to creating an inventory, depending on their size, industry and the types of information they use.

The inventory of information and other assets should be up to date, consistent, accurate, and aligned with other inventories. It should also include the locations of assets. To achieve this, organisations can:

  • Conduct regular reviews of information and other associated assets against their IA.
  • Enforce an automatic inventory update while installing, changing or removing an asset.

Some organisations may require several inventories for different purposes, while others may have a single inventory.

How has control 5.9 changed from ISO 27001:2013?

ISO 27001:2022 combined the 57 controls of ISO 27001:2013 into 24 controls, and as such, control 5.9 is a combination of ISO 27001:2013 Annex A controls 8.1.1 and 8.1.2. The purpose of the old control 8.1.1 was to ensure that all assets are identified, documented, and reviewed, while 8.1.2 focused on making sure all information assets are under ownership.

Both of these annexes are similar to 5.9, but 5.9 has been expanded to be more user-friendly. The four points outlined in 8.1.2 have been expanded into nine points, which state that the asset owner should be responsible for the proper management of an asset during its whole life cycle, ensuring that:

  • All information and other assets are inventoried
  • Information and other assets are classified and protected
  • Classifications are reviewed periodically
  • Components supporting tech assets are listed and linked, including software components and sub-components
  • Requirements for the acceptable use of assets are established
  • Access restrictions correspond with classifications, and are regularly reviewed
  • Assets are handled in a secure manner when deleted or disposed of
  • Risks associated with assets are identified and managed
  • Personnel with responsibilities over information management are supported.