Inventory management of information and associated assets
Keep an updated list of information and assets, specifying who owns and manages each.
Plain language
This control is about keeping a current and detailed list of all the important information and assets your organisation owns, like computers, data, and software. It's important because without it, you might lose track of who is responsible for what, which can lead to data breaches, misplaced technology, or lost information.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
An inventory of information and other associated assets, including owners, shall be developed and maintained.
Why it matters
If the asset inventory is incomplete and assets lack owners, systems and data are missed, leading to unmanaged risks, delayed patching and undetected compromise.
Operational notes
Update the asset register on change events; record owner, location and classification; integrate CMDB/ITSM discovery to reconcile and report inventory gaps.
Implementation tips
- The IT Manager should develop and maintain a comprehensive inventory of all information and assets. They can do this by listing every computer, software, database, and piece of data the organisation uses, noting who is responsible for each item.
- The Operations Manager should ensure this inventory is regularly updated. They should establish a procedure for updating the list whenever new equipment is bought, software is installed, or staff leave the organisation.
- The HR Department should assign ownership of each asset to individuals or teams. They can make a list assigning each piece of information or technology to someone responsible for its maintenance and security.
- The Compliance Officer should check that the inventory is correct and current by conducting regular reviews. They can compare the list with actual assets in the office and any recent purchases or disposals.
- The Board should ensure there is a process for reassigning asset ownership when people change roles or leave the organisation. This involves updating the inventory and ensuring the new owner is aware of their responsibilities.
- The IT Department should set up automated systems to help track changes in the inventory. For instance, when a server is restarted or new software is installed, these systems can automatically notify the inventory manager.
Audit / evidence tips
- Ask for the most recent asset inventory document. This document should list all information and associated assets along with their assigned owners.
- Good evidence will show that updates are timely and align with changes in the organisation’s assets.
- Ask to see the process or policy document regarding how asset changes are handled. This document should include procedures for adding, deleting, or transferring asset ownership.
- Ask for evidence of ownership assignment, such as emails or management system entries.
- Ask for log files or audit trails that show asset addition, modification, and removal processes were followed accurately.
Cross-framework mappings
How Annex A 5.9 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| ISM-1543 | ISM-1543 requires an authorised RF and IR device register for SECRET and TOP SECRET areas to be developed, maintained, and regularly veri... | |
| ISM-1869 | ISM-1869 requires an organisation to develop, implement, maintain and regularly verify a register of non-networked IT equipment | |
| ISM-2007 | ISM-2007 requires an authorised, maintained, and regularly verified register of approved medical devices for SECRET and TOP SECRET areas | |
| Partially overlaps (8) | | |
| ISM-0336 | Annex A 5.9 requires developing and maintaining an inventory of information and associated assets, including ownership | |
| ISM-1243 | Annex A 5.9 requires an inventory of information and associated assets, including ownership | |
| ISM-1493 | Annex A 5.9 requires developing and maintaining an inventory of information and associated assets, including owners | |
| ISM-1637 | Annex A 5.9 requires an organisation-wide inventory of information and associated assets with ownership | |
| ISM-1638 | Annex A 5.9 requires maintaining an inventory of information and associated assets with ownership | |
| ISM-1713 | Annex A 5.9 requires an inventory of information and associated assets, including ownership, to be developed and maintained | |
| ISM-1737 | Annex A 5.9 requires maintaining an inventory of information and associated assets, including ownership | |
| ISM-1966 | Annex A 5.9 requires maintaining an inventory of information and associated assets, including ownership | |
| Supports (4) | | |
| ISM-1071 | Annex A 5.9 requires developing and maintaining an inventory of information and associated assets, including identifying owners | |
| ISM-1525 | Annex A 5.9 mandates a maintained inventory of information and associated assets and their owners | |
| ISM-1551 | Annex A 5.9 requires developing and maintaining an inventory of information, associated assets, and owners | |
| ISM-2005 | Annex A 5.9 requires an accurate and maintained inventory of information and associated assets, including ownership | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.