Annex A · Organisational Control

A.5.9 — Inventory of Information and Other Associated Assets

5 min read · Reviewed by: Cenedril Editorial
Tags: A.5.9 · ISO 27001 · ISO 27002 · BSI 200-2

The organisation’s risk assessment identifies 40 risk scenarios, but nobody can say with certainty how many servers are running, which cloud services are in use or who owns the customer database. Risk assessment without asset visibility is guesswork. A.5.9 requires a complete, current and owned inventory of information assets as the foundation for all subsequent security measures.

You cannot protect what you do not know exists. The asset inventory is the single source of truth that links risk assessments, classification, access control and business continuity planning to the real world.

What does the standard require?

  • Identify all information assets. The organisation must identify all assets relevant to information security — information, software, hardware, services, people, locations and supporting infrastructure.
  • Assign ownership. Every asset must have a designated owner who is accountable for its lifecycle: from acquisition through classification and protection to disposal.
  • Maintain the inventory. The inventory must be kept current. New assets are added when acquired, decommissioned assets are removed, and changes (location, owner, classification) are reflected promptly.
  • Support risk management. The asset inventory provides the input for risk assessment — assets are the objects that threats act upon and that controls protect.

In practice

Start with what you know. Use existing sources — CMDB, procurement records, network scans, software licence management, floor plans — to build the initial inventory. A workshop with department heads fills gaps that automated tools miss, particularly for information assets and personnel knowledge.

Automate discovery where possible. Network scanning tools and IT asset management systems can continuously detect hardware and software on the network. Automated discovery reduces manual effort and catches shadow IT — systems deployed without IT involvement.

Link ownership to job roles. Tie asset ownership to organisational roles rather than named individuals. When someone leaves, ownership transfers automatically with the role. Document this in the RACI matrix and the HR processes.

Integrate with change management. Every change request (new system, decommissioning, migration) should trigger an inventory update. This turns the inventory from a periodic snapshot into a living register.

Typical audit evidence

Auditors typically expect the following evidence for A.5.9:

  • Asset inventory — comprehensive register of all information assets with owner, type, location and classification
  • Ownership records — evidence that every asset has an assigned and acknowledged owner
  • Inventory review records — documentation of periodic reviews confirming the inventory’s completeness and accuracy
  • Automated discovery reports — output from network scanning or asset management tools showing detected assets
  • Change management records — showing that asset acquisitions and decommissions triggered inventory updates

KPI

% of information assets recorded in a current and complete asset inventory

This KPI measures inventory completeness. Target: 100% of known assets are registered. In practice, reaching 100% requires both automated discovery and manual validation. Track the gap between discovered assets and registered assets as a maturity indicator.

Supplementary KPIs:

  • Percentage of assets with a confirmed and acknowledged owner
  • Number of unregistered assets discovered during audits or scans
  • Average time between asset acquisition and inventory registration
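The guidance above to automate discovery and to track the gap between discovered and registered assets, together with the supplementary KPIs, comes down to a reconciliation of two lists: what the scanner sees and what the register holds. The script below is an added example and is not code from the original page or from Cenedril. The asset register, the discovery output and the field names (asset_id, owner, acquired, registered) are constructed sample data and assumptions about how a register might be structured; a real deployment would read them from the CMDB and the scanning tool.

```python
"""Reconcile automated discovery output against the asset register and
compute A.5.9 coverage KPIs.

Added example, not from the original page. All records below are
constructed sample data; the record layout is an assumption.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RegisteredAsset:
    asset_id: str
    asset_type: str
    owner: Optional[str]   # an organisational role, not a named person
    acquired: date         # date the asset entered the organisation
    registered: date       # date it was entered into the inventory


# Constructed sample: extract from the formal asset register (CMDB).
REGISTER = [
    RegisteredAsset("srv-web-01", "server", "Web Platform Lead",
                    date(2024, 1, 10), date(2024, 1, 12)),
    RegisteredAsset("srv-db-01", "server", "Data Platform Lead",
                    date(2024, 2, 1), date(2024, 2, 15)),
    RegisteredAsset("lap-0042", "laptop", None,          # owner never confirmed
                    date(2024, 3, 5), date(2024, 3, 5)),
    RegisteredAsset("saas-crm", "cloud service", "Sales Operations",
                    date(2023, 11, 20), date(2023, 12, 4)),
]

# Constructed sample: identifiers reported by an automated network scan.
# Cloud services do not appear here, which is exactly the gap that the
# manual workshop is meant to close.
DISCOVERED = {"srv-web-01", "srv-db-01", "lap-0042", "srv-test-07", "nas-marketing"}


def reconcile(register, discovered):
    """Return (discovered-but-unregistered, registered-but-not-discovered).

    The first list is the shadow-IT candidate list; the second is either
    assets outside the scanner's reach (cloud, information assets) or
    assets that were decommissioned without an inventory update.
    """
    registered_ids = {a.asset_id for a in register}
    unregistered = sorted(discovered - registered_ids)
    not_seen = sorted(registered_ids - discovered)
    return unregistered, not_seen


def kpi_report(register, discovered):
    """Compute the main KPI (% of known assets registered) and the
    supplementary KPIs named on the page."""
    unregistered, not_seen = reconcile(register, discovered)
    registered_ids = {a.asset_id for a in register}
    # "Known" assets = everything either registered or discovered.
    known = registered_ids | discovered
    if not known or not register:
        # Empty inputs: report zero coverage rather than divide by zero.
        return {"coverage_pct": 0.0, "owner_pct": 0.0, "unregistered_count": 0,
                "unregistered": [], "registered_not_discovered": [],
                "avg_registration_lag_days": 0.0}
    with_owner = sum(1 for a in register if a.owner)
    lag_days = [(a.registered - a.acquired).days for a in register]
    return {
        "coverage_pct": round(100.0 * len(registered_ids) / len(known), 1),
        "owner_pct": round(100.0 * with_owner / len(register), 1),
        "unregistered_count": len(unregistered),
        "unregistered": unregistered,
        "registered_not_discovered": not_seen,
        "avg_registration_lag_days": sum(lag_days) / len(lag_days),
    }


if __name__ == "__main__":
    for key, value in kpi_report(REGISTER, DISCOVERED).items():
        print(f"{key}: {value}")
```

Two design points worth noting. The coverage denominator is the union of registered and discovered assets, so a scanner that finds a new host immediately lowers the KPI instead of leaving it at a flattering 100% of the register alone. And the "registered but not discovered" list is deliberately kept separate rather than treated as an error: a cloud service such as the sample saas-crm will never show up in a network scan, so that list tells you which part of the inventory depends on the manual validation the page describes.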

BSI IT-Grundschutz

A.5.9 maps to a broad set of BSI requirements across different asset types:

  • BSI-Standard 200-2 Chapter 8.1 (Structural analysis) — requires identification of all business-relevant information, applications, IT systems, networks and locations.
  • ORP.1.A2 and ORP.1.A8 (Resource management) — mandates documentation of all resources and their responsible persons.
  • OPS.1.1.1.A6 (Documentation of IT systems) — requires a current register of all operated IT systems.
  • APP.6.A9 (Software inventory) — requires a complete inventory of all software in use.
  • IND.1.A4 (Asset inventory for industrial systems) — extends asset management requirements to operational technology.
  • NET.1.1.A2 (Network documentation) — requires documentation of the network topology and all connected components.
  • INF.11.A5 (Inventory of vehicles and mobile assets) — covers assets that are physically mobile.

A.5.9 is the foundation for asset-centric security:

Sources

Frequently asked questions

What counts as an information asset?

Anything that holds value for the organisation in terms of information security: data and databases, software applications, hardware (servers, laptops, network equipment), network infrastructure, cloud services, physical locations (server rooms, offices), personnel with critical knowledge, and documentation (contracts, policies, procedures).

What does asset ownership mean in ISO 27001?

The asset owner is the person or organisational unit accountable for the asset's lifecycle management and protection. Ownership does not imply legal property rights; it means accountability for ensuring the asset is inventoried, classified, protected and eventually disposed of properly.

How often must the asset inventory be updated?

ISO 27001 does not prescribe a frequency. Best practice is to review the inventory at least annually and to update it whenever assets are acquired, modified, moved or decommissioned. Linking the inventory to procurement and change management processes keeps it current automatically.