The asset register documents every information asset your organisation owns or relies on — from servers and applications to databases, business processes, and physical sites. Without this inventory, risk analysis has no foundation, because you can only protect what you know about.
ISO 27001 Control A.5.9 requires an up-to-date inventory of information assets with clear ownership. BSI IT-Grundschutz demands a comparable structural analysis as the first step toward determining protection requirements.
What does it contain?
The CSV template provides an audit-ready yet manageable asset inventory. Key columns:
- Asset ID and name — unique identifier and a human-readable label
- Category — hardware, software, data, process, personnel, site
- Owner — named individual, with role and organisational unit
- Classification — confidentiality, integrity, and availability on a defined scale (e.g. low / medium / high)
- Location — where does the asset reside physically or logically?
- Dependencies — which other assets or services depend on it?
How to use it
Initial population in a workshop. Invite representatives from IT, business departments, and senior management. Three hours are enough for the first version. Each person names the information assets in their area of responsibility, assigns a category, and estimates the protection requirement. The result is a working document with 30–80 entries (depending on organisation size).
Lifecycle maintenance. Tie the asset register to your change management process. Every new acquisition, decommissioning, or ownership change triggers an update. Once a year, review completeness during the management review — you will typically find orphaned entries whose owner left the organisation long ago.
Link to risk analysis. Every row in the asset register is assessed for threats and vulnerabilities during risk analysis. The cleaner the inventory, the more efficient the analysis. Gaps in the register mean blind spots in your risk landscape.
| ID | Asset Name | Type | Category | Owner | Custodian | Location | Classification | Criticality | Environment | Description | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| AST-001 | Customer database (prod) | Information | Database | Head of Sales | IT Operations | AWS eu-central-1 | Confidential | High | Production | Primary customer record store (PostgreSQL 15) | Active |
| AST-002 | Logistics portal (SaaS) | Application | SaaS | Head of Ops | Vendor | Vendor cloud | Confidential | High | Production | Customer-facing logistics tracking portal | Active |
| AST-003 | M365 tenant | Service | Cloud | ISO | IT Operations | Microsoft cloud EU | Internal | High | Production | Email collaboration and file storage | Active |
| AST-004 | File server FS-01 | Hardware | Server | IT Operations Lead | IT Operations | HQ Hamburg DC | Confidential | High | Production | On-prem SMB file share | Active |
| AST-005 | Domain controllers DC01 DC02 | Hardware | Server | IT Operations Lead | IT Operations | HQ Hamburg DC | Confidential | Critical | Production | Active Directory domain controllers | Active |
| AST-006 | Laptops (fleet) | Hardware | Endpoint | IT Operations Lead | IT Operations | Distributed | Internal | Medium | Production | 145 managed Windows + macOS laptops | Active |
| AST-007 | ERP system | Application | On-prem | CFO | IT Operations | HQ Hamburg DC | Confidential | High | Production | SAP Business One | Active |
| AST-008 | Backup system Veeam | Application | On-prem | IT Operations Lead | IT Operations | HQ Hamburg DC + offsite | Confidential | Critical | Production | Central backup with offsite replication | Active |
| AST-009 | SIEM (Splunk) | Application | On-prem | ISO | IT Operations | HQ Hamburg DC | Confidential | High | Production | Log aggregation and detection | Active |
| AST-010 | Firewall cluster FW-01/02 | Hardware | Network | IT Operations Lead | IT Operations | HQ Hamburg DC | Confidential | Critical | Production | Perimeter firewall HA pair (Fortinet) | Active |
| AST-011 | VPN gateway | Hardware | Network | IT Operations Lead | IT Operations | HQ Hamburg DC | Confidential | High | Production | Remote access gateway | Active |
| AST-012 | S3 bucket nwl-marketing | Information | Cloud storage | Marketing Lead | IT Operations | AWS eu-central-1 | Internal | Medium | Production | Marketing assets (public-read disabled) | Active |
| AST-013 | CI/CD pipeline (GitLab) | Application | On-prem | Head of Engineering | IT Operations | HQ Hamburg DC | Confidential | High | Production | Source control and build pipeline | Active |
| AST-014 | Mobile phones (fleet) | Hardware | Endpoint | IT Operations Lead | IT Operations | Distributed | Internal | Medium | Production | 38 managed iOS devices | Active |
| AST-015 | HR database (Personio) | Information | SaaS | HR Lead | Vendor | Personio EU | Confidential | High | Production | Employee master data | Active |
| AST-016 | Physical HQ building | Facility | Building | Facilities Lead | Facilities | Hamburg | Internal | High | Production | Main office 1200 sqm + server room | Active |
| AST-017 | Payroll data | Information | File | HR Lead | HR | Personio + local archive | Strictly Confidential | High | Production | Monthly payroll records | Active |
| AST-018 | Contract archive | Information | File | Legal | Legal | M365 SharePoint | Confidential | Medium | Production | Signed contracts | Active |
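
The yearly completeness review described under "Lifecycle maintenance" can be partly automated against a CSV export of the register. The script below is an added example, not part of the template: it assumes the column names of the table above, treats the classification and criticality values seen in the sample rows as the allowed scale, and compares owners against a hypothetical roster of currently staffed roles (`ROSTER`).

```python
import csv
import io

# Column names copied from the sample register on this page.
REQUIRED = ["ID", "Asset Name", "Type", "Category", "Owner", "Custodian",
            "Location", "Classification", "Criticality", "Environment",
            "Description", "Status"]
# Assumption: the allowed values are exactly those used in the sample rows.
CLASSIFICATIONS = {"Internal", "Confidential", "Strictly Confidential"}
CRITICALITIES = {"Medium", "High", "Critical"}


def check_register(csv_text, current_owners):
    """Return (asset_id, finding) tuples for rows that need attention."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [("-", "missing columns: " + ", ".join(missing))]
    findings, seen = [], set()
    for raw in reader:
        # Short rows yield None for absent cells; normalise to "".
        row = {c: (raw.get(c) or "").strip() for c in REQUIRED}
        aid = row["ID"] or "(no ID)"
        if aid in seen:
            findings.append((aid, "duplicate asset ID"))
        seen.add(aid)
        if not row["Owner"]:
            findings.append((aid, "no owner assigned"))
        elif row["Owner"] not in current_owners:
            findings.append((aid, "orphaned owner: " + row["Owner"]))
        if row["Classification"] not in CLASSIFICATIONS:
            findings.append((aid, "unknown classification: " + row["Classification"]))
        if row["Criticality"] not in CRITICALITIES:
            findings.append((aid, "unknown criticality: " + row["Criticality"]))
    return findings


# Constructed sample export (not real data); three of the four rows carry defects.
SAMPLE = """\
ID,Asset Name,Type,Category,Owner,Custodian,Location,Classification,Criticality,Environment,Description,Status
AST-001,Customer database (prod),Information,Database,Head of Sales,IT Operations,AWS eu-central-1,Confidential,High,Production,Primary customer record store,Active
AST-004,File server FS-01,Hardware,Server,,IT Operations,HQ Hamburg DC,Confidential,High,Production,On-prem SMB file share,Active
AST-013,CI/CD pipeline (GitLab),Application,On-prem,Head of Engineering,IT Operations,HQ Hamburg DC,Secret,High,Production,Source control,Active
AST-013,Test runner,Application,On-prem,CFO,IT Operations,HQ Hamburg DC,Internal,Medium,Production,Reused ID,Active
"""
# Hypothetical roster of roles that are currently staffed.
ROSTER = {"Head of Sales", "CFO"}

if __name__ == "__main__":
    for asset_id, finding in check_register(SAMPLE, ROSTER):
        print(asset_id, finding)
```

Feed the roster from HR or the identity directory so that owner departures surface as findings without waiting for the management review.
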
Sources
- ISO/IEC 27001:2022 Annex A, Control A.5.9 — inventory of information assets
- ISO/IEC 27002:2022 Section 5.9 — implementation guidance for asset inventory
- BSI IT-Grundschutz, Structural Analysis — identification of target objects as the basis for protection requirements analysis