The ISO 27001 asset register: what auditors actually want
ISO 27001:2022 Annex A control 5.9 requires a maintained inventory of information and associated assets. This is the practical interpretation: what fields you need, the classification scheme that holds up under scrutiny, and the evidence pack the certification body will ask for.
If you're working through ISO 27001 certification or recertification, the asset register is one of the foundational artefacts. Almost every other control — access control (5.15), classification (5.12), backup (8.13), secure disposal (7.14), supplier management (5.20) — references it. Get it right and the rest is paperwork; get it wrong and you'll see findings throughout the audit.
What ISO 27001:2022 actually says
Control 5.9 (Inventory of information and other associated assets):
An inventory of information and other associated assets, including owners, should be developed and maintained.
The ISO 27002:2022 implementation guidance expands this. The register should:
- Cover information assets, software, hardware, services, and personnel that hold or process information.
- Be regularly reviewed and updated.
- Identify a named owner per asset.
- Reflect changes throughout the asset lifecycle (acquisition, modification, disposal).
- Be referenced by other controls — risk assessment, classification, access management.
The minimum fields per asset
| Field | Why it matters |
|---|---|
| Asset ID | Stable identifier referenced from risk treatment and other controls |
| Asset name / description | Human-readable, unambiguous |
| Asset type | Information, software, hardware, service, personnel |
| Owner | Named human, not a shared mailbox or "IT" |
| Custodian | Who operates day-to-day (may differ from owner) |
| Classification | Public / Internal / Confidential / Restricted (or your scheme) |
| Location | Physical or logical (region, datacentre, vendor) |
| Lifecycle stage | Procurement / In use / Decommissioning / Retired |
| Linked risks | Reference to entries in the risk register |
| Last reviewed | Date and reviewer |
The classification scheme
You don't have to use ours, but pick something explicit. A defensible four-tier scheme:
| Class | Definition | Examples |
|---|---|---|
| Public | Available externally without harm | Marketing materials, public website content |
| Internal | For employees and contractors only | Internal docs, project plans, org chart |
| Confidential | Sensitive; restricted to need-to-know | Customer data, financial records, employee data |
| Restricted | Highest sensitivity; few authorised parties | Source code with secrets, M&A docs, legal-privileged |
Each classification level should map to handling rules: how it can be transmitted, stored, shared, retained, and destroyed. The classification scheme document is itself audit evidence.
Categories of assets you need to capture
Information assets
Customer databases, employee records, financial data, intellectual property, source code, documentation. Tied to where they live (S3 bucket, Postgres database, Salesforce instance).
Software assets
SaaS subscriptions, licensed software, internally developed applications, libraries, operating systems. Each with version, license, owner.
Hardware assets
Laptops, servers, mobile devices, networking gear. Cross-reference the IT asset register that already exists for finance and lifecycle purposes — it is the same data presented to a different audience.
Service assets
Cloud services, third-party processors, payment processors, email providers. Many will overlap with software assets, but the lens is different (service availability, supplier risk).
Personnel assets
Roles with privileged access, key knowledge holders, custodians of sensitive data. This doesn't list every employee — only those whose role is itself a control point.
The evidence pack auditors ask for
- The asset register itself, with the fields above populated and last-reviewed dates within policy.
- The classification policy document.
- Sample of risk register entries that reference asset IDs from the register.
- Evidence of periodic review — emails, meeting minutes, version control showing the register has been updated.
- Joiner / mover / leaver evidence linking changes in personnel to asset record updates.
- Disposal evidence — for any retired asset in the period, the disposal certificate and the corresponding register update.
- Asset ownership confirmation — emails or system records showing each owner accepted accountability.
Where the findings come from
The most common ISO 27001 findings against control 5.9 are: (a) the register exists but isn't reviewed; (b) ownership is generic ("IT department" rather than a named person); (c) the register exists but isn't referenced by the risk register or other controls. Fix these three and you'll close most observations.
Practical tips
- One register, multiple views. Don't maintain a separate "ISO register" and "IT register". Use the same data model with views filtered by audience.
- Review cadence: quarterly minimum. Some companies review monthly; a longer interval is defensible only if changes are genuinely infrequent. Document the policy and stick to it.
- Automate joiner / leaver triggers. Manual updates rot. The register that survives is the one that's updated as a side effect of normal operations — IdP changes, procurement events, hardware shipments.
- Keep ownership current. Every reorg breaks ownership. Build a 90-day check that flags any owner whose role has changed.
- Don't over-engineer the classification scheme. Four levels is plenty. Companies with eight-level schemes find that nobody can remember them and assets get classified inconsistently.
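The three common findings listed above and the review-cadence tip can be checked mechanically before the auditor does it for you. The following is an added example, not InventorIA code: it runs a constructed CSV register (column names follow the field table above) against findings (a) stale review, (b) generic owner and (c) missing or dangling risk-register links. The 90-day review window, the list of "generic" owner names and the sample risk IDs are all assumptions.

```python
"""Added example: audit a small asset register for the common control 5.9 findings."""
import csv
import io
from datetime import date

REVIEW_MAX_DAYS = 90  # assumed policy: quarterly review cadence
# Assumed set of owner values that are not a named person.
GENERIC_OWNERS = {"", "tbd", "it", "it department", "ops", "security"}

# Constructed sample register (not real data). linked_risks is ';'-separated.
SAMPLE_REGISTER = """asset_id,name,owner,last_reviewed,linked_risks
A-001,Customer Postgres DB,jane.doe@example.com,2024-05-01,R-12;R-17
A-002,Payroll SaaS,IT department,2024-05-20,R-03
A-003,Office laptops,sam.lee@example.com,2023-11-02,
A-004,Public website,alex.kim@example.com,2024-06-01,R-21;R-99
"""
# Constructed IDs that exist in the risk register (R-99 deliberately absent).
SAMPLE_RISK_IDS = {"R-03", "R-12", "R-17", "R-21"}


def audit_register(csv_text, as_of_iso, risk_ids):
    """Return {asset_id: [finding codes]} for each asset with at least one issue.

    as_of_iso: audit date (YYYY-MM-DD); risk_ids: IDs present in the risk register.
    """
    as_of = date.fromisoformat(as_of_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        # (a) the register exists but isn't reviewed within the cadence
        last_reviewed = date.fromisoformat(row["last_reviewed"])
        if (as_of - last_reviewed).days > REVIEW_MAX_DAYS:
            issues.append("stale_review")
        # (b) ownership is a team or placeholder rather than a named person
        if row["owner"].strip().lower() in GENERIC_OWNERS:
            issues.append("generic_owner")
        # (c) no link to the risk register, or a link to a risk that doesn't exist
        linked = {r.strip() for r in row["linked_risks"].split(";") if r.strip()}
        if not linked or not linked <= risk_ids:
            issues.append("no_risk_link")
        if issues:
            findings[row["asset_id"]] = issues
    return findings


def run_sample():
    """Audit the constructed register as of a fixed date."""
    return audit_register(SAMPLE_REGISTER, "2024-06-15", SAMPLE_RISK_IDS)


if __name__ == "__main__":
    for asset_id, issues in run_sample().items():
        print(asset_id, ", ".join(issues))
```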
How InventorIA helps
InventorIA's data model maps directly onto the ISO 27001 asset register requirements. Owners are linked to identity records (so they're real people, not mailboxes). Classification fields are configurable. Lifecycle stages are tracked. Every change writes to an audit log. The certification-body export is a one-click download with all the linkage to risk and ownership the auditor will ask for.
An ISO-ready asset register, on day one
InventorIA's data model maps directly onto control 5.9. Free for 10 users.