The basics
ISO 27001 control A.5.9 Inventory of information and other associated assets requires companies to develop a list of their assets and define owners of those assets. This way, a company can define more precisely who is in charge of which assets and what level of security each type of asset needs.
Documentation
ISO 27001 control A.5.9 Inventory of information and other associated assets can be documented:
- for smaller companies – through the Risk Register
- for mid-sized and larger companies – through an Inventory of Assets
These documents are not mandatory but are recommended.
Other documents that could mention control A.5.9 are as follows:
- Asset Management Procedure
- Procedure for Return of Assets
- Mobile Device and Remote Work Policy
- Clear Desk and Clear Screen Policy
- Procedure for Security of Assets Off-site
- Procedure for Secure Handling of Storage Media
- Bring Your Own Device (BYOD) Policy
Implementation
In order to comply with control A.5.9 Inventory of information and other associated assets you might implement the following:
- Technology — the technology to enable the inventory of information and associated assets may vary from simple electronic spreadsheets for small companies to complex inventory management systems for bigger companies.
- Organization/processes — you should set up a process for defining who is responsible for inventorying information and assets, the inventory schema to be used, and how inventory information is going to be kept up to date. You can document those processes through an Information Classification Policy or the Security Procedures for IT Department.
- People — make employees aware of why keeping an inventory of assets is needed, and train asset owners on how to fill it in and keep it updated.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.9 Inventory of information and other associated assets: whether a list of assets and their owners has been defined.
These are the things the auditor will be looking for; if they are not found, this is considered a nonconformity.