ISO 27001:2022 A.5.9 Inventory of information and other associated assets

This article provides additional information on how you can meet the requirement of ISO 27001:2022 control A.5.9, Inventory of information and other associated assets.

ISO 27001:2022 Control Description

An inventory of information and other associated assets, including owners, shall be developed and maintained.

Purpose

To identify the organisation’s information and other associated assets in order to preserve their information security and assign appropriate ownership.

Guidance on implementation

The organisation should identify its information and other associated assets and determine their importance in terms of information security. Documentation should be maintained in dedicated or existing inventories as appropriate.

The inventory of information and other associated assets should be accurate, up to date, consistent, and aligned with other inventories. Options for ensuring the accuracy of an inventory of information and other associated assets include:

a) Conducting regular reviews of identified information and other associated assets against the asset inventory;

b) Automatically enforcing an inventory update during the process of installing, changing, or removing an asset.

The location of an asset should be included in the inventory where appropriate.

The inventory does not need to be a single list of information and other associated assets. Considering that the inventory should be maintained by the relevant functions, it can be viewed as a set of dynamic inventories, such as inventories for information assets, hardware, software, virtual machines (VMs), facilities, personnel, competence, capabilities, and records.

Each asset should be classified in accordance with the classification of the information associated with that asset.

The granularity of the inventory of information and other associated assets should be at a level appropriate for the needs of the organisation. Sometimes, specific instances of assets in the information life cycle are not feasible to document due to the nature of the asset. An example of a short-lived asset is a VM instance whose life cycle can be of short duration.

Ownership

For the identified information and other associated assets, ownership should be assigned to an individual or a group, and the classification should be identified (see A.5.12, A.5.13). A process to ensure timely assignment of asset ownership should be implemented. Ownership should be assigned when assets are created or when assets are transferred to the organisation. Asset ownership should be reassigned as necessary when current asset owners leave or change job roles.

Owner Duties

The asset owner should be responsible for the proper management of an asset throughout its entire life cycle, ensuring that:

a) Information and other associated assets are inventoried;

b) Information and other associated assets are appropriately classified and protected;

c) The classification is reviewed periodically;

d) Components supporting technology assets are listed and linked, such as databases, storage, software components, and sub-components;

e) Requirements for the acceptable use of information and other associated assets (see A.5.10) are established;

f) Access restrictions correspond with the classification, are effective, and are reviewed periodically;

g) Information and other associated assets, when deleted or disposed of, are handled securely and removed from the inventory;

h) They are involved in the identification and management of risks associated with their asset(s);

i) They support personnel who have the roles and responsibilities of managing their information.

Other Information

Inventories of information and other associated assets are often necessary to ensure the effective protection of information and may be required for other purposes, such as health and safety, insurance, or financial reasons. Inventories of information and other associated assets also support risk management, audit activities, vulnerability management, incident response, and recovery planning.

Tasks and responsibilities can be delegated (e.g., to a custodian looking after the assets on a daily basis), but the person or group who delegated them remains accountable.

It can be useful to designate groups of information and other associated assets that work together to provide a particular service. In this case, the owner of this service is accountable for the delivery of the service, including the operation of its assets.