- See ISO 27002:2022 Control 5.9 for more information.
- See ISO 27001:2013 Annex A 8.1.1 for more information.
- See ISO 27001:2013 Annex A 8.1.2 for more information.
ISO 27001 Annex A 5.9: A Guide to Managing Information Asset Inventories
ISO 27001:2022 Annex A Control 5.9 is named Inventory of Information and Other Associated Assets.
It requires organisations to identify and document the assets important to their operations and the associated risks, and take steps to protect them. This ensures assets are managed and monitored appropriately, helping to ensure they are secure.
Annex A of ISO 27001:2022 outlines Control 5.9, which explains how a list of information and related assets, along with their respective owners, must be created and kept up to date.
Inventory of Information Assets Explained
The organisation must acknowledge what it has access to in order to conduct its operations. It must be aware of its information assets.
A comprehensive IA is a crucial part of any organisation’s data security policy. It is an inventory of every item of data that is stored, processed, or transmitted, as well as the locations and security controls for each. It is essentially the financial accounting equivalent of data protection, allowing organisations to identify each piece of data.
An IA can be used to identify weaknesses in your security programme and provide info to assess cyber risks that might lead to a breach. It can also be evidence to demonstrate you have taken steps to identify sensitive data during compliance audits, which helps you evade fines and punishments.
The inventory of information assets should specify who owns and is responsible for each asset, as well as the value and importance of each item to the organisation’s operations.
It is crucial to maintain inventories current to ensure they accurately reflect changes within the organisation.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Why Do I Need an Inventory of Information Assets?
Information asset management has a long tradition in business continuity planning (BCP), disaster recovery (DR), and incident response preparation.
Identifying critical systems, networks, databases, applications, data flows and other components that require security is the first step in any of these processes. Without knowledge of what needs to be protected, and where it’s located, you can’t plan for how to protect it.
What Is The Purpose of ISO 27001:2022 Annex A Control 5.9?
The control aims to recognise the organisation’s information and associated assets to ensure information security and designate proper ownership.
Annex A of ISO 27001:2022 outlines Control 5.9, which outlines the purpose and implementation guidance to create an inventory of information and other assets in relation to the ISMS framework.
Take an inventory of all info and associated assets, classify into categories, identify owners and document existing/required controls.
This is a vital move to guarantee that all data belongings are adequately safeguarded.
What Is Involved and How to Meet the Requirements
To meet the criteria for ISO 27001:2022, you must identify the information and other associated assets within your organisation. After that, you should assess the significance of these items with respect to information security. If necessary, keep records in dedicated or existing inventories.
The size and complexity of an organisation, existing controls and policies, and the types of information and assets it uses will all have an effect on the development of an inventory.
Ensuring that the inventory of information and other associated assets is accurate, up-to-date, consistent and in-line with other inventories is key, as per Control 5.9. To guarantee accuracy, one can consider the following:
- Carry out systematic appraisals of listed info and related assets in accordance with the asset catalogue.
- During the process of installing, changing, or removing an asset, an inventory update will be automatically enforced.
- Include the whereabouts of an asset in the inventory if necessary.
Some organisations may need to keep multiple inventories for varying purposes. For instance, they may have specialised inventories for software licenses or physical devices such as laptops and tablets.
It is essential to periodically inspect all physical inventory which includes network devices such as routers and switches in order to maintain the accuracy of the inventory for risk management purposes.
For more information on fulfilling control 5.9, the ISO 27001:2022 document should be consulted.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Differences Between ISO 27001:2013 and ISO 27001:2022
In ISO 27001:2022, 58 controls from ISO 27001:2013 have been revised and a further 24 controls have been amalgamated. A new 11 controls have been added, while some deleted.
Therefore, you won’t find Annex A Control 5.9 – Inventory of Information and Other Associated Assets – in the 2013 version, as it is now a combination of ISO 27001:2013 Annex A 8.1.1 – Inventory of Assets – and ISO 27001:2013 Annex A 8.1.2 – Ownership of Assets – in the 2022 version.
Annex A of ISO 27001:2022 outlines Control 8.1.2, Ownership of Assets. This ensures all information assets are clearly identified and owned. Knowing who owns what aids in establishing which assets need protecting and who requires accountability.
ISO 27001:2013 and ISO 27001:2022 both have similar controls, however, Annex A Control 5.9 of the latter has been expanded to provide a more straightforward interpretation. For example, the implementation guidance on asset ownership in control 8.1.2 dictates the asset owner should:
- Ensure that all assets are accurately recorded in the inventory.
- Ensure that assets are classified and safeguarded suitably.
- Periodically review and define access restrictions and classifications for key assets, taking into account applicable access control policies.
- Ensure appropriate action is taken when the asset is disposed of or destroyed.
The ownership section of control 5.9 has been extended to include nine points, instead of the original four. Corrections have been made to spelling and grammar, and the tone has been changed to a professional, friendly style. Redundancy and repetition have been eliminated and the writing is now in an active style.
The asset owner should assume accountability for the suitable oversight of an asset throughout its life cycle, making sure that:
- All data and related resources are listed and documented.
- Ensure that all data, related assets, and other related resources are accurately classified and safeguarded.
- The classification is reviewed regularly to ensure its accuracy.
- Components that sustain technology assets are recorded and interrelated, including databases, storage, software components and sub-components.
- Requirements for the acceptable use of information and other associated assets are set out in 5.10.
- Access restrictions correspond with the classification and prove effective, reviewed periodically to ensure continual protection.
- Information and other associated assets are securely handled when deleted or disposed of, and removed from the inventory.
- They are responsible for identifying and handling the risks connected to their asset(s).
- They provide support to personnel who manage their information, taking on the roles and responsibilities associated with it.
Merging these two controls into one facilitates user understanding.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
What Do These Changes Mean For You?
The latest ISO 27001 changes do not affect your current certification against ISO 27001 standards. Only upgrades to ISO 27001 can have an effect on existing certifications. Accrediting bodies will work with the certifying bodies to devise a transition period that gives organisations with ISO 27001 certificates enough time to move from one version to the next.
These steps must be taken to meet the revised version:
- Ensure your business is meeting the latest regulation by examining the risk register and risk management procedures.
- The Annex A should be amended to reflect any alterations to the Statement of Applicability.
- Ensure your policies and procedures are up to date to abide by the fresh regulations.
During the transition to the new standard, we’ll have access to new best practices and qualities for control selection, enabling a more effective and efficient selection process.
You ought to persist with a risk-based method to guarantee only the most pertinent and efficient controls are selected for your enterprise.
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
How ISMS.online Helps
ISMS.online is ideal for implementing your ISO 27001 Information Security Management System. It’s been specifically designed to help companies meet the requirements of the standard.
The platform applies a risk-oriented method in conjunction with leading industry best practices and templates to help you ascertain the risks your organisation faces and the controls required to manage them. This enables you to systematically reduce both your risk exposure and compliance costs.
ISMS.online enables you to:
- Develop an Information Security Management System (ISMS).
- Construct a tailored set of policies and procedures.
- Implement an ISMS to meet ISO 27001 standards.
- Receive assistance from experienced consultants.
You can take advantage of ISMS.online to build an ISMS, create a customised set of policies and processes, adhere to ISO 27001 criteria, and get help from experienced advisers.
The ISMS.online platform is based upon Plan-Do-Check-Act (PDCA), an iterative four-stage procedure for continual enhancement, which meets all the demands of ISO 27001:2022. It’s straightforward. Contact us now to arrange your demonstration.
