Control 5.9, Inventory of Information and Other Associated Assets

ISO 27002:2022 Revised Controls

What is Control 5.9 Inventory of Information and Other Associated Assets?

Control 5.9 in the revised ISO 27002:2022 describes how an inventory of information and other associated assets, including owners, should be developed and maintained.

Inventory of Information Assets Explained

In order to carry out its activities, the organisation needs to know what information assets it has at its disposal.

An inventory of information assets (IA) is a list of everything an organisation stores, processes, or transmits. It also includes the location and security controls for each item. The goal is to identify every single piece of data. You can think of it as the financial accounting equivalent for data protection.

An IA can be used to identify gaps in your security programme and inform cyber risk assessments where you may have vulnerabilities that could lead to a breach. It can also be used as evidence during compliance audits that you’ve done due diligence in identifying your sensitive data, which helps you avoid fines and penalties.

The inventory of information assets should also record who owns each asset and who manages it, together with the value of each item and how critical it is to the success of the organisation’s business operations.

It is important that inventories are kept up-to-date so that they reflect changes within the organisation.

Why Do I Need an Inventory of Information Assets?

Information asset management has a long history in business continuity planning (BCP), disaster recovery (DR), and incident response planning.

The first step in any of those processes involves identifying critical systems, networks, databases, applications, data flows and other components that need protection. If you do not know what needs protecting or where it resides, then you cannot plan for how to protect it!

Attributes Table

Controls are classified using attributes. Using these, you can quickly match your control selection with commonly used industry terms and specifications.

This table complements work that many customers already carry out as part of their risk assessment and SoA, by identifying which confidentiality, integrity and availability properties, and which other factors, each control supports. For control 5.9, the attributes are:

Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains
#Preventive | #Confidentiality #Integrity #Availability | #Identify | #Asset management | #Governance and Ecosystem #Protection

What Is The Purpose of Control 5.9?

The purpose of this control is to identify the organisation’s information and other associated assets in order to preserve their information security and assign appropriate ownership.

Control 5.9 covers the control, purpose and implementation guidance for creating an inventory of information and other associated assets in line with the ISMS framework as defined by ISO 27001.

The control requires taking an inventory of all information and other associated assets, classifying them into distinct categories, identifying their owners, and documenting the controls that are or should be in place.

This is a crucial step toward ensuring that all information assets are adequately protected.

What Is Involved and How to Meet the Requirements

To meet the requirements for the new ISO 27002:2022, you need to identify the information and other associated assets within your organisation. Then you should determine the importance of these items in terms of information security. If appropriate, documentation should be maintained in dedicated or existing inventories.

The approach to developing an inventory will vary depending on an organisation’s size and complexity, its existing controls and policies, and the types of information and other associated assets that it uses.

According to control 5.9, the inventory of information and other associated assets should be accurate, up to date, consistent and aligned with other inventories. Options for ensuring accuracy of an inventory of information and other associated assets include:

a) conducting regular reviews of identified information and other associated assets against the asset inventory;

b) automatically enforcing an inventory update in the process of installing, changing or removing an asset.
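The regular review in option a) is, in practice, a reconciliation: what was actually found in the environment is compared with what the inventory records, and the gaps are reported. The following is an added example, not code from the page or from ISMS.online; the field names, hostnames and discovery list are constructed for illustration.

```python
"""Reconcile an asset inventory against discovered assets (control 5.9, option a).

Added example, not from the original page. The inventory fields (owner,
classification, location) follow the attributes the control asks for; the
hostnames and the discovered set are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class InventoryEntry:
    asset_id: str
    owner: str           # accountable owner; empty string means unassigned
    classification: str  # e.g. "Confidential"; empty string means not yet classified
    location: str


# Constructed sample inventory (hypothetical hostnames).
INVENTORY = [
    InventoryEntry("web-01", "alice", "Internal", "DC-A"),
    InventoryEntry("db-01", "bob", "Confidential", "DC-A"),
    InventoryEntry("legacy-fs", "", "", "DC-B"),              # no owner, unclassified
    InventoryEntry("old-proxy", "carol", "Internal", "DC-B"),  # possibly decommissioned
]

# Constructed result of a discovery scan or CMDB export: asset ids actually seen.
DISCOVERED = {"web-01", "db-01", "legacy-fs", "shadow-vm"}


def reconcile(inventory, discovered):
    """Return the gaps between the recorded inventory and what was actually found."""
    known = {entry.asset_id for entry in inventory}
    return {
        # present in the environment but never recorded: unmanaged ("shadow") assets
        "unrecorded": sorted(discovered - known),
        # recorded but not found: stale entries to review, or to remove on disposal (point g)
        "stale": sorted(known - discovered),
        # recorded but with no accountable owner, which the control requires
        "unowned": sorted(e.asset_id for e in inventory if not e.owner),
        # recorded but never classified (point b of the owner's responsibilities)
        "unclassified": sorted(e.asset_id for e in inventory if not e.classification),
    }


if __name__ == "__main__":
    for gap, ids in reconcile(INVENTORY, DISCOVERED).items():
        print(f"{gap:12s}: {', '.join(ids) or '-'}")
```

Each non-empty list is a finding for the review: unrecorded assets need an owner and an entry, stale entries need confirming or removing, and unowned or unclassified entries need an owner assigned before the review is closed.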

The location of an asset should be included in the inventory as appropriate.

Some organisations may need to maintain several inventories for different purposes. For example, some organisations have dedicated inventories for software licences or for physical equipment such as laptops and tablets.

Others may have a single inventory that includes all physical equipment, including network devices such as routers and switches. It is important that any such inventories are regularly reviewed to ensure that they are kept up-to-date so that they can be used to assist with risk management activities.

More information on meeting the requirements for control 5.9 can be found in the new ISO 27002:2022 document.

Differences Between ISO 27002:2013 and ISO 27002:2022

In ISO 27002:2022, 57 controls from ISO 27002:2013 were merged into 24 controls, so you will not find a control named Inventory of Information and Other Associated Assets in the 2013 version. Instead, control 5.9 in the 2022 version combines control 8.1.1 Inventory of assets and control 8.1.2 Ownership of assets.

The intent of control 8.1.1 Inventory of assets is to ensure that all information assets are identified, documented and regularly reviewed, and that appropriate processes and procedures are in place to keep this inventory secure.

Control 8.1.2 Ownership of assets requires asset owners to ensure that all information assets under their control are properly identified and owned. Knowing who owns what helps you determine which assets you need to protect and who is accountable for them.

While both controls in ISO 27002:2013 are similar to control 5.9 in ISO 27002:2022, the latter has been broadened to allow for a more user-friendly interpretation. For example, the implementation guidance for ownership of assets in control 8.1.2 states that the asset owner should:

a) ensure that assets are inventoried;

b) ensure that assets are appropriately classified and protected;

c) define and periodically review access restrictions and classifications to important assets, taking into account applicable access control policies;

d) ensure proper handling when the asset is deleted or destroyed.

These 4 points have been expanded into 9 points in the ownership section of control 5.9.

The asset owner should be responsible for the proper management of an asset over the whole asset life cycle, ensuring that:

a) information and other associated assets are inventoried;

b) information and other associated assets are appropriately classified and protected;

c) the classification is reviewed periodically;

d) components supporting technology assets are listed and linked, such as database, storage, software components and sub-components;

e) requirements for the acceptable use of information and other associated assets (see 5.10) are established;

f) access restrictions correspond with the classification and that they are effective and are reviewed periodically;

g) information and other associated assets, when deleted or disposed, are handled in a secure manner and removed from the inventory;

h) they are involved in the identification and management of risks associated with their asset(s);

i) they support personnel who have the roles and responsibilities of managing their information.

Merging these two controls to form one allows for better understanding by the user.

What Do These Changes Mean For You?

The latest ISO 27002 modifications have no effect on your current certification against ISO 27001. Only changes to ISO 27001 itself affect existing certifications, and accreditation bodies will work with the certification bodies to develop a transition cycle that gives organisations holding ISO 27001 certificates adequate time to move from one version to the other.

That said, the following steps should be followed to meet the revised version:

  • Ensure that your company complies with the new requirements by reviewing your risk register and your risk management practices.
  • Revise your SoA to reflect the changes to Annex A.
  • Update your policies and processes to comply with the revised controls.

New best practices and attributes for control selection will be available during the transition period to the new standard, which will allow for a more effective and efficient selection process.

Because of this, you should continue to employ a risk-based approach to ensure that only the most relevant and effective controls are chosen for your business.

How ISMS.online Helps

You can use ISMS.online to manage your ISO 27002 implementation, as it has been designed specifically to help a company implement its information security management system (ISMS) to meet the requirements of ISO 27002.

The platform uses a risk-based approach combined with industry leading best practices and templates to help you identify the risks faced by your organisation and the controls that are needed to manage those risks. This allows you to systematically reduce both your risk exposure and your compliance costs.

Using ISMS.online you can:

  • Quickly implement an Information Security Management System (ISMS).
  • Easily manage the documentation of your ISMS.
  • Streamline compliance with all relevant standards.
  • Manage all aspects of information security, from risk management to security awareness training.
  • Effectively communicate throughout your organisation using our built-in communication functionality.

The ISMS.online platform is based on Plan-Do-Check-Act (PDCA), an iterative four-step process for continual improvement, and it addresses all the requirements of ISO 27002:2022. It’s a simple matter of creating a free trial account and following the steps we provide.

Get in touch today to book a demo.

New Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.7 | New | Threat intelligence
5.23 | New | Information security for use of cloud services
5.30 | New | ICT readiness for business continuity
7.4 | New | Physical security monitoring
8.9 | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.16 | New | Monitoring activities
8.23 | New | Web filtering
8.28 | New | Secure coding

Organisational Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.1 | 05.1.1, 05.1.2 | Policies for information security
5.2 | 06.1.1 | Information security roles and responsibilities
5.3 | 06.1.2 | Segregation of duties
5.4 | 07.2.1 | Management responsibilities
5.5 | 06.1.3 | Contact with authorities
5.6 | 06.1.4 | Contact with special interest groups
5.7 | New | Threat intelligence
5.8 | 06.1.5, 14.1.1 | Information security in project management
5.9 | 08.1.1, 08.1.2 | Inventory of information and other associated assets
5.10 | 08.1.3, 08.2.3 | Acceptable use of information and other associated assets
5.11 | 08.1.4 | Return of assets
5.12 | 08.2.1 | Classification of information
5.13 | 08.2.2 | Labelling of information
5.14 | 13.2.1, 13.2.2, 13.2.3 | Information transfer
5.15 | 09.1.1, 09.1.2 | Access control
5.16 | 09.2.1 | Identity management
5.17 | 09.2.4, 09.3.1, 09.4.3 | Authentication information
5.18 | 09.2.2, 09.2.5, 09.2.6 | Access rights
5.19 | 15.1.1 | Information security in supplier relationships
5.20 | 15.1.2 | Addressing information security within supplier agreements
5.21 | 15.1.3 | Managing information security in the ICT supply chain
5.22 | 15.2.1, 15.2.2 | Monitoring, review and change management of supplier services
5.23 | New | Information security for use of cloud services
5.24 | 16.1.1 | Information security incident management planning and preparation
5.25 | 16.1.4 | Assessment and decision on information security events
5.26 | 16.1.5 | Response to information security incidents
5.27 | 16.1.6 | Learning from information security incidents
5.28 | 16.1.7 | Collection of evidence
5.29 | 17.1.1, 17.1.2, 17.1.3 | Information security during disruption
5.30 | New | ICT readiness for business continuity
5.31 | 18.1.1, 18.1.5 | Legal, statutory, regulatory and contractual requirements
5.32 | 18.1.2 | Intellectual property rights
5.33 | 18.1.3 | Protection of records
5.34 | 18.1.4 | Privacy and protection of PII
5.35 | 18.2.1 | Independent review of information security
5.36 | 18.2.2, 18.2.3 | Compliance with policies, rules and standards for information security
5.37 | 12.1.1 | Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
6.1 | 07.1.1 | Screening
6.2 | 07.1.2 | Terms and conditions of employment
6.3 | 07.2.2 | Information security awareness, education and training
6.4 | 07.2.3 | Disciplinary process
6.5 | 07.3.1 | Responsibilities after termination or change of employment
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements
6.7 | 06.2.2 | Remote working
6.8 | 16.1.2, 16.1.3 | Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
7.1 | 11.1.1 | Physical security perimeters
7.2 | 11.1.2, 11.1.6 | Physical entry
7.3 | 11.1.3 | Securing offices, rooms and facilities
7.4 | New | Physical security monitoring
7.5 | 11.1.4 | Protecting against physical and environmental threats
7.6 | 11.1.5 | Working in secure areas
7.7 | 11.2.9 | Clear desk and clear screen
7.8 | 11.2.1 | Equipment siting and protection
7.9 | 11.2.6 | Security of assets off-premises
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media
7.11 | 11.2.2 | Supporting utilities
7.12 | 11.2.3 | Cabling security
7.13 | 11.2.4 | Equipment maintenance
7.14 | 11.2.7 | Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
8.1 | 06.2.1, 11.2.8 | User endpoint devices
8.2 | 09.2.3 | Privileged access rights
8.3 | 09.4.1 | Information access restriction
8.4 | 09.4.5 | Access to source code
8.5 | 09.4.2 | Secure authentication
8.6 | 12.1.3 | Capacity management
8.7 | 12.2.1 | Protection against malware
8.8 | 12.6.1, 18.2.3 | Management of technical vulnerabilities
8.9 | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.13 | 12.3.1 | Information backup
8.14 | 17.2.1 | Redundancy of information processing facilities
8.15 | 12.4.1, 12.4.2, 12.4.3 | Logging
8.16 | New | Monitoring activities
8.17 | 12.4.4 | Clock synchronization
8.18 | 09.4.4 | Use of privileged utility programs
8.19 | 12.5.1, 12.6.2 | Installation of software on operational systems
8.20 | 13.1.1 | Networks security
8.21 | 13.1.2 | Security of network services
8.22 | 13.1.3 | Segregation of networks
8.23 | New | Web filtering
8.24 | 10.1.1, 10.1.2 | Use of cryptography
8.25 | 14.2.1 | Secure development life cycle
8.26 | 14.1.2, 14.1.3 | Application security requirements
8.27 | 14.2.5 | Secure system architecture and engineering principles
8.28 | New | Secure coding
8.29 | 14.2.8, 14.2.9 | Security testing in development and acceptance
8.30 | 14.2.7 | Outsourced development
8.31 | 12.1.4, 14.2.6 | Separation of development, test and production environments
8.32 | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change management
8.33 | 14.3.1 | Test information
8.34 | 12.7.1 | Protection of information systems during audit testing