ISO 27001 Annex A 5.9 – Inventory Of Information And Other Associated Assets

ISO 27001 Annex A 5.9 is about making a list of a company’s information and other important items. This list is a key part of keeping data safe. The rule says that a list of information and other assets, along with their owners, must be made and kept up to date.

What is ISO 27001 Annex A 5.9?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 standard, the control is titled “Inventory Of Information And Other Associated Assets”.

What is the ISO 27001 Annex A 5.9 control objective?

The formal definition and control objective in the standard is: “An inventory of information and other associated assets, including owners, should be developed and maintained.”

What is the purpose of ISO 27001 Annex A 5.9?

The purpose of ISO 27001 Annex A 5.9 is “to ensure you identify the organisation’s information and other associated assets in order to preserve their information security and assign appropriate ownership.”

Is ISO 27001 Annex A 5.9 Mandatory?

ISO 27001 Annex A control 5.9 (Inventory Of Information And Other Associated Assets in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.9 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Why Is This Important?

You cannot protect what you do not know you have. This rule helps a company:

  • Know what it has.
  • Figure out what risks those items face.
  • Make sure the right people are in charge of them.

This helps a company stay safe and meet legal rules.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

  1. Make a list: List all of your company’s important information and other items. This includes things like computers, data, and software.
  2. Assign an owner: Give each item an owner. The owner is the person or group in charge of that item.
  3. Keep it updated: Make sure the list is always correct. Update it when you add, change, or get rid of an item.
  4. Protect assets: Put safety rules in place based on how important each item is.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

  • An asset list.
  • An owner assigned to each item.
  • Proof that you are keeping the list up to date and that you are protecting your items.