What is Annex A 5.9 in ISO 27001?
Annex A 5.9 is a documented process for identifying and managing assets. You must record information, software, hardware, and services. The inventory lives in the business tools your staff already use, such as SharePoint. It ensures clear ownership and accountability. Effective management requires manual classification within your standard business workflows.
Auditor’s Eye: The Shortcut Trap
Many firms use automated SaaS discovery tools for asset management. These tools produce long lists of IP addresses. They lack business context and human classification. Auditors find these inventories insufficient for compliance. We prefer seeing assets in a SharePoint list with manual classification. This proves management understands asset value. Relying on a “black box” automated list indicates a lack of ownership. True compliance requires evidence in native repositories.
| Feature | ISO 27001:2013 (A.8.1.1) | ISO 27001:2022 (A.5.9) |
|---|---|---|
| Title | Inventory of assets | Inventory of information and associated assets |
| Scope | Physical and virtual assets. | Includes information and cloud services. |
| Requirement | Identify assets. | Maintain a documented inventory. |
How to Implement Annex A 5.9 (Step-by-Step)
Identify every information asset and its owner. You must document this inventory in your native business tools. This creates a cultural habit of asset oversight. Do not rely on software discovery alone. Follow these steps for an auditor-ready approach.
Step 1: Inventory Compilation in SharePoint
Create a SharePoint list for your asset inventory. Include columns for asset name, type, and location. Record the sensitivity level for every entry. This centralises asset data where staff can see it. The organisation documents all critical data sources.
Step 2: Ownership Assignment via Jira
Assign every asset to a named individual. Use Jira to track the acceptance of ownership duties. Asset owners must verify their inventories annually. This proves accountability to the certification auditor. It ensures assets remain protected throughout their lifecycle.
Step 3: Establish Classification in Confluence
Document your classification rules in a Confluence wiki. Define what makes an asset confidential or public. Link these rules to the SharePoint inventory. This provides the “why” behind your security controls. It demonstrates human intent and procedural maturity.
Annex A 5.9 Audit Evidence Checklist
- Asset Inventory in SharePoint with full version history.
- Classification policy documented in Confluence.
- Minutes from management reviews confirming asset accuracy.
- Manual sign-off records from assigned asset owners.
- Disposal logs for old hardware or deleted data.
Relational Mapping
Annex A 5.9 is the foundation for Annex A 5.12 (Classification of information). Classification relies on accurate inventory data. It also supports Annex A 5.10 (Acceptable use of information and other associated assets). Without an inventory, you cannot enforce usage rules. Furthermore, it drives the risk assessment in Clause 6.1.2. Auditors check the link between assets and risks.
Auditor Interview: Direct Asset Management
Question: How do you identify new information assets?
Answer: We record new assets in SharePoint during project initiation.
Question: Who is responsible for the accuracy of the hardware list?
Answer: The IT Lead verifies the Jira hardware log monthly.
Question: Is your inventory fully automated by a third party?
Answer: No. We manually classify assets to ensure business context.
Common Non-Conformities
| Failure Mode | Cause | Auditor Finding |
|---|---|---|
| Automated Complacency | Relying on SaaS discovery without manual review. | Major NC: No evidence of business context. |
| Ownerless Assets | Assigning ownership to “The Department.” | Minor NC: Accountability is not individual. |
| Stale Inventory | Inventory has not changed in three years. | Minor NC: Failure to maintain current records. |
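The three failure modes above, together with the annual owner verification from Step 2, can be checked mechanically against an export of the SharePoint list before an audit. The following script is an added example, not code from the original article or from any SharePoint, Jira or Confluence integration: it assumes a flat export with the columns named in Step 1 plus an owner, a source field ("manual" or "discovery"), a reviewer and a last-verified date. The classification set and the list of generic owner values are assumptions; the inventory rows are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: the Confluence classification rules define exactly these levels.
# The page only names "confidential" and "public" as examples.
ALLOWED_CLASSIFICATIONS = {"public", "internal", "confidential"}

# Owner values that name a group rather than an individual (constructed list;
# the page's own example of an ownerless asset is "The Department").
GENERIC_OWNERS = {"the department", "it", "it department", "everyone", "tbd", ""}

# Owners must verify their assets at least annually.
REVIEW_PERIOD = timedelta(days=365)


@dataclass
class Asset:
    name: str
    asset_type: str
    location: str
    classification: str
    owner: str
    source: str           # "manual" or "discovery" (assumed export column)
    reviewed_by: str      # person who confirmed business context; "" if nobody
    last_verified: date   # date of the last owner sign-off


def check_asset(asset: Asset, today: date) -> list[str]:
    """Return one finding per non-conformity detected on a single inventory row."""
    findings = []
    # Ownerless Assets: ownership must sit with a named individual.
    if asset.owner.strip().lower() in GENERIC_OWNERS:
        findings.append(f"{asset.name}: ownerless asset (owner '{asset.owner}' is not a named individual)")
    # Classification must come from the documented rules.
    if asset.classification.strip().lower() not in ALLOWED_CLASSIFICATIONS:
        findings.append(f"{asset.name}: classification '{asset.classification}' is not a defined level")
    # Stale Inventory: the annual verification has lapsed.
    if today - asset.last_verified > REVIEW_PERIOD:
        findings.append(f"{asset.name}: stale entry (last verified {asset.last_verified.isoformat()})")
    # Automated Complacency: discovery output with no human review attached.
    if asset.source == "discovery" and not asset.reviewed_by.strip():
        findings.append(f"{asset.name}: automated discovery entry with no manual review")
    return findings


def check_inventory(assets: list[Asset], today: date) -> list[str]:
    """Run check_asset over every row and flatten the findings."""
    return [finding for asset in assets for finding in check_asset(asset, today)]


# Constructed sample export: one clean row and three rows that each trip a rule.
SAMPLE_INVENTORY = [
    Asset("HR personnel files", "information", "SharePoint /HR", "confidential",
          "Jane Smith", "manual", "Jane Smith", date(2024, 3, 15)),
    Asset("Finance file share", "service", "FS01", "confidential",
          "The Department", "manual", "Mark Ellis", date(2024, 1, 10)),
    Asset("Legacy print server", "hardware", "Server room B", "internal",
          "Tom Reed", "manual", "Tom Reed", date(2021, 2, 1)),
    Asset("10.0.4.22", "hardware", "unknown", "unknown",
          "TBD", "discovery", "", date(2024, 5, 30)),
]

AUDIT_DATE = date(2024, 6, 1)  # constructed reference date for the review


if __name__ == "__main__":
    for line in check_inventory(SAMPLE_INVENTORY, AUDIT_DATE):
        print(line)
```

Run it against a real export by building `Asset` rows from the CSV columns; the findings list maps directly onto the Failure Mode column of the table above, so an empty list is the state you want before the auditor opens the SharePoint list.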
Frequently Asked Questions
What is the bottom line for Annex A 5.9?
The bottom line is that you must know your assets. Identify information, software, and hardware. Document these in internal tools like SharePoint. Assign an owner to every asset. This proves management oversight and supports risk assessment.
Should I include cloud services in the inventory?
Yes. Cloud services are associated assets. You must document them in your SharePoint list. Assign an owner to manage the cloud relationship. This prevents unmanaged data silos. It ensures the ISMS covers all information processing.
How often should owners verify their assets?
Verify your asset inventory at least annually. Use Jira tickets to prompt owner reviews. Document the completion of these reviews in SharePoint. This provides an audit trail of active management. It shows the system is living and accurate.
