Asset management has always been the bedrock of a solid Information Security Management System (ISMS). After all, you cannot protect what you don’t know you have. However, as our work environments have shifted from physical filing cabinets to complex cloud infrastructures and virtual machines, the standard had to evolve. This evolution is most evident in the transition from the 2013 version to the 2022 update of ISO 27001, specifically regarding Annex A 5.9 (formerly part of the A.8 group).
If you are navigating the move to the 2022 standard, Annex A 5.9, “Inventory of information and other associated assets,” is a control you need to understand deeply. It isn’t just a renumbering; it’s a refocusing of how we track the things that matter most to our security.
The Structural Shift: From A.8.1.1 to A.5.9
In the ISO 27001:2013 version, asset inventory was handled under control A.8.1.1, titled simply “Inventory of assets.” In the 2022 revision, this has been merged and reclassified as Annex A 5.9. This isn’t just a cosmetic change. The 2022 version consolidates the old A.8.1.1 (Inventory) and A.8.1.2 (Ownership of assets) into a single, more cohesive control.
The new numbering places this control under the “Organisational” theme. This reflects a broader understanding that managing assets isn’t just a technical IT task—it’s a core business process that requires organisational oversight and clear lines of accountability.
Beyond Hardware: A Focus on Information
One of the most significant changes in the 2022 version is the terminology. The shift from “Inventory of assets” to “Inventory of information and other associated assets” is subtle but powerful.
In 2013, many organisations fell into the trap of only listing physical items—laptops, servers, and routers. The 2022 standard makes it crystal clear that the information itself is the primary asset. The “associated assets” are the hardware, software, services, and even people that handle that information. According to HighTable.io, this means your inventory needs to acknowledge the link between the data (like customer PII) and its container (like an AWS S3 bucket or a physical backup drive).
The “Ownership” Evolution
While ownership was its own control in 2013 (A.8.1.2), its integration into A.5.9 in the 2022 version brings more rigorous requirements. It is no longer enough to list “IT Department” as an owner. The 2022 standard pushes for individuals or specific roles to be accountable for the entire lifecycle of an asset—from its creation and classification to its eventual secure disposal.
Modern audits now look for “owner-attestation.” This means auditors want to see evidence that owners are regularly reviewing their assets and confirming that the details in the inventory are still accurate. If you have an orphaned asset with no clear owner, it’s a major red flag under the new standard.
Embracing the Virtual and the Dynamic
The 2022 update finally catches up with the reality of virtualisation and the cloud. In the 2013 era, virtual machines (VMs) were often overlooked in inventories because they weren’t “physical.” Annex A 5.9 explicitly expects virtual assets, cloud instances, and software licenses to be documented.
Furthermore, the 2022 version acknowledges that a static Excel spreadsheet saved once a year is no longer sufficient. As highlighted by HighTable.io, the inventory is expected to be a “living” document. This means integrating your inventory updates into your Joiners, Movers, and Leavers (JML) processes and your change management workflows. If a server is decommissioned or a database is migrated, the inventory should reflect that change almost immediately.

Implementation: What You Need to Do Differently
If you are transitioning from the 2013 version, your implementation strategy for Annex A 5.9 should focus on three main areas:
- Map Information to Assets: Don’t just list a laptop; list the types of sensitive information that laptop is authorised to access.
- Automate Discovery: For larger organisations, manual entry is the enemy of accuracy. Use MDM (Mobile Device Management) or cloud discovery tools to keep your “associated assets” list current.
- Define Clear Ownership: Assign every asset to a person who has the authority to make decisions about its security and risk.
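To make these three areas concrete, here is an added example (not from the original article or from HighTable.io) of a reconciliation check that a “living” inventory process could run after each discovery scan: it compares discovered asset IDs against the inventory and flags orphaned assets, stale owner attestations, and assets with no information mapping. The record fields, the 90-day attestation cadence, and the sample data are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed inventory record shape; field names are this example's own assumptions.
@dataclass
class Asset:
    asset_id: str
    owner: Optional[str]                     # accountable person or role, not a department
    information: list = field(default_factory=list)  # information types the asset holds or handles
    last_attested: Optional[date] = None     # when the owner last confirmed the record is accurate

ATTEST_PERIOD = timedelta(days=90)  # assumed owner-attestation cadence

def review_inventory(inventory, discovered, today, period=ATTEST_PERIOD):
    """Reconcile the inventory against an automated discovery result and flag A 5.9 gaps.

    Returns a dict mapping finding type to a sorted list of asset IDs.
    """
    known = {a.asset_id for a in inventory}
    findings = {
        "unregistered": sorted(discovered - known),  # discovered, but missing from the inventory
        "not_found": sorted(known - discovered),     # inventoried, but no longer seen (decommissioned?)
        "orphaned": [], "stale_attestation": [], "no_information_mapping": [],
    }
    for a in inventory:
        # Ownership must be a person or role; a bare department is treated as no owner.
        if not a.owner or a.owner.lower().endswith("department"):
            findings["orphaned"].append(a.asset_id)
        if a.last_attested is None or today - a.last_attested > period:
            findings["stale_attestation"].append(a.asset_id)
        if not a.information:  # container listed without the information it holds
            findings["no_information_mapping"].append(a.asset_id)
    for key in ("orphaned", "stale_attestation", "no_information_mapping"):
        findings[key].sort()
    return findings

# Constructed sample inventory and discovery output.
INVENTORY = [
    Asset("s3-customer-data", "Data Protection Lead", ["customer PII"], date(2024, 5, 1)),
    Asset("vm-legacy-app", "IT Department", ["payroll"], date(2023, 11, 1)),
    Asset("laptop-0042", "J. Smith", [], date(2024, 5, 20)),
    Asset("db-orders-old", "A. Patel", ["order history"], date(2024, 4, 15)),
]
DISCOVERED = {"s3-customer-data", "vm-legacy-app", "laptop-0042", "vm-new-build"}
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for kind, ids in review_inventory(INVENTORY, DISCOVERED, TODAY).items():
        print(f"{kind}: {ids}")
```

Each finding type maps to an audit question the article raises: who owns it, when did they last confirm it, what information does it hold, and is the record still current.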
The move to ISO 27001:2022 Annex A 5.9 represents a shift toward a more mature, risk-based approach to security. It moves us away from simply counting boxes and toward a comprehensive map of our information landscape. While it requires more effort to maintain, the result is a much more resilient organisation that truly understands what it is protecting.
