ISO 27001:2022 Annex A Control 5.9

Inventory of Information and Other Associated Assets

Book a demo

business,team,busy,working,talking,concept

ISO 27001:2022 Annex A Control 5.9 is named Inventory of Information and Other Associated Assets.

It requires organisations to identify and document the assets important to their operations and the associated risks, and take steps to protect them. This ensures assets are managed and monitored appropriately, helping to ensure they are secure.

Annex A of ISO 27001:2022 outlines Control 5.9, which explains how a list of information and related assets, along with their respective owners, must be created and kept up to date.

Inventory of Information Assets Explained

The organisation must acknowledge what it has access to in order to conduct its operations. It must be aware of its information assets.

A comprehensive IA is a crucial part of any organisation’s data security policy. It is an inventory of every item of data that is stored, processed, or transmitted, as well as the locations and security controls for each. It is essentially the financial accounting equivalent of data protection, allowing organisations to identify each piece of data.

An IA can be used to identify weaknesses in your security programme and provide info to assess cyber risks that might lead to a breach. It can also be evidence to demonstrate you have taken steps to identify sensitive data during compliance audits, which helps you evade fines and punishments.

The inventory of information assets should specify who owns and is responsible for each asset, as well as the value and importance of each item to the organisation’s operations.

It is crucial to maintain inventories current to ensure they accurately reflect changes within the organisation.

Why Do I Need an Inventory of Information Assets?

Information asset management has a long tradition in business continuity planning (BCP), disaster recovery (DR), and incident response preparation.

Identifying critical systems, networks, databases, applications, data flows and other components that require security is the first step in any of these processes. Without knowledge of what needs to be protected, and where it’s located, you can’t plan for how to protect it.

What Is The Purpose of ISO 27001:2022 Annex A Control 5.9?

The control aims to recognise the organisation’s information and associated assets to ensure information security and designate proper ownership.

Annex A of ISO 27001:2022 outlines Control 5.9, which outlines the purpose and implementation guidance to create an inventory of information and other assets in relation to the ISMS framework.

Take an inventory of all info and associated assets, classify into categories, identify owners and document existing/required controls.

This is a vital move to guarantee that all data belongings are adequately safeguarded.

What Is Involved and How to Meet the Requirements

To meet the criteria for ISO 27001:2022, you must identify the information and other associated assets within your organisation. After that, you should assess the significance of these items with respect to information security. If necessary, keep records in dedicated or existing inventories.

The size and complexity of an organisation, existing controls and policies, and the types of information and assets it uses will all have an effect on the development of an inventory.

Ensuring that the inventory of information and other associated assets is accurate, up-to-date, consistent and in-line with other inventories is key, as per Control 5.9. To guarantee accuracy, one can consider the following:

  • Carry out systematic appraisals of listed info and related assets in accordance with the asset catalogue.
  • During the process of installing, changing, or removing an asset, an inventory update will be automatically enforced.
  • Include the whereabouts of an asset in the inventory if necessary.

Some organisations may need to keep multiple inventories for varying purposes. For instance, they may have specialised inventories for software licenses or physical devices such as laptops and tablets.

It is essential to periodically inspect all physical inventory which includes network devices such as routers and switches in order to maintain the accuracy of the inventory for risk management purposes.

For more information on fulfilling control 5.9, the ISO 27001:2022 document should be consulted.

Differences Between ISO 27001:2013 and ISO 27001:2022

In ISO 27001:2022, 58 controls from ISO 27001:2013 have been revised and a further 24 controls have been amalgamated. A new 11 controls have been added, while some deleted.

Therefore, you won’t find Annex A Control 5.9 – Inventory of Information and Other Associated Assets – in the 2013 version, as it is now a combination of ISO 27001:2013 Annex A 8.1.1 – Inventory of Assets – and ISO 27001:2013 Annex A 8.1.2 – Ownership of Assets – in the 2022 version.

Annex A of ISO 27001:2022 outlines Control 8.1.2, Ownership of Assets. This ensures all information assets are clearly identified and owned. Knowing who owns what aids in establishing which assets need protecting and who requires accountability.

ISO 27001:2013 and ISO 27001:2022 both have similar controls, however, Annex A Control 5.9 of the latter has been expanded to provide a more straightforward interpretation. For example, the implementation guidance on asset ownership in control 8.1.2 dictates the asset owner should:

  • Ensure that all assets are accurately recorded in the inventory.
  • Ensure that assets are classified and safeguarded suitably.
  • Periodically review and define access restrictions and classifications for key assets, taking into account applicable access control policies.
  • Ensure appropriate action is taken when the asset is disposed of or destroyed.

The ownership section of control 5.9 has been extended to include nine points, instead of the original four. Corrections have been made to spelling and grammar, and the tone has been changed to a professional, friendly style. Redundancy and repetition have been eliminated and the writing is now in an active style.

The asset owner should assume accountability for the suitable oversight of an asset throughout its life cycle, making sure that:

  • All data and related resources are listed and documented.
  • Ensure that all data, related assets, and other related resources are accurately classified and safeguarded.
  • The classification is reviewed regularly to ensure its accuracy.
  • Components that sustain technology assets are recorded and interrelated, including databases, storage, software components and sub-components.
  • Requirements for the acceptable use of information and other associated assets are set out in 5.10.
  • Access restrictions correspond with the classification and prove effective, reviewed periodically to ensure continual protection.
  • Information and other associated assets are securely handled when deleted or disposed of, and removed from the inventory.
  • They are responsible for identifying and handling the risks connected to their asset(s).
  • They provide support to personnel who manage their information, taking on the roles and responsibilities associated with it.

Merging these two controls into one facilitates user understanding.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

What Do These Changes Mean For You?

The latest ISO 27001 changes do not affect your current certification against ISO 27001 standards. Only upgrades to ISO 27001 can have an effect on existing certifications. Accrediting bodies will work with the certifying bodies to devise a transition period that gives organisations with ISO 27001 certificates enough time to move from one version to the next.

These steps must be taken to meet the revised version:

  • Ensure your business is meeting the latest regulation by examining the risk register and risk management procedures.
  • The Annex A should be amended to reflect any alterations to the Statement of Applicability.
  • Ensure your policies and procedures are up to date to abide by the fresh regulations.

During the transition to the new standard, we’ll have access to new best practices and qualities for control selection, enabling a more effective and efficient selection process.

You ought to persist with a risk-based method to guarantee only the most pertinent and efficient controls are selected for your enterprise.

How ISMS.online Helps

ISMS.online is ideal for implementing your ISO 27001 Information Security Management System. It’s been specifically designed to help companies meet the requirements of the standard.

The platform applies a risk-oriented method in conjunction with leading industry best practices and templates to help you ascertain the risks your organisation faces and the controls required to manage them. This enables you to systematically reduce both your risk exposure and compliance costs.

ISMS.online enables you to:

  1. Develop an Information Security Management System (ISMS).
  2. Construct a tailored set of policies and procedures.
  3. Implement an ISMS to meet ISO 27001 standards.
  4. Receive assistance from experienced consultants.

You can take advantage of ISMS.online to build an ISMS, create a customised set of policies and processes, adhere to ISO 27001 criteria, and get help from experienced advisers.

The ISMS.online platform is based upon Plan-Do-Check-Act (PDCA), an iterative four-stage procedure for continual enhancement, which meets all the demands of ISO 27001:2022. It’s straightforward. Contact us now to arrange your demonstration.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.