ISO 27001:2022 Annex A Control 5.9

What Is The Purpose of ISO 27001:2022 Annex A Control 5.9?

The control aims to recognise the organisation’s information and associated assets to ensure information security and designate proper ownership.

Annex A of ISO 27001:2022 outlines Control 5.9, which outlines the purpose and implementation guidance to create an inventory of information and other assets in relation to the ISMS framework.

Take an inventory of all info and associated assets, classify into categories, identify owners and document existing/required controls.

This is a vital move to guarantee that all data belongings are adequately safeguarded.

What Is Involved and How to Meet the Requirements

To meet the criteria for ISO 27001:2022, you must identify the information and other associated assets within your organisation. After that, you should assess the significance of these items with respect to information security. If necessary, keep records in dedicated or existing inventories.

The size and complexity of an organisation, existing controls and policies, and the types of information and assets it uses will all have an effect on the development of an inventory.

Ensuring that the inventory of information and other associated assets is accurate, up-to-date, consistent and in-line with other inventories is key, as per Control 5.9. To guarantee accuracy, one can consider the following:

• Carry out systematic appraisals of listed info and related assets in accordance with the asset catalogue.
• During the process of installing, changing, or removing an asset, an inventory update will be automatically enforced.
• Include the whereabouts of an asset in the inventory if necessary.

Some organisations may need to keep multiple inventories for varying purposes. For instance, they may have specialised inventories for software licenses or physical devices such as laptops and tablets.

It is essential to periodically inspect all physical inventory which includes network devices such as routers and switches in order to maintain the accuracy of the inventory for risk management purposes.

For more information on fulfilling control 5.9, the ISO 27001:2022 document should be consulted.

Differences Between ISO 27001:2013 and ISO 27001:2022

In ISO 27001:2022, 58 controls from ISO 27001:2013 have been revised and a further 24 controls have been amalgamated. A new 11 controls have been added, while some deleted.

Therefore, you won’t find Annex A Control 5.9 – Inventory of Information and Other Associated Assets – in the 2013 version, as it is now a combination of ISO 27001:2013 Annex A 8.1.1 – Inventory of Assets – and ISO 27001:2013 Annex A 8.1.2 – Ownership of Assets – in the 2022 version.

Annex A of ISO 27001:2022 outlines Control 8.1.2, Ownership of Assets. This ensures all information assets are clearly identified and owned. Knowing who owns what aids in establishing which assets need protecting and who requires accountability.

ISO 27001:2013 and ISO 27001:2022 both have similar controls, however, Annex A Control 5.9 of the latter has been expanded to provide a more straightforward interpretation. For example, the implementation guidance on asset ownership in control 8.1.2 dictates the asset owner should:

• Ensure that all assets are accurately recorded in the inventory.
• Ensure that assets are classified and safeguarded suitably.
• Periodically review and define access restrictions and classifications for key assets, taking into account applicable access control policies.
• Ensure appropriate action is taken when the asset is disposed of or destroyed.

The ownership section of control 5.9 has been extended to include nine points, instead of the original four. Corrections have been made to spelling and grammar, and the tone has been changed to a professional, friendly style. Redundancy and repetition have been eliminated and the writing is now in an active style.

The asset owner should assume accountability for the suitable oversight of an asset throughout its life cycle, making sure that:

• All data and related resources are listed and documented.
• Ensure that all data, related assets, and other related resources are accurately classified and safeguarded.
• The classification is reviewed regularly to ensure its accuracy.
• Components that sustain technology assets are recorded and interrelated, including databases, storage, software components and sub-components.
• Requirements for the acceptable use of information and other associated assets are set out in 5.10.
• Access restrictions correspond with the classification and prove effective, reviewed periodically to ensure continual protection.
• Information and other associated assets are securely handled when deleted or disposed of, and removed from the inventory.
• They are responsible for identifying and handling the risks connected to their asset(s).
• They provide support to personnel who manage their information, taking on the roles and responsibilities associated with it.

Merging these two controls into one facilitates user understanding.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

What Do These Changes Mean For You?

The latest ISO 27001 changes do not affect your current certification against ISO 27001 standards. Only upgrades to ISO 27001 can have an effect on existing certifications. Accrediting bodies will work with the certifying bodies to devise a transition period that gives organisations with ISO 27001 certificates enough time to move from one version to the next.

These steps must be taken to meet the revised version:

• Ensure your business is meeting the latest regulation by examining the risk register and risk management procedures.
• The Annex A should be amended to reflect any alterations to the Statement of Applicability.
• Ensure your policies and procedures are up to date to abide by the fresh regulations.

During the transition to the new standard, we’ll have access to new best practices and qualities for control selection, enabling a more effective and efficient selection process.

You ought to persist with a risk-based method to guarantee only the most pertinent and efficient controls are selected for your enterprise.

How ISMS.online Helps

ISMS.online is ideal for implementing your ISO 27001 Information Security Management System. It’s been specifically designed to help companies meet the requirements of the standard.

The platform applies a risk-oriented method in conjunction with leading industry best practices and templates to help you ascertain the risks your organisation faces and the controls required to manage them. This enables you to systematically reduce both your risk exposure and compliance costs.

ISMS.online enables you to:

1. Develop an Information Security Management System (ISMS).
2. Construct a tailored set of policies and procedures.
3. Implement an ISMS to meet ISO 27001 standards.
4. Receive assistance from experienced consultants.

You can take advantage of ISMS.online to build an ISMS, create a customised set of policies and processes, adhere to ISO 27001 criteria, and get help from experienced advisers.

The ISMS.online platform is based upon Plan-Do-Check-Act (PDCA), an iterative four-stage procedure for continual enhancement, which meets all the demands of ISO 27001:2022. It’s straightforward. Contact us now to arrange your demonstration.