Control 5.9 in the revised ISO 27002:2022 describes how an inventory of information and other associated assets, including owners, should be developed and maintained.
In order to carry out its activities, the organisation needs to know what information assets it has at its disposal.
An inventory of information assets (IA) is a list of everything an organisation stores, processes, or transmits. It also includes the location and security controls for each item. The goal is to identify every single piece of data. You can think of it as the financial accounting equivalent for data protection.
An IA can be used to identify gaps in your security programme and inform cyber risk assessments where you may have vulnerabilities that could lead to a breach. It can also be used as evidence during compliance audits that you’ve done due diligence in identifying your sensitive data, which helps you avoid fines and penalties.
The inventory of information assets should also include details of who owns each asset and who manages it. It should also include information about the value of each item in the inventory and how critical it is to the success of the organisation’s business operations.
It is important that inventories are kept up-to-date so that they reflect changes within the organisation.
Information asset management has a long history in business continuity planning (BCP), disaster recovery (DR), and incident response planning.
The first step in any of those processes involves identifying critical systems, networks, databases, applications, data flows and other components that need protection. If you do not know what needs protecting or where it resides, then you cannot plan for how to protect it!
Controls are classified using attributes. Using these, you can quickly match your control selection with commonly used industry terms and specifications.
This table complements work that many customers currently conduct as part of their risk assessment and SOA by identifying the confidentiality, integrity, and availability – and other factors. In control 5.9, the attributes are:
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Asset management | #Governance and Ecosystem #Protection |
The purpose of this control is to identify the organisation’s information and other associated assets in order to preserve their information security and assign appropriate ownership.
Control 5.9 covers the control, purpose and implementation guidance for creating an inventory of information and other associated assets in line with the ISMS framework as defined by ISO 27001.
The control requires taking an inventory of all information and other associated assets, classifying them into distinct categories, identifying their owners, and documenting the controls that are or should be in place.
This is a crucial step toward ensuring that all information assets are adequately protected.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
We’re so pleased we found this solution, it made everything fit together more easily.
To meet the requirements for the new ISO 27002:2022, you need to identify the information and other associated assets within your organisation. Then you should determine the importance of these items in terms of information security. If appropriate, documentation should be maintained in dedicated or existing inventories.
The approach to developing an inventory will vary depending on an organisation’s size and complexity, its existing controls and policies, and the types of information and other associated assets that it uses.
According to control 5.9, the inventory of information and other associated assets should be accurate, up to date, consistent and aligned with other inventories. Options for ensuring accuracy of an inventory of information and other associated assets include:
a) conducting regular reviews of identified information and other associated assets against the asset inventory;
b) automatically enforcing an inventory update in the process of installing, changing or removing an asset.
The location of an asset should be included in the inventory as appropriate.
Some organisations may need to maintain several inventories for different purposes. For example, some organisations have dedicated inventories for software licences or for physical equipment such as laptops and tablets.
Others may have a single inventory that includes all physical equipment, including network devices such as routers and switches. It is important that any such inventories are regularly reviewed to ensure that they are kept up-to-date so that they can be used to assist with risk management activities.
More information on meeting the requirements for control 5.9 can be found in the new ISO 27002:2022 document.
In ISO 27002: 2022, 57 controls from ISO 27002: 2013 were merged into 24 controls. So you will not find control 5.9 as Inventory of Information and Other Associated Assets in the 2013 version. Rather in the 2022 version, it is a combination of control 8.1.1 Inventory of assets and control 8.1.2 Ownership of assets.
The intent of control 8.1.1 Inventory of assets is to ensure that all information assets are identified, documented and regularly reviewed, and appropriate processes and procedures are in place to make sure this inventory is safe.
Control 8.1.2 Ownership of Assets is responsible for ensuring that all information assets under their control are properly identified and owned. Knowing who owns what can help you determine what assets you need to protect, and to whom you need to keep accountable.
While both controls in ISO 27002:2013 are similar to control 5.9 in ISO 27002:2022, the latter has been broadened to allow for a more user-friendly interpretation. For example, the implementation guidance for ownership of assets in control 8.1.2 states that the asset owner should:
a) ensure that assets are inventoried;
b) ensure that assets are appropriately classified and protected;
c) define and periodically review access restrictions and classifications to important assets, taking into account applicable access control policies;
d) ensure proper handling when the asset is deleted or destroyed.
These 4 points have been expanded into 9 points in the ownership section of control 5.9.
The asset owner should be responsible for the proper management of an asset over the whole asset life cycle, ensuring that:
a) information and other associated assets are inventoried;
b) information and other associated assets are appropriately classified and protected;
c) the classification is reviewed periodically;
d) components supporting technology assets are listed and linked, such as database, storage, software components and sub-components;
e) requirements for the acceptable use of information and other associated assets (see 5.10) are established;
f) access restrictions correspond with the classification and that they are effective and are reviewed periodically;
g) information and other associated assets, when deleted or disposed, are handled in a secure manner and removed from the inventory;
h) they are involved in the identification and management of risks associated with their asset(s);
i) they support personnel who have the roles and responsibilities of managing their information.
Merging these two controls to form one allows for better understanding by the user.
Book a tailored hands-on session
based on your needs and goals
Book your demo
Since migrating we’ve been able to reduce the time spent on administration.
The latest ISO 27002 modifications have no effect on your current certification against ISO 27001 standards. ISO 27001 upgrades are the only ones that have an influence on existing certifications, and accrediting bodies will collaborate with the certifying bodies to develop a transition cycle that will provide organisations having ISO 27001 certificates adequate time to transfer from one version to another.
That said, the following steps are to be followed to meet the revised version:
New best practises and qualities for control selection will be available during the transition time to the new standard, which will allow for a more effective and efficient selection process.
Because of this, you should continue to employ a risk-based approach to ensure that only the most relevant and effective controls are chosen for your business.
You can use ISMS.online to manage your ISO 27002 implementation, as it has been designed specifically to assist a company in implementing their information security management system (ISMS) to meet the requirements of ISO 27002.
The platform uses a risk-based approach combined with industry leading best practices and templates to help you identify the risks faced by your organisation and the controls that are needed to manage those risks. This allows you to systematically reduce both your risk exposure and your compliance costs.
Using ISMS.online you can:
The ISMS.online platform is based on Plan-Do-Check-Act (PDCA), an iterative four-step process for continual improvement, and it addresses all the requirements of ISO 27002:2022. It’s a simple matter of creating a free trial account and following the steps we provide.
Get in touch today to book a demo.
Book a tailored hands-on session
based on your needs and goals
Book your demo
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
