The Control Room – ISO 27001 Control Spotlight: 5.9 – Inventory of Information and Other Associated Assets

Written by sallydeiteratecom | Mar 23, 2026 5:15:57 AM

You can’t protect what you don’t know you have.

It sounds obvious, but ISO 27001 Control 5.9 – Inventory of Information and Other Associated Assets exists because many organisations are still operating with a surprisingly fuzzy understanding of their own environment. Critical information lives in shared drives no one monitors, old laptops are floating around unaccounted for, SaaS tools have been adopted without oversight, and sensitive data is tucked away in systems the security team didn’t even know existed.

That’s not an asset management strategy. That’s digital hide-and-seek.

ISO 27001 Control 5.9 is about making sure your organisation knows what information and assets it has, who owns them, and why they matter. Because before you can assess risk, apply controls, or respond to an incident, you need a clear view of what is actually in scope.

And no, “it’s probably in SharePoint somewhere” does not count.

Intent of the Control

The purpose of Control 5.9 is to ensure that information and other associated assets are identified and an inventory is developed and maintained.

In plain English: make a proper list of the things that matter.

That includes more than just hardware. An effective asset inventory may include:

    • information and data sets
    • software and applications
    • cloud services and platforms
    • physical devices
    • virtual assets
    • systems and infrastructure
    • key documentation
    • services provided by third parties

The control is not just asking for a spreadsheet full of serial numbers. It is asking for a maintained, meaningful inventory that supports security, accountability and risk management. Think of it as the map before the journey. Without it, you are wandering around your own estate with a blindfold on.

Why It Matters

Asset inventories are foundational to good security. If you do not know what systems you have, what data they hold, who owns them, or how important they are, then your controls are based on guesswork. That makes it much easier for risky assets to slip through the cracks.

Without a good inventory, organisations risk:

    • missing critical systems from scope
    • failing to apply security controls consistently
    • leaving unsupported or forgotten assets exposed
    • overlooking shadow IT and unmanaged SaaS tools
    • struggling to respond effectively to incidents
    • creating confusion around ownership and accountability

This control matters because every other part of your ISMS depends on it. Risk assessments, access control, supplier reviews, backup decisions, incident response and business continuity all rely on knowing what exists in the first place.

An inaccurate asset inventory is like trying to lock the doors in a building when no one knows how many doors there are.

What Good Looks Like

A strong asset inventory does not need to be beautiful. It does need to be current, usable and owned. High-maturity organisations typically have:

  1. A clear definition of what counts as an asset. Not just laptops and servers. Information, software, cloud services, critical documents and third-party systems should all be considered where relevant.
  2. Ownership assigned. Every important asset has someone accountable for it. Not “the business” or “IT” in general. A real person.
  3. Classification and context. Assets are not just listed; they are understood. What information do they hold? How sensitive is it? How important is it to operations?
  4. Regular review. The inventory is updated when things change and reviewed at planned intervals. It is a living record, not a historical artefact.
  5. Linkage to the wider ISMS. The inventory supports other controls, including risk assessments, access controls, backup plans, supplier oversight and incident response.

Good asset management is not about obsessing over admin. It is about creating enough visibility that the rest of your security program can function properly.

Common Pitfalls

Like many ISO controls, 5.9 can look “done” without actually being useful. Common mistakes include:

    • treating the asset register as an IT hardware list only
    • forgetting information assets entirely
    • failing to assign ownership
    • never reviewing or updating the inventory
    • excluding cloud platforms and SaaS applications
    • letting shadow IT grow without oversight
    • keeping inventories in static documents no one touches

One of the biggest traps is assuming asset management is a one-time exercise. It is not. Businesses change too quickly for that. New tools get introduced. Old systems linger. Data moves. People leave. Vendors multiply. If the inventory stands still, your risk picture is already out of date.

How de.iterate Helps

At de.iterate, we help organisations turn asset management into a practical, auditable part of their management system. Our platform supports you to:

    • maintain a live asset register in one place
    • assign owners and responsibilities clearly
    • classify assets and document their relevance
    • connect assets to risks, suppliers and supporting evidence
    • schedule reviews through assurance tasks and compliance calendars
    • demonstrate to auditors that asset management is current and embedded

Instead of asset information living in old spreadsheets, forgotten documents or somebody’s head, it becomes part of the system that supports the rest of your compliance program.

Because asset inventories should not be archaeological digs. They should be useful.

Stay Tuned

Each month, The Control Room will continue unpacking ISO 27001, one control at a time. Whether you’re building an ISMS from scratch or levelling up your current controls, we’re here to help you understand what “good” really looks like, without the jargon.