An information asset register is a catalogue of an organisation's data and information assets, recording what they are, where they live, and who owns them.
An information asset register (IAR) is a catalogue of the data and information an organisation holds - databases, records, files, contracts, archives - recording what each asset is, where it lives, who owns it, how sensitive it is, and how long it must be kept. Where a hardware asset register answers “what equipment do we have”, the IAR answers the harder question that security and privacy work depends on: “what information do we have, and who is accountable for it”.
What to record for each information asset
A workable register stays at the level of meaningful collections of information, not individual files. For each entry, the fields that earn their place:
- Name and description - “customer database”, “HR personnel files”, “signed supplier contracts”.
- Owner - the person accountable for its protection and lifecycle, not the IT team that hosts it.
- Format and location - which system, share, cloud service, or filing cabinet holds it, including copies and backups.
- Classification - public, internal, confidential, or whatever scheme the organisation uses.
- Personal data flag - whether it contains personal data, which pulls it into GDPR scope.
- Retention period - how long it is kept and on what basis, taken from the data retention policy.
- Supporting assets - the hardware, software, and services the information depends on.
How it differs from a hardware asset register
The two registers slice the same world along different axes. A hardware register tracks devices, each with one entry and one holder; an information asset spans many devices, and one device can hold pieces of many information assets. Their lifecycles end differently too: a device’s life ends with disposal through an ITAD process, while an information asset’s life ends with deletion - and proving deletion requires data sanitization of every device and backup that held a copy. That is exactly why the registers must cross-reference: when a laptop is lost, the hardware register tells you which machine, and the IAR tells you what information was exposed.
The role in GDPR and ISO 27001
The IAR is the quiet workhorse behind two compliance regimes. For GDPR, it underpins the Article 30 record of processing activities, scopes subject access requests (“where could this person’s data be?”), and makes breach assessment possible inside the 72-hour notification window of Article 33. For ISO 27001, the inventory control (Annex A 5.9 in the 2022 edition; A.8.1.1 and A.8.1.2 in the 2013 edition) requires information and its associated assets to be listed, owned, and kept current - certification auditors routinely sample the register, ask owners whether they know what they own, and check entries against reality. In both cases an absent or stale register converts a contained incident into an open-ended one, because nobody can say with confidence what was affected.
Keeping the register useful
The classic failure is the register built once for a certification push and never touched again - within a year it describes an organisation that no longer exists. The habits that prevent it: new systems and data collections get an entry as part of go-live, decommissioned ones get an end date rather than silent deletion, and each owner reviews their entries on a fixed cycle. It helps to keep the register next to the operational asset data people already maintain; AMPthilly’s register treats digital records and licences as asset types alongside the hardware they live on, with named owners and custom fields per asset type, so the device-side half of the cross-reference stays current as equipment changes hands. Sectors with regulated equipment - medical devices, lab equipment - feel this most, since one instrument can be simultaneously a physical asset, a data source, and a compliance record.
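The three uses described above - the lost-laptop cross-reference between the hardware register and the IAR, the list of every copy that must be sanitised before an information asset can be called deleted, and the overdue-review check that catches a register going stale - are easier to reason about with a concrete data model. The following is an added illustration written for this page, not AMPthilly’s schema or any product’s code; the table and column names, the review cycle and the sample registers are all constructed assumptions.

```python
"""Cross-referencing an information asset register (IAR) with a hardware
register, and checking the IAR for staleness. Added example with a
hypothetical schema and constructed sample data; not a product's data model."""
import sqlite3
from datetime import date, timedelta

# Assumed schema. The link table is the cross-reference the text describes:
# one device holds pieces of many information assets, one information asset
# spans many devices (primary copy, caches, backups).
SCHEMA = """
CREATE TABLE information_asset (
    id              TEXT PRIMARY KEY,
    name            TEXT NOT NULL,
    owner           TEXT NOT NULL,     -- accountable person, not the hosting team
    classification  TEXT NOT NULL,     -- public / internal / confidential
    personal_data   INTEGER NOT NULL,  -- 1 = contains personal data (GDPR scope)
    retention_years INTEGER,
    last_reviewed   TEXT,              -- ISO date of the owner's last review
    end_date        TEXT               -- set at decommissioning; row is never deleted
);
CREATE TABLE hardware_asset (
    id TEXT PRIMARY KEY, model TEXT NOT NULL, holder TEXT NOT NULL,
    status TEXT NOT NULL               -- in_use / lost / disposed
);
CREATE TABLE asset_location (
    info_id   TEXT NOT NULL REFERENCES information_asset(id),
    hw_id     TEXT NOT NULL REFERENCES hardware_asset(id),
    copy_type TEXT NOT NULL,           -- primary / cache / backup
    PRIMARY KEY (info_id, hw_id)
);
"""

# Constructed sample registers (not real data).
INFORMATION_ASSETS = [
    ("IA-001", "Customer database", "Head of Sales", "confidential", 1, 7, "2024-03-01", None),
    ("IA-002", "HR personnel files", "HR Director", "confidential", 1, 6, "2023-01-15", None),
    ("IA-003", "Signed supplier contracts", "Procurement Lead", "internal", 0, 10, "2024-06-01", None),
    ("IA-004", "Legacy CRM export", "Head of Sales", "confidential", 1, 7, "2022-05-01", "2023-09-30"),
]
HARDWARE_ASSETS = [
    ("HW-100", "Laptop", "a.smith", "lost"),
    ("HW-200", "File server", "IT Ops", "in_use"),
    ("HW-300", "Backup tape set", "IT Ops", "in_use"),
]
LOCATIONS = [
    ("IA-001", "HW-200", "primary"), ("IA-001", "HW-300", "backup"), ("IA-001", "HW-100", "cache"),
    ("IA-002", "HW-200", "primary"), ("IA-002", "HW-300", "backup"),
    ("IA-003", "HW-200", "primary"), ("IA-003", "HW-100", "cache"),
    ("IA-004", "HW-300", "backup"),
]


def build_registers() -> sqlite3.Connection:
    """In-memory database holding both registers and the link table."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO information_asset VALUES (?,?,?,?,?,?,?,?)", INFORMATION_ASSETS)
    conn.executemany("INSERT INTO hardware_asset VALUES (?,?,?,?)", HARDWARE_ASSETS)
    conn.executemany("INSERT INTO asset_location VALUES (?,?,?)", LOCATIONS)
    return conn


def exposed_information(conn, hw_id):
    """Lost device -> which information assets had a copy on it.
    Personal-data entries and the highest classification come first so the
    breach assessor sees GDPR scope immediately. Decommissioned entries are
    still reported: an end date does not mean every copy was sanitised."""
    rows = conn.execute("""
        SELECT ia.id, ia.name, ia.owner, ia.classification, ia.personal_data,
               al.copy_type, ia.end_date
        FROM asset_location al JOIN information_asset ia ON ia.id = al.info_id
        WHERE al.hw_id = ?
        ORDER BY ia.personal_data DESC,
                 CASE ia.classification WHEN 'confidential' THEN 0
                                        WHEN 'internal' THEN 1 ELSE 2 END, ia.id""", (hw_id,))
    return [dict(r) for r in rows]


def sanitisation_targets(conn, info_id):
    """End of life -> every device and backup that must be sanitised before the
    asset can be recorded as deleted. A lost device stays on the list: it
    cannot be sanitised, so deletion cannot be asserted for that copy."""
    rows = conn.execute("""
        SELECT hw.id, hw.model, hw.holder, hw.status, al.copy_type
        FROM asset_location al JOIN hardware_asset hw ON hw.id = al.hw_id
        WHERE al.info_id = ? AND hw.status != 'disposed'
        ORDER BY hw.id""", (info_id,))
    return [dict(r) for r in rows]


def stale_entries(conn, today_iso, review_cycle_days=365):
    """Live entries whose owner review is overdue or never happened.
    Decommissioned entries (end_date set) are excluded rather than deleted."""
    cutoff = (date.fromisoformat(today_iso) - timedelta(days=review_cycle_days)).isoformat()
    rows = conn.execute("""
        SELECT id, name, owner, last_reviewed FROM information_asset
        WHERE end_date IS NULL AND (last_reviewed IS NULL OR last_reviewed < ?)
        ORDER BY id""", (cutoff,))
    return [dict(r) for r in rows]


if __name__ == "__main__":
    conn = build_registers()
    print("Lost laptop HW-100 exposed:", [r["id"] for r in exposed_information(conn, "HW-100")])
    print("Sanitise before IA-001 is deleted:", [r["id"] for r in sanitisation_targets(conn, "IA-001")])
    print("Overdue reviews on 2024-09-01:", [r["id"] for r in stale_entries(conn, "2024-09-01")])
```

The design choice worth noting is the separate `asset_location` table: putting a "location" text field on each IAR entry, as many spreadsheet registers do, makes the lost-laptop question a free-text search, whereas a link table with one row per copy makes it a join and also gives the sanitisation list for free. Dates are stored as ISO strings so that the staleness comparison is a plain string comparison in SQLite.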
Related terms
- Data Retention Policy - supplies the keep-for-how-long answer each entry needs
- Asset Management Policy - the governing document for how assets of all kinds are owned and handled
- Acceptable Use Policy - the rules for the people using the information and its devices
- ITAD - secure disposal of the hardware that information assets live on
- Data Sanitization - how an information asset is verifiably destroyed at end of life