
What Is ISO 27001 Asset Management?

How ISO 27001 treats assets: the inventory and ownership controls in Annex A, what certification auditors expect to see, and how an asset register helps.

AMPthilly Updated

ISO 27001 asset management covers the Annex A controls that require organisations to inventory, assign ownership of, and protect their information assets.

ISO 27001 asset management refers to the Annex A controls in ISO/IEC 27001 that require an organisation to know what information assets it has, give each one a named owner, and protect them through their whole lifecycle - from acquisition to secure disposal. The standard’s logic is blunt: you cannot protect what you have not listed, so an accurate, owned inventory is the foundation that most other security controls stand on.

Where assets sit in the standard

In the 2013 edition, asset controls lived together under section A.8, “Asset management”. The 2022 revision spread them into the organisational controls: 5.9 requires an inventory of information and other associated assets, 5.10 requires rules for their acceptable use, 5.11 requires assets to be returned when people leave, and 5.12 and 5.13 cover classifying and labelling information. The phrase “other associated assets” is doing deliberate work - the standard is about information, but the laptops, office phones, servers, and drives that store or process that information are explicitly in scope, because losing the device is losing the data.

What the inventory must contain

The standard does not prescribe fields, which surprises people expecting a template. What it requires is that the inventory be accurate, kept up to date, and that every asset have a named owner. In practice, certification auditors expect to see, per asset: what it is, who owns it, where it is or who has custody of it, its classification, and its lifecycle status. The inventory typically splits across two artefacts that cross-reference each other - an information asset register for the data itself, and a hardware and software register for the devices and systems it lives on. Regulated equipment such as medical devices often ends up in scope twice, as both an operational asset and an information-bearing one.

Ownership and return of assets

Ownership in ISO 27001 means accountability, not possession: the owner is the person answerable for the asset’s classification, protection, and eventual disposal, even if someone else carries it daily. The companion controls close the loop at the edges of employment - users are told the rules through an acceptable use policy before they get the asset, and control 5.11 requires that devices, access cards, and information come back when they leave. Disposal is the other exit: data-bearing equipment must be sanitised or destroyed verifiably, which is where ITAD processes enter the picture.

What certification auditors expect to see

Audits of these controls are sampling exercises. The auditor picks entries from the inventory and asks to see the asset, its owner, and evidence the owner knows they own it; then picks devices from desks and asks to find them in the inventory. They check that the register moved when reality moved - a starter’s kit issued, a leaver’s kit returned, a disposal documented - and that practice matches what the asset management policy says should happen. Stale registers fail quietly here: an inventory last touched at the previous audit is a finding in itself.
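The per-asset fields listed above and the auditor's two-way sample can be expressed as simple checks over a register. The code below is an added illustration, not AMPthilly's software; the `Asset` fields, the 365-day staleness threshold and the sample register are constructed for the example.

```python
"""Added example: audit-style checks over a small ISO 27001 asset register."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Fields auditors expect per entry (what, owner, custody, classification,
# lifecycle status) plus when the record last moved. Constructed schema.
@dataclass
class Asset:
    tag: str
    description: str
    owner: Optional[str]      # named owner, accountable for the asset
    custodian: str            # who physically holds it today
    classification: str
    status: str               # e.g. "in-use", "returned", "disposed"
    last_updated: date

# Constructed sample register, not real data.
REGISTER = [
    Asset("LT-0001", "Laptop", "a.smith", "a.smith", "confidential", "in-use", date(2024, 5, 2)),
    Asset("LT-0002", "Laptop", None, "store", "confidential", "in-use", date(2023, 1, 10)),
    Asset("PH-0003", "Phone", "j.doe", "j.doe", "internal", "disposed", date(2024, 4, 1)),
]

def unowned(register: List[Asset]) -> List[str]:
    """Control 5.9 expects every asset to have a named owner; list those that lack one."""
    return [a.tag for a in register if not a.owner]

def stale(register: List[Asset], as_of: date, max_age_days: int = 365) -> List[str]:
    """An entry untouched since the previous audit is a finding in itself.
    Disposed assets are excluded: their record is expected to stop moving."""
    return [a.tag for a in register
            if a.status != "disposed" and (as_of - a.last_updated).days > max_age_days]

def reconcile(register: List[Asset], observed_tags: List[str]) -> Tuple[List[str], List[str]]:
    """The auditor's two-way sample: in-use entries with no matching device seen,
    and devices seen on desks that have no register entry."""
    listed = {a.tag for a in register if a.status == "in-use"}
    observed = set(observed_tags)
    return sorted(listed - observed), sorted(observed - listed)

if __name__ == "__main__":
    print("unowned:", unowned(REGISTER))
    print("stale:", stale(REGISTER, date(2024, 6, 1)))
    print("reconcile:", reconcile(REGISTER, ["LT-0001", "LT-9999"]))
```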

ISO 27001 asset management in practice

The organisations that pass comfortably are the ones whose inventory is a working tool rather than a certification artefact - updated at handover, not at audit time. A register such as AMPthilly’s records each asset with a named owner, status, and a permanent audit history of checkouts, returns, transfers, and approvals, which is exactly the evidence trail auditors sample. The deeper payoff is operational: an inventory good enough for ISO 27001 is also the one that answers, on the day a laptop goes missing, what was on it and who was responsible.

Put your register to work

AMPthilly gives every asset an owner, a location, and a history - checkouts, printable QR labels, service desk, and audit trail in one place. The free plan covers 3 users and 25 assets, with SSO and MFA included.