ISO 27001 Asset Inventory — CPCON team serving the UAE and GCC from Dubai

ISO 27001 Annex A 5.9: Asset Inventory Requirements in Practice

Control 5.9 looks like one line — develop and maintain an inventory of information and other associated assets, including owners — yet it is where certification audits stall. A practical guide to what auditors test, why tool exports alone fail, and how UAE organisations layer PDPL, DIFC and ADGM duties onto the same inventory.

You cannot protect what you do not know you have — and you cannot certify it either. Every information security management system stands on an asset inventory: the risk assessment scopes it, the Statement of Applicability assumes it, and dozens of other controls — acceptable use, return of assets, secure disposal, endpoint protection — inherit its accuracy. That is why ISO/IEC 27001:2022 places the inventory near the top of Annex A as control 5.9, and why experienced auditors go straight to it.

What control 5.9 says — and where it came from

Annex A control 5.9 requires that an inventory of information and other associated assets, including owners, shall be developed and maintained. The 2022 revision consolidated two controls from the 2013 edition — A.8.1.1 (inventory of assets) and A.8.1.2 (ownership of assets) — into one organisational control within the restructured Annex A of 93 controls. Since the transition window for 2013-edition certificates closed at the end of October 2025, every ISO 27001 audit now runs against this wording. Three phrases carry the weight:

  • “Information and other associated assets” — not just data. Hardware, software, services, facilities and people-dependent assets that store or process information are in scope: the laptop fleet, the comms rooms, the SaaS estate, the backup drives in the safe.
  • “Including owners” — every asset needs a named owner accountable for its classification, handling and lifecycle. Unowned rows in the register are audit findings in waiting.
  • “Developed and maintained” — a point-in-time spreadsheet satisfies neither verb. The supporting guidance in ISO/IEC 27002:2022 expects the inventory to be accurate, up to date and consistent with other inventories, with reviews at planned intervals.

What certification auditors actually test

The audit method is straightforward and unforgiving — sampling in both directions:

  1. Floor to record. The auditor picks devices in the office — a laptop, a switch, a printer — and asks to see them in the inventory, with the right owner, location and classification.
  2. Record to floor. The auditor picks rows from the inventory and asks to be shown the physical asset. Ghost records — devices long disposed of, lost or sitting with ex-employees — surface here.
  3. Process evidence. When was the inventory last verified against reality? Who reviewed it? How do joiners-movers-leavers, procurement and disposal feed it? Recurring nonconformities cluster on exactly these questions.

This is where tool-only inventories fail. Network discovery, MDM and agent-based tools are necessary — but they only see what is powered on, connected and instrumented. The drawer of leaver laptops, the spare switches in the store room, the decommissioned server still racked: invisible to the tool, fully visible to the auditor walking the floor. The fix is the one used for financial assets for decades: a physical, wall-to-wall count reconciled against the system records — floor-to-record and record-to-floor — exactly the discipline behind our IT asset inventory & audit services in the UAE and our broader fixed asset verification practice.

Building an inventory that passes — and stays passed

  • Baseline physically. Count everything once, wall to wall, and tag as you go — barcode, QR or RFID (see asset tagging services in the UAE) — so every subsequent verification is a scan, not an archaeology project.
  • Reconcile the three layers. Physical count, discovery/MDM output and the CMDB or asset register must agree; exceptions get investigated, not overwritten.
  • Assign owners as data, not prose. Owner is a mandatory field keyed to the HR record, so leavers automatically orphan their assets into a review queue.
  • Set a verification cadence. Annual full counts plus cycle counts for mobile, high-risk classes; quarterly for removable media if your risk assessment says so. Document the cadence and keep the count reports — they are the audit evidence.
  • Connect lifecycle events. Procurement, deployment, transfer, repair and disposal each update the inventory in-flow, with secure-disposal certificates attached to the record.
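To make the reconciliation concrete, here is an added example in Python that is not CPCON's tooling or any product the page describes. It takes the three layers named above (a wall-to-wall physical scan, a discovery/MDM export and the asset register) plus an HR feed, and turns every disagreement into an exception queue instead of overwriting the register. The register columns, the HR status values, and every tag ID, employee ID and location are constructed for the example and are assumptions, not data from the page.

```python
"""Three-way reconciliation for a control 5.9 asset inventory (illustrative).

All inputs below are constructed sample data:
  - physical_scan : tag IDs read off barcodes/RFID during the floor count
  - discovery     : tag IDs the discovery/MDM tool saw at scan time
  - register      : the CMDB / asset register rows the auditor samples
  - hr            : employee ID -> status, so ownership is a key, not prose
"""
from dataclasses import dataclass


@dataclass
class RegisterRow:
    tag: str
    name: str
    owner_id: str        # keyed to the HR record; "" means no owner recorded
    location: str
    classification: str
    status: str          # assumed values: "in-service", "spare", "disposed"


def reconcile(register, physical_scan, discovery, hr):
    """Return exception queues mirroring the two audit directions
    (record-to-floor, floor-to-record) plus tooling and ownership checks.
    Nothing in the register is modified; exceptions are for investigation."""
    scanned = set(physical_scan)
    discovered = set(discovery)
    by_tag = {row.tag: row for row in register}
    registered = set(by_tag)
    # "live" rows are the ones the register claims still exist somewhere
    live = {t for t, row in by_tag.items() if row.status != "disposed"}

    return {
        # record-to-floor: the register says it exists, nobody could find it
        "ghost_records": sorted(live - scanned),
        # floor-to-record: found on the floor, absent from the register
        "unrecorded_assets": sorted(scanned - registered),
        # disposed on paper but still physically present: disposal not executed
        "disposed_but_present": sorted((registered - live) & scanned),
        # tooling sees a device the register does not know about
        "discovered_not_registered": sorted(discovered - registered),
        # registered and on the floor but invisible to tooling (powered off,
        # spare, no agent): expected, but each one needs an explanation at review
        "present_not_discovered": sorted((live & scanned) - discovered),
        # ownership checks: blank owner, or owner no longer active in HR
        "unowned": sorted(t for t in live if not by_tag[t].owner_id),
        "orphaned_by_leaver": sorted(
            t for t in live
            if by_tag[t].owner_id and hr.get(by_tag[t].owner_id) != "active"
        ),
    }


def audit_ready(exceptions):
    """True only when every exception queue has been worked down to empty."""
    return all(len(queue) == 0 for queue in exceptions.values())


def sample_reconciliation():
    """Run the reconciliation on constructed data; each row exercises one queue."""
    register = [
        RegisterRow("LT-0001", "laptop", "E100", "HQ 3F", "confidential", "in-service"),
        RegisterRow("LT-0002", "laptop", "E101", "HQ 3F", "confidential", "in-service"),
        RegisterRow("SW-0010", "switch", "", "Comms room A", "internal", "in-service"),
        RegisterRow("SV-0020", "server", "E100", "Comms room A", "confidential", "in-service"),
        RegisterRow("LT-0003", "laptop", "E100", "Store room", "internal", "spare"),
        RegisterRow("SV-0021", "server", "E100", "Comms room A", "confidential", "disposed"),
    ]
    physical_scan = ["LT-0001", "LT-0002", "SW-0010", "LT-0003", "SV-0021", "PR-0500"]
    discovery = ["LT-0001", "LT-0002", "SW-0010", "LT-0099"]
    hr = {"E100": "active", "E101": "left"}
    return reconcile(register, physical_scan, discovery, hr)


if __name__ == "__main__":
    result = sample_reconciliation()
    for queue, tags in result.items():
        print(f"{queue:28s} {tags}")
    print("audit ready:", audit_ready(result))
```

Each queue maps to a question the auditor asks: ghost records and unrecorded assets are the two sampling directions, the discovery comparisons explain why a tool export alone is not enough, and the ownership queues are what an owner field keyed to HR makes possible. The count report that comes out of this run, with each exception dispositioned, is the kind of evidence the cadence step asks you to keep.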

The UAE overlay: PDPL, DIFC and ADGM

For UAE organisations, control 5.9 does double duty. The UAE Personal Data Protection Law — Federal Decree-Law No. 45 of 2021 — expects controllers to implement appropriate technical and organisational measures and to know where personal data is processed and stored. The financial free zones run their own regimes with the same dependency: the DIFC Data Protection Law No. 5 of 2020 and the ADGM Data Protection Regulations 2021 both assume you can map personal data to the systems and devices that hold it. An asset inventory that is wrong about devices produces a data map that is wrong about data — and a breach response that starts with “we did not know that server existed”. Government and critical-infrastructure entities add the UAE Information Assurance Standards, where asset management is a baseline control family. One physically verified inventory, maintained well, feeds all of these programmes plus the seven-year record-keeping the FTA expects behind IT assets in the corporate tax computation.

Where CPCON fits — and where we deliberately do not

CPCON is not a certification body, and we make no claim to ISO or SOC certifications of our own. Certification belongs to your organisation and its accredited auditor. Our role is the part no tool and no policy can do from a desk: 30 years and 4,500+ projects of physical inventory discipline, applied to your estate — the wall-to-wall count, the tagging, the three-way reconciliation and the evidence pack your auditor samples under control 5.9. Banks have used us for exactly this at scale; see how a banking leader improved IT asset visibility.

Frequently asked questions

What does ISO 27001 control 5.9 actually require?

Annex A control 5.9 of ISO/IEC 27001:2022 requires an inventory of information and other associated assets — including their owners — to be developed and maintained. In practice that means a documented, current register covering devices, software, information and supporting assets, each with a named owner, kept accurate through defined review and update routines.

Did the 2022 revision change the asset inventory requirements?

The substance carried over, consolidated. ISO/IEC 27001:2022 merged the 2013 controls A.8.1.1 (inventory of assets) and A.8.1.2 (ownership of assets) into the single control 5.9, within the reorganised Annex A of 93 controls. With the transition window for 2013 certificates closed since October 2025, every surveillance and recertification audit now tests the 2022 wording.

Will an export from our discovery tool satisfy an ISO 27001 auditor?

Usually not on its own. Discovery output proves what was on the network at scan time — it cannot see powered-off devices, spares, leaver laptops in drawers or equipment that never had an agent, and it says nothing about ownership. Auditors test completeness and accuracy in both directions: sample real devices back to the inventory, and inventory records out to the floor. A periodic physical verification is what closes that loop.

How often should the asset inventory be physically verified?

ISO 27001 does not fix a frequency; it requires the inventory to be accurate and up to date, so the cadence must make that true. Common practice we see in the UAE: a wall-to-wall physical baseline, then annual full counts with rolling cycle counts for high-risk classes such as laptops and removable media — accelerated dramatically where assets carry RFID tags.

Is CPCON an ISO 27001 certification body?

No, and we do not claim ISO or SOC certifications of our own. Certification is granted by accredited certification bodies to your organisation. CPCON is the independent counting and reconciliation specialist — 30 years, 4,500+ projects — that delivers the verified asset inventory and evidence trail your certification auditor samples under control 5.9.

How do UAE data protection laws interact with control 5.9?

They test the same artefact from another angle. The UAE PDPL (Federal Decree-Law No. 45 of 2021), the DIFC Data Protection Law No. 5 of 2020 and the ADGM Data Protection Regulations 2021 all expect controllers to know where personal data is processed and stored and to protect it with appropriate measures. An asset inventory that is wrong about devices is a data map that is wrong about data — one verified inventory feeds both programmes.

Ready to scope your project?

Independent, audit-ready asset inventory audit services delivered from our Dubai office across the UAE and the GCC.
