Control 5.9: Inventory of Information and Other Associated Assets
Summary
The organization must identify its information and other associated assets and maintain an inventory of these assets. You cannot protect what you do not know exists; a complete inventory is the baseline for all subsequent security controls.
Applicability
In-Scope: Essential for all organizations. This is the foundation for risk assessment, asset protection, and incident response management.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Hardware Inventory: Use Microsoft Intune to automatically discover and inventory all managed devices (laptops, mobiles, tablets) connecting to the tenant.
- Software Inventory: Utilize the Endpoint Manager dashboard to view and manage all applications installed on company-managed devices.
- Information Assets: Use Microsoft Purview Information Protection to scan and label sensitive data residing in SharePoint, OneDrive, and Exchange.
Evidence Checklist
- Asset Inventory: A central list or database of hardware, software, and information assets.
- Owner Assignment: Evidence that every asset or group of assets in the inventory has a designated asset owner.
- Maintenance Logs: Records showing that the inventory is periodically reviewed and updated to reflect retired or new assets.
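The Intune hardware-inventory guidance above and the Owner Assignment and Maintenance Logs evidence items come together in a periodic reconciliation: pull the devices Intune actually manages, compare them with the asset register, and keep the dated result. The script below is an added example written for this page, not Microsoft's code or anything shipped with Intune. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account holds the DeviceManagementManagedDevices.Read.All permission, and that the register is a CSV with the hypothetical columns SerialNumber, AssetOwner and Status; the file path and the 30-day staleness threshold are placeholders to adjust.

```powershell
# Added example (not from the original page): reconcile the Intune managed-device
# inventory with an asset register kept as CSV. Assumptions: the Microsoft.Graph
# PowerShell SDK is installed, the signed-in account can read managed devices, and
# the register CSV has the hypothetical columns SerialNumber, AssetOwner, Status.
#Requires -Modules Microsoft.Graph.DeviceManagement

param(
    [string]$RegisterPath = '.\asset-register.csv',   # hypothetical path to the register
    [int]$StaleDays = 30                               # devices silent this long are flagged
)

function Compare-AssetInventory {
    param(
        [Parameter(Mandatory)] $IntuneDevices,   # objects with DeviceName, SerialNumber, UserPrincipalName, LastSyncDateTime
        [Parameter(Mandatory)] $Register,        # objects with SerialNumber, AssetOwner, Status
        [int]$StaleDays = 30
    )
    $cutoff     = (Get-Date).AddDays(-$StaleDays)
    $registered = @{}
    foreach ($row in $Register) {
        if ($row.SerialNumber) { $registered[$row.SerialNumber.Trim().ToUpper()] = $row }
    }
    $seen     = @{}
    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($d in $IntuneDevices) {
        $serial = ([string]$d.SerialNumber).Trim().ToUpper()
        if (-not $serial) {
            # Without a serial number the device cannot be matched to the register at all.
            $findings.Add([pscustomobject]@{ Finding = 'NoSerial'; Device = $d.DeviceName; Detail = 'Cannot be matched to register' })
            continue
        }
        $seen[$serial] = $true
        if (-not $registered.ContainsKey($serial)) {
            # Managed by Intune but never recorded: the inventory is incomplete.
            $findings.Add([pscustomobject]@{ Finding = 'NotInRegister'; Device = $d.DeviceName; Detail = "Serial $serial, user $($d.UserPrincipalName)" })
        }
        elseif (-not $registered[$serial].AssetOwner) {
            # Recorded, but nobody is accountable for it (Owner Assignment evidence gap).
            $findings.Add([pscustomobject]@{ Finding = 'NoOwner'; Device = $d.DeviceName; Detail = "Serial $serial has no assigned owner" })
        }
        if ($d.LastSyncDateTime -and $d.LastSyncDateTime -lt $cutoff) {
            # Not checked in for a while: possibly lost, retired, or sitting unprotected.
            $findings.Add([pscustomobject]@{ Finding = 'Stale'; Device = $d.DeviceName; Detail = "Last sync $($d.LastSyncDateTime.ToString('u'))" })
        }
    }
    # Register entries still marked Active that Intune no longer sees: retired without
    # updating the register, or a device that has slipped out of management.
    foreach ($entry in $registered.GetEnumerator()) {
        if (-not $seen.ContainsKey($entry.Key) -and $entry.Value.Status -eq 'Active') {
            $findings.Add([pscustomobject]@{ Finding = 'NotInIntune'; Device = $entry.Key; Detail = 'Active in register but not managed by Intune' })
        }
    }
    return $findings
}

# Live run: pull every managed device in the tenant through Microsoft Graph.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome
$devices  = Get-MgDeviceManagementManagedDevice -All |
            Select-Object DeviceName, SerialNumber, UserPrincipalName, LastSyncDateTime, OperatingSystem
$register = Import-Csv -Path $RegisterPath

$findings = Compare-AssetInventory -IntuneDevices $devices -Register $register -StaleDays $StaleDays
$findings | Sort-Object Finding | Format-Table -AutoSize

# Keep the dated report: it is the Maintenance Logs evidence that the review happened.
$findings | Export-Csv -Path ("inventory-review-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
```

Because the comparison lives in a function that takes plain objects, the same logic can be fed an Intune CSV export or a constructed sample for a dry run without connecting to Graph. The five finding types map directly to the audit questions that follow: NotInRegister and NotInIntune show whether the register tracks reality, NoOwner shows the ownership gap, and Stale points at devices that need a decision before the next review.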
Practical Audit Advice
Here are some questions the auditor might ask:
- How does the organization ensure that the asset inventory remains accurate and up-to-date in a dynamic environment?
- Who is responsible for defining the classification and protection requirements for a new type of information asset?
- Can you demonstrate how you track Shadow IT or unmanaged applications that may be storing company data?
- How do you link the assets in your inventory to the specific risks identified in your risk register?