IT Asset Management for ISO 27001:2022 Compliance

Name: IT Asset Management for ISO 27001:2022 Compliance
Rating: 4.2 (132 reviews)

Master information asset identification, classification, lifecycle, and Annex A controls A.5.9 through A.5.14

Role Play

Created byISO Horizon

Last updated 5/2026

English

What you'll learn

Identify and document every category of information asset required by ISO/IEC 27001:2022
Implement Annex A controls A.5.9 through A.5.14 with policies, procedures, and evidence auditors will accept
Design a classification scheme that rates assets across confidentiality, integrity, and availability
Build and maintain an asset register that survives cloud, mobile, and dynamic environments
Assign asset ownership and custodianship to satisfy ISO/IEC 27005:2022 risk assessment inputs
Manage the full asset lifecycle from acquisition to secure disposal under NIST SP 800-88 Rev. 1
Integrate your ISMS asset register with CMDB and software asset management platforms
Discover and govern shadow IT across SaaS and cloud environments using modern tooling

Course content

6 sections • 27 lectures

What Is an Information Asset8:42
Welcome to the foundational concept that drives every information security program. An information asset is anything of value to the organization that stores, processes, transmits, or supports information, and ISO/IEC 27001:2022 expects you to know exactly what you have before you protect it. You will learn the formal definition adopted by ISO/IEC 27000, the difference between primary assets such as business information and supporting assets such as servers and people, and why value is judged through the lens of confidentiality, integrity, and availability rather than purchase price. Concrete examples will ground the concept: a customer database, the laptop it sits on, the database administrator who maintains it, the air-conditioned server room that keeps it running, and even the brand reputation that depends on its protection. By the end you will be able to look at any business process and identify the chain of assets that quietly support it.
ISO 27001:2022 Asset Management Requirements at a Glance8:16
ISO/IEC 27001:2022 weaves asset management through the main clauses and Annex A, and you need a clear mental map of where the requirements live. This lecture walks you through Clause 6.1.2 risk assessment expectations that depend on knowing your assets, Clause 8 operational planning where asset controls are executed, and the six Annex A controls that govern assets directly: A.5.9 inventory of information and other associated assets, A.5.10 acceptable use, A.5.11 return of assets, A.5.12 classification of information, A.5.13 labelling of information, and A.5.14 information transfer. You will also see how the 2022 revision consolidated and renumbered the older A.8 asset management family from the 2013 edition, and how the four new attributes — control type, information security properties, cybersecurity concepts, and operational capabilities — help you tag asset controls inside your Statement of Applicability.
Asset Categories: Hardware, Software, Data, People, Services, and Facilities7:48
An asset register that only lists laptops is an audit finding waiting to happen. ISO/IEC 27001:2022 and its companion guidance ISO/IEC 27005 expect you to recognize a full spectrum of asset types, and this lecture walks through each one with vivid examples. Hardware includes servers, network gear, mobile devices, and IoT sensors. Software covers operating systems, applications, firmware, and APIs. Data ranges from structured databases to unstructured documents, backups, and logs. People are assets because of the knowledge they hold and the access they wield. Services include outsourced cloud platforms, managed security providers, and even utilities like power and internet connectivity. Facilities cover data centres, offices, and secure storage. Intangible assets such as reputation, intellectual property, and licences round out the picture. You will leave with a checklist mindset that ensures no category is forgotten when you build your inventory.
Why Asset Management Is the Backbone of Your ISMS8:13
Every other ISMS process — risk assessment, access control, incident response, business continuity, supplier management — depends on knowing what you are protecting. This lecture makes the business case crystal clear. You will see how a complete and accurate asset register slashes incident response times, prevents licence overspending, accelerates audits, and gives executives the visibility they need to fund security properly. Real-world cautionary tales illustrate what happens when assets go untracked: forgotten servers running unpatched software, ex-employees with active accounts, shadow SaaS subscriptions leaking customer data, and end-of-life equipment dumped without secure wiping. You will also see how asset management aligns ISO 27001 with adjacent frameworks like NIST CSF, CIS Controls v8, and ITIL 4, so your investment pays dividends across the entire governance landscape.
Section 1 Quiz: Foundations of Information Asset Management in ISO 27001
Roleplay: Foundations of Information Asset Management in ISO 27001

Asset Identification Methods That Actually Work8:39
You cannot inventory what you cannot find, and ISO/IEC 27001:2022 control A.5.9 requires a complete inventory of information and other associated assets. This lecture teaches three complementary identification methods used by mature ISMS programs. Top-down identification starts with business processes and traces the information they consume and the systems that support them. Bottom-up identification scans networks, endpoints, and cloud tenants to discover what is actually running. Documentation review mines existing sources like procurement records, CMDB entries, HR systems, and finance asset registers for assets already known elsewhere. You will learn how to combine all three so nothing slips through the cracks, how to scope the exercise so it does not boil the ocean, and how to handle awkward edge cases like personal devices under BYOD policies and ephemeral cloud workloads that exist for only minutes.
Designing the Asset Register Structure9:39
A good asset register is more than a spreadsheet of serial numbers. ISO/IEC 27005:2022 and ISO/IEC 27001:2022 Annex A.5.9 expect each entry to carry enough metadata to drive risk assessment and control selection. This lecture walks you through the fields a defensible register must include: unique asset identifier, asset name and description, asset type and category, location, owner, custodian, classification level, business process supported, dependencies on other assets, lifecycle stage, and review date. You will see sample register templates for small organizations using spreadsheets and for larger ones using dedicated GRC platforms or CMDB-integrated systems. Practical guidance covers how to handle grouping when individual assets are too numerous to list separately, such as treating an entire fleet of identical workstations as a single asset class with summary attributes.
Asset Ownership and Custodianship8:35
Every asset needs a named owner — a person, not a department — who is accountable for its protection. ISO/IEC 27001:2022 makes ownership a cornerstone of Annex A.5.9 because without it controls never get implemented and risks never get treated. This lecture clarifies the often-confused distinction between asset owner and asset custodian. The owner is typically a business manager who understands the asset's value and makes decisions about its classification, access, and acceptable use. The custodian is usually an IT or operations role responsible for day-to-day protection: backups, patching, monitoring, and physical security. You will learn how to assign ownership for tricky cases like shared infrastructure, cloud services owned by vendors, and information assets that span multiple business units, plus how to document ownership transitions when people change roles or leave.
Discovery Tools and Automated Inventory8:53
Manual inventories go stale the moment they are published. Modern ISMS programs rely on automated discovery to keep asset registers current, and this lecture surveys the tooling landscape. Network scanners like Nmap and Lansweeper find devices on the wire. Endpoint management platforms such as Microsoft Intune, Jamf, and ManageEngine inventory laptops and mobile devices. Cloud-native tools like AWS Config, Azure Resource Graph, and Google Cloud Asset Inventory track ephemeral workloads. SaaS management platforms such as Torii and Zylo discover unsanctioned applications by analyzing single sign-on logs and expense reports. Vulnerability scanners double as discovery tools, and CMDBs like ServiceNow consolidate the feeds. You will learn how to architect a multi-source discovery pipeline that reconciles overlapping data, flags discrepancies, and feeds a single source of truth that your auditors can trust.
Keeping the Register Accurate in Dynamic Environments9:56
Cloud autoscaling, container orchestration, and continuous deployment mean assets appear and disappear by the second. ISO/IEC 27001:2022 still expects your inventory to be accurate, so you need a strategy that survives velocity. This lecture covers event-driven inventory updates triggered by infrastructure-as-code pipelines, periodic reconciliation jobs that compare discovered state against the register, and exception workflows that escalate orphaned or unmanaged assets to owners. You will learn how to set realistic refresh cadences for different asset classes — real-time for cloud workloads, daily for endpoints, weekly for facilities — and how to define acceptable variance thresholds before an auditor calls your register stale. Governance practices such as quarterly owner attestations, annual full reviews, and change-management integration round out a register that stays alive rather than dying on the shelf.
Section 2 Quiz: Building and Maintaining the Asset Inventory — Control A.5.9
Roleplay: Building and Maintaining the Asset Inventory — Control A.5.9

Designing an Information Classification Scheme8:26
ISO/IEC 27001:2022 Annex A.5.12 requires information to be classified according to the organization's information security needs based on confidentiality, integrity, availability, and relevant interested party requirements. This lecture teaches you how to design a scheme that is usable rather than theoretical. You will learn the classic four-tier model — Public, Internal, Confidential, Restricted — used by many enterprises, and the alternative three-tier and five-tier models that suit smaller or highly regulated organizations. The lecture grounds each level in concrete examples: marketing brochures as Public, internal org charts as Internal, customer financial records as Confidential, and strategic acquisition plans or regulated personal data as Restricted. You will also see how to align your scheme with sector-specific frameworks like the US Federal Information Processing Standard 199, the UK Government Security Classifications Policy, and NATO classification markings when interoperability is required.
Confidentiality, Integrity, and Availability Levels9:01
Classification is not only about secrecy. ISO/IEC 27001:2022 and ISO/IEC 27005:2022 expect you to evaluate each asset across the full CIA triad because some assets demand high integrity or availability even if their confidentiality is low. This lecture teaches you how to define separate rating scales for each property — typically low, medium, high, and sometimes very high — and how to score assets against each. A public web server may rate low for confidentiality but very high for availability. A financial ledger rates very high for integrity because tampered figures could be more damaging than leaked ones. You will learn how to combine the three ratings into an overall asset criticality score, how to handle assets where the three properties pull in different directions, and how the resulting profile drives control selection downstream in your risk treatment plan.
Labelling Information and Associated Assets7:38
ISO/IEC 27001:2022 Annex A.5.13 requires an appropriate set of procedures for information labelling to be developed and implemented in accordance with the classification scheme. Labels make classification visible so people handle assets correctly. This lecture covers the spectrum of labelling techniques: visual headers and footers on documents, watermarks on sensitive printouts, coloured folder tabs for physical records, metadata tags embedded in files using tools like Microsoft Purview Information Protection and Google Workspace labels, email subject prefixes, and asset tags on hardware. You will learn the difference between persistent labels that travel with the data and contextual labels applied by systems based on location or recipient, plus the special challenges of labelling unstructured data, voice recordings, and information shared with third parties who may not honour your scheme.
Handling Rules by Classification Level7:11
Classification only delivers value when it drives behaviour. This lecture translates classification levels into concrete handling rules covering storage, transmission, access, copying, printing, retention, and destruction. You will see a complete handling matrix that maps each classification level to allowed actions: Public information may be posted to the corporate website, Internal information may be shared inside the company network but not externally, Confidential information requires encryption in transit and at rest plus access logging, and Restricted information demands multi-factor authentication, geographic restrictions, and approval workflows for any sharing. The lecture also covers how to handle aggregation effects where low-classification data combined together becomes high-classification, how to manage reclassification as information ages or context changes, and how to communicate handling rules through training and just-in-time prompts embedded in collaboration tools.
Section 3 Quiz: Information Classification and Labelling — Controls A.5.12 and A.5.13
Roleplay: Information Classification and Labelling — Controls A.5.12 and A.5.13

Acceptable Use of Information and Associated Assets — Control A.5.107:16
ISO/IEC 27001:2022 Annex A.5.10 requires rules for the acceptable use of information and other associated assets to be identified, documented, and implemented. This lecture shows you how to build an acceptable use policy that employees will actually read and follow. You will learn the essential clauses every AUP needs: authorized purposes, prohibited activities such as personal cryptocurrency mining or unauthorized software installation, expectations around personal use of corporate devices, monitoring disclosures, rules for connecting personal devices to corporate networks, and consequences for violations. The lecture covers how to tailor the AUP to different audiences — employees, contractors, third parties, privileged users — and how to obtain documented acknowledgement during onboarding and after material updates. You will also see how to integrate the AUP with disciplinary processes and data protection notices so it stands up legally.
Return of Assets at Termination — Control A.5.119:19
ISO/IEC 27001:2022 Annex A.5.11 requires personnel and other interested parties to return all the organization's assets in their possession upon change or termination of their employment, contract, or agreement. This lecture builds an end-to-end offboarding process that closes every loop. You will learn how to maintain a per-person asset assignment list throughout employment, how to trigger return workflows from HR systems on the day notice is given, how to track physical returns of laptops, phones, badges, tokens, and storage media, and how to handle the trickier question of intellectual asset return — proprietary knowledge, customer relationships, and information stored in personal cloud accounts or notebooks. Special procedures for remote workers who must ship equipment back, contractors whose engagements end abruptly, and departures under unfriendly terms ensure no gap in coverage.
Secure Information Transfer — Control A.5.1410:22
ISO/IEC 27001:2022 Annex A.5.14 requires information transfer rules, procedures, or agreements to be in place for all types of transfer facilities within the organization and between the organization and other parties. This lecture covers the full landscape of information transfer: electronic transfer via email, file sharing platforms, and APIs; physical transfer of documents and storage media via post or courier; and verbal transfer in meetings and phone calls. You will learn how to select appropriate cryptographic protection for each transfer channel, how to negotiate non-disclosure agreements and data sharing agreements with external parties, how to handle cross-border transfers under regimes like the EU GDPR and the UK Data Protection Act 2018, and how to use approved channels such as managed file transfer platforms, encrypted email gateways, and Data Loss Prevention enforcement to keep information from leaking through unsanctioned routes.
Asset Handling Across the Day-to-Day9:45
Beyond the named Annex A controls, daily asset handling involves dozens of small decisions that either reinforce or undermine your ISMS. This lecture walks through the operational rhythm: clean desk and clear screen practices that protect physical and on-screen information, secure printing workflows that release jobs only when the user authenticates at the printer, removable media controls that block USB drives by default, mobile device management profiles that enforce encryption and remote wipe, and visitor management procedures that protect facilities-based assets. You will see how to translate ISO/IEC 27001:2022 expectations into laminated desk guides, kitchen-poster reminders, and onboarding videos that make secure handling the path of least resistance rather than a bureaucratic burden. The lecture also covers how to monitor compliance through walkthroughs, automated DLP alerts, and periodic mystery-shopper exercises.
Section 4 Quiz: Acceptable Use, Return, and Transfer — Controls A.5.10, A.5.11, A.5.14
Roleplay: Acceptable Use, Return, and Transfer — Controls A.5.10, A.5.11, A.5.14

Acquisition and Secure Provisioning12:24
An asset's security posture is largely set the moment it enters the organization, so ISO/IEC 27001:2022 expects controls to start at acquisition. This lecture covers procurement-stage security requirements: supplier due diligence aligned with Annex A.5.19 through A.5.23, security clauses in purchase orders and contracts, hardware authenticity checks to spot counterfeit components, software supply chain attestations such as SBOMs and SLSA provenance, and licence verification to keep software asset management auditable. You will then walk through secure provisioning steps: baseline hardening using benchmarks like CIS or DISA STIGs, joining devices to identity and management platforms, enrolment in endpoint detection tools, registration in the asset register with full metadata, and assignment to a named owner. By the time the asset is handed to its user, every downstream control already has a foothold.
Operational Use and Maintenance8:07
Most of an asset's life is spent in steady-state operation, and this is where complacency creeps in. ISO/IEC 27001:2022 expects continuous maintenance of security throughout the operational phase. This lecture covers the operational rhythm: vulnerability scanning and patch management aligned with Annex A.8.8, configuration drift detection, certificate and licence renewal tracking, capacity and performance monitoring that flags availability risks, periodic access reviews tied to ownership, and scheduled health checks that verify the asset still serves its intended business purpose. You will learn how to handle planned changes through formal change management, how to integrate asset events with the ISMS so a server reaching end-of-support automatically opens a risk treatment task, and how to balance the cost of maintenance against the residual risk of running ageing infrastructure.
Secure Disposal and Decommissioning8:14
End of life is the most overlooked phase and one of the most dangerous. ISO/IEC 27001:2022 Annex A.7.14 covers secure disposal or re-use of equipment, and this lecture turns that requirement into a defensible process. You will learn approved data sanitization methods aligned with NIST Special Publication 800-88 Revision 1 guidelines for media sanitization: clear, purge, and destroy techniques chosen based on media type and data classification. The lecture covers cryptographic erasure for self-encrypting drives, physical destruction by shredding or degaussing for highly classified media, and certified third-party disposal services that provide certificates of destruction. You will also see how to handle cloud asset decommissioning where physical destruction is impossible, how to reclaim licences and revoke certificates, how to update the asset register and CMDB, and how to capture lessons learned for the next refresh cycle.
Lifecycle Governance and Refresh Planning8:20
Lifecycle management only works if someone is steering it. This lecture covers the governance layer that keeps assets moving through their stages on time. You will learn how to set technology refresh policies that balance security, cost, and sustainability — typically three to five years for endpoints, longer for infrastructure — and how to forecast refresh budgets using register data on age and end-of-support dates. The lecture covers stage-gate reviews that confirm an asset is ready to move from pilot to production or from production to retirement, key performance indicators such as mean asset age, percentage of assets past end-of-support, and time-to-decommission, and reporting templates that give the CISO and CFO a shared view. You will also see how to align refresh cycles with ISO 27001 management review inputs so investment decisions are traceable to risk.
Section 5 Quiz: Asset Lifecycle Management from Acquisition to Disposal
Roleplay: Asset Lifecycle Management from Acquisition to Disposal

The Asset Register as the Input to Risk Assessment9:00
ISO/IEC 27001:2022 Clause 6.1.2 requires a documented information security risk assessment process, and ISO/IEC 27005:2022 explicitly identifies assets as one of the primary inputs. This lecture shows you how to drive risk identification from the asset register. You will learn how to walk each asset through threat catalogues such as ENISA's threat landscape or the MITRE ATT&CK framework, identify applicable vulnerabilities, and estimate likelihood and impact in terms of the asset's CIA ratings. The lecture covers asset-based methodologies favoured by many ISO 27001 implementers, scenario-based methodologies that group assets by business process, and hybrid approaches that combine both for completeness. You will see how to avoid the common trap of risk-register-by-asset explosion that produces thousands of trivial entries no one will ever treat.
Asset Value, Risk Appetite, and Control Selection9:43
Classification and asset value translate directly into how much protection an asset deserves, and ISO/IEC 27001:2022 expects this linkage to be explicit. This lecture teaches you how to convert classification levels and CIA ratings into risk appetite statements that guide control selection from Annex A. You will see how a Restricted asset with high confidentiality automatically inherits strong access controls, encryption, monitoring, and audit logging requirements, while a Public asset with high availability inherits redundancy and capacity controls without the cryptographic overhead. The lecture covers how to document this logic in your Statement of Applicability so auditors can trace any selected control back to the assets and risks that justify it, and how to handle exceptions where the business chooses to accept residual risk above the appetite for cost or usability reasons.
Integrating with CMDB and Software Asset Management8:31
Few organizations have the luxury of building an ISO 27001 asset register from scratch — most have an existing Configuration Management Database and a Software Asset Management platform. This lecture shows you how to integrate rather than duplicate. You will learn how the CMDB, typically built on ITIL 4 service management principles in tools like ServiceNow or BMC Helix, can serve as the technical backbone of your ISMS asset register if you extend it with classification, ownership, and risk fields. SAM platforms such as Flexera or Snow Software contribute licence and software inventory data that satisfies parts of A.5.9 while preventing costly licence audit failures. The lecture covers field mapping, synchronization patterns, governance committees that prevent the two registers from diverging, and how to present a unified view to ISO 27001 auditors who want one source of truth.
Cloud Asset Management Challenges7:43
Cloud breaks many of the assumptions baked into traditional asset management. Resources spin up and down by the second, ownership is shared between you and the provider under shared responsibility models, and visibility depends on APIs rather than physical sight. This lecture tackles ISO 27001 asset management in AWS, Azure, Google Cloud, and SaaS environments. You will learn how to use native tools like AWS Config, Azure Resource Graph, and Google Cloud Asset Inventory to build dynamic registers, how to apply tagging strategies that map cloud resources to business owners and classification levels, how to handle the asset definition of an entire SaaS tenant versus the individual records inside it, and how to negotiate the contractual right to inventory and audit data from your providers under Annex A.5.19 supplier relationships and A.5.23 information security for use of cloud services.
Shadow IT Discovery and Control12:26
Shadow IT — assets acquired and used outside official channels — is the silent killer of asset registers and a frequent ISO 27001 audit finding. This lecture teaches you how to find what people are hiding without becoming the enemy of innovation. You will learn discovery techniques using Cloud Access Security Broker tools like Microsoft Defender for Cloud Apps and Netskope, expense report analysis to spot SaaS subscriptions paid on credit cards, DNS and proxy log mining, and single sign-on analytics. The lecture covers the diplomatic response: a fast-track sanctioning process that brings discovered tools into the register and under appropriate controls when they meet a real business need, and a graceful retirement process when they do not. You will also see how to address the root causes — slow procurement, restrictive policies, missing capabilities — that drive shadow IT in the first place.
Audit Readiness and Continuous Improvement9:02
The final test of your asset management programme is the certification audit. ISO/IEC 27001:2022 auditors will sample your asset register, trace selected assets to their owners and classifications, verify handling rules are implemented, and check disposal records. This lecture walks you through audit-readiness practices: maintaining evidence files for each Annex A control from A.5.9 through A.5.14, running internal audits aligned with ISO 19011 guidelines six months before the external audit, conducting management reviews under Clause 9.3 that examine asset management KPIs, and tracking nonconformities to closure under Clause 10.1. You will also learn continuous improvement techniques: maturity assessments using models like the Open Information Security Management Maturity Model, benchmarking against industry peers, and feeding lessons from incidents and audits back into your asset processes so each certification cycle leaves you stronger than the last.
Section 6 Quiz: Risk, Integration, and Modern Asset Management Challenges
Roleplay: Risk, Integration, and Modern Asset Management Challenges

Requirements

Basic familiarity with information security concepts such as the CIA triad
General awareness of ISO/IEC 27001 as a management system standard
Working knowledge of typical IT environments including endpoints, servers, and cloud services
No prior asset management or auditing experience required

Description

Information assets are the lifeblood of every modern organization, and ISO/IEC 27001:2022 makes one thing crystal clear: you cannot secure what you have not identified, classified, and assigned an owner. Yet most ISMS implementations stumble at exactly this point — asset registers go stale within weeks, classification schemes gather dust, shadow IT proliferates unchecked, and certification auditors find gaps that derail the project. This course gives you the practical playbook to make IT asset management the rock-solid foundation of a defensible ISO 27001 programme.

Across six focused sections you will learn the formal definition of an information asset, the six asset-related Annex A controls — A.5.9 inventory of information and other associated assets, A.5.10 acceptable use of information, A.5.11 return of assets, A.5.12 classification of information, A.5.13 labelling of information, and A.5.14 information transfer — and exactly how to implement each one. You will design a multi-tier classification scheme grounded in confidentiality, integrity, and availability ratings, build an asset register that satisfies auditors using both manual and automated discovery techniques, and assign ownership and custodianship to named individuals in line with ISO/IEC 27005:2022 guidance.

The course is built for information security managers, ISMS implementers, IT asset managers, internal auditors, and compliance officers who need to operationalize ISO 27001:2022 asset controls without reinventing the wheel. You will cover the full asset lifecycle from acquisition through secure disposal aligned with NIST SP 800-88 Rev. 1, integrate your ISMS register with existing CMDB and software asset management platforms, conquer the visibility challenges of cloud and SaaS environments, hunt down shadow IT diplomatically, and use the asset register as the engine that drives risk assessment, control selection, and your Statement of Applicability.

Unlike generic ISO 27001 overviews, this course goes deep on one mission-critical domain and gives you the templates, decision frameworks, and audit-ready practices that make the difference between a certificate on the wall and an ISMS that actually protects the business. Enroll now and turn asset management from your weakest link into your strongest argument the next time a certification auditor walks through the door.

Who this course is for:

Information security managers responsible for ISO 27001 implementation
IT asset managers extending their remit into security and compliance
ISMS implementers and consultants supporting certification projects
Internal auditors and compliance officers reviewing asset-related controls
IT operations and governance professionals integrating CMDB with security

IT Asset Management for ISO 27001:2022 Compliance

What you'll learn

Explore related topics

Course content

Section 1: Foundations of Information Asset Management in ISO 270015 lectures • 33min

Section 2: Building and Maintaining the Asset Inventory — Control A.5.96 lectures • 46min

Section 3: Information Classification and Labelling — Controls A.5.12 and A.5.135 lectures • 32min

Section 4: Acceptable Use, Return, and Transfer — Controls A.5.10, A.5.11, A.5.145 lectures • 37min

Section 5: Asset Lifecycle Management from Acquisition to Disposal5 lectures • 37min

Section 6: Risk, Integration, and Modern Asset Management Challenges7 lectures • 56min

Requirements

Description

Who this course is for: