Inventory of Assets

When you start to perform your risk assessment, you will inadvertently have to maintain an inventory of assets. So what is an inventory of assets?

Let's start with an asset. An asset is anything (or anyone) that has some inherent value to the organisation. On it's own, that statement doesn't really mean anything - it simply says anything of value. The problem with value is that is very subjective, so we need some guidance.

Annex A.8 has detailed control requirements around how assets should be managed.

Let's take a look at ISO 27005. It has some examples of what an asset could be.

Examples of assets categories

Procedure for asset management

When defining your inventory of assets for the purposes of your ISMS, you should define two lists.

In another example, when performing a risk assessment for your ISMS, you won't necessarily perform a risk assessment against a single server that may be hosted in your local computer room, instead, you'll do a risk assessment for all servers.

Consider for a moment that the risk of malware infecting your network. It will be highly impractical if you were to perform the same risk assessment against every single server and workstation in your environment. Instead, it makes a lot more sense to simply state a risk of malware infection on all Windows servers can disrupt business operations. Similarly, you can have Windows Servers listed as an asset on your inventory of assets. The Secondary List can contain the specific list of every individual server.


Every asset is different. Some are more important than others. Consider the CIA of the asset. Some assets (like payroll data) may highly confidential, but do not need to be available all the time. Your corporate website may not be confidential at all, but if suppliers can't access your information, you could lose potential sales, so the availability becomes critical. Other information, like sales data being tramsitted over EDI, may not be very confidential, but the integrity of the data is crucial, as wrong data could result in incorrect orders being shipped (imagine someone changing an order for 10 new laptops to 10,000 new laptops -- that's a huge embarrasment if you were to sent 9,990 more machines to the customer than what they ordered, not to mention the revenue loss!)

When we summarize the CIA criticaility for each of the assets, we'll get a sense of where the importance of our assets are. By using the highest rating, you end up with the organisation's result for the impact of the asset.

Asset Confidential Integrity Availability Result
Payroll data 3 2 1 3
Corporate website 1 2 2 2
EDI Sales Order 1 3 2 3

The result of your assessment can be captured in your inventory of assets.

Asset Inventory Example

You can now create the inventory. Feel free to expand on the fields if you believe you need to capture additional information. Do not forget to follow the principles of document management when you create this important document.

Category Identifier Owner Classification Date Reviewed
Hardware Windows Servers (list to server list) B.Gates 3 2022.01.30
Software eCommerce websites J.Bezos 2 2021.09.20
Hardware Electric Vehicles E.Musk 2 2022.02.20