A.5.9 / A.5.12 — Is there an inventory of information and assets, classified by sensitivity?
Demonstrate that the organization maintains a complete, current inventory of information and supporting assets, each classified by sensitivity level and mapped to responsible owners.
Description
What this control does
This control requires the organization to maintain a current, centralized inventory of all information assets (databases, file repositories, documents, intellectual property) and supporting physical/logical assets (servers, applications, network devices, cloud services), each tagged with an owner, location, and sensitivity classification (e.g., Public, Internal, Confidential, Restricted). The classification determines handling, access, retention, and protection requirements. Without this inventory, organizations cannot apply risk-proportionate controls, track data flows, or fulfill regulatory disclosure obligations.
Control objective
What auditing this proves
Demonstrate that the organization maintains a complete, current inventory of information and supporting assets, each classified by sensitivity level and mapped to responsible owners.
Associated risks
Risks this control addresses
- Unauthorized access to sensitive data assets that are unknown, unmonitored, or misclassified as lower sensitivity
- Inability to scope incident response or breach notification due to incomplete asset visibility and missing data classification records
- Over-provisioning or under-provisioning security controls because asset criticality and sensitivity are not systematically documented
- Compliance violations when regulated data (PII, PHI, PCI cardholder data) resides on systems not identified in the inventory or classified incorrectly
- Shadow IT and unmanaged cloud resources proliferating without classification, creating uncontrolled data egress paths
- Loss of intellectual property or competitive advantage when high-value information assets are not inventoried and lack protective controls
- Inefficient decommissioning or data retention management when asset lifecycle status and classification dependencies are undocumented
Testing procedure
How an auditor verifies this control
- Obtain the current asset inventory register, including both information assets (databases, file shares, document repositories) and supporting infrastructure (servers, applications, cloud services).
- Review the organization's information classification policy and scheme to identify defined sensitivity labels (e.g., Public, Internal, Confidential, Restricted) and corresponding handling requirements.
- Select a representative sample of 15-20 assets spanning different asset types, business units, and locations from the inventory register.
- For each sampled asset, verify the presence of mandatory metadata: asset owner, custodian (if applicable), physical/logical location, classification level, and last review date.
- Cross-reference sampled assets against source systems (CMDB, cloud management console, Active Directory, SaaS inventory tools) to confirm the inventory records match deployed reality.
- Conduct interviews with 3-5 asset owners to verify they acknowledge ownership, understand the assigned classification, and apply corresponding protection measures.
- Perform a discovery scan or walkthrough of one business unit or system boundary to identify undocumented assets (shadow IT, orphaned databases, personal file shares) not present in the inventory.
- Review evidence of periodic inventory review cycles (e.g., quarterly attestations, automated reconciliation reports) and validate that classification assignments are reassessed when asset content or use changes.
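The metadata check, source-system cross-reference and discovery-gap steps above can be run as a single reconciliation pass over the register. The script below is an added example, not part of the control text or any particular audit toolkit: it takes a constructed inventory register and a constructed discovery export (standing in for a CMDB or cloud console dump), verifies the mandatory fields and review age for each record, validates labels against the four-level scheme named in the control, flags records whose label is lower than the regulated data found on the asset requires, and lists assets seen by discovery but absent from the register. The data-type-to-minimum-label mapping, the one-year review cycle and the audit date are assumptions for the example, not requirements stated by the control.

```python
"""Reconcile an asset inventory register against a discovery source.

Added example (not part of the control text): it checks the mandatory
metadata the testing procedure lists (owner, location, classification,
last review date), validates labels against the classification scheme,
and flags assets found by discovery but missing from the register.
All inventory records and discovery results below are constructed.
"""
from datetime import date

# Classification scheme from the control text, lowest to highest sensitivity.
CLASSIFICATION_LEVELS = ["Public", "Internal", "Confidential", "Restricted"]

# Minimum label required when an asset holds a given regulated data type.
# Assumed policy mapping for this example, not taken from the control text.
MINIMUM_LEVEL_FOR_DATA = {"PII": "Confidential", "PHI": "Restricted", "PCI": "Restricted"}

REQUIRED_FIELDS = ("asset_id", "owner", "location", "classification", "last_review")
MAX_REVIEW_AGE_DAYS = 365          # assumed annual review cycle
AS_OF = date(2024, 9, 1)           # constructed audit date

# Constructed inventory register (what the organization says it has).
INVENTORY = [
    {"asset_id": "db-crm-01", "owner": "sales-it", "location": "eu-west-1",
     "classification": "Confidential", "last_review": date(2024, 3, 1)},
    {"asset_id": "fs-hr-share", "owner": "", "location": "dc-2",
     "classification": "Internal", "last_review": date(2022, 1, 15)},
    {"asset_id": "app-billing", "owner": "finance-it", "location": "eu-west-1",
     "classification": "Secret", "last_review": date(2024, 6, 1)},
    {"asset_id": "srv-old-build", "owner": "platform", "location": "dc-1",
     "classification": "Internal", "last_review": date(2024, 2, 10)},
]

# Constructed discovery export (e.g. a cloud console or CMDB dump) with the
# regulated data types a content scanner tagged on each asset.
DISCOVERED = {
    "db-crm-01": {"data_types": ["PII"]},
    "fs-hr-share": {"data_types": ["PII", "PHI"]},
    "app-billing": {"data_types": ["PCI"]},
    "bucket-marketing-tmp": {"data_types": ["PII"]},   # shadow IT, not in register
}


def level_index(label):
    """Rank a classification label; unknown labels rank below Public."""
    return CLASSIFICATION_LEVELS.index(label) if label in CLASSIFICATION_LEVELS else -1


def check_metadata(asset, today):
    """Return the metadata problems for one inventory record."""
    issues = []
    for field in REQUIRED_FIELDS:
        if not asset.get(field):
            issues.append(f"missing {field}")
    label = asset.get("classification")
    if label and label not in CLASSIFICATION_LEVELS:
        issues.append(f"unknown classification label {label!r}")
    review = asset.get("last_review")
    if review and (today - review).days > MAX_REVIEW_AGE_DAYS:
        issues.append(f"review overdue ({(today - review).days} days)")
    return issues


def check_classification(asset, discovered_entry):
    """Flag a label that is lower than the data found on the asset requires."""
    issues = []
    for data_type in discovered_entry.get("data_types", []):
        required = MINIMUM_LEVEL_FOR_DATA.get(data_type)
        if required and level_index(asset.get("classification")) < level_index(required):
            issues.append(f"{data_type} present but classified below {required}")
    return issues


def reconcile(inventory, discovered, today):
    """Compare register and discovery; return findings keyed by asset id."""
    findings = {"undocumented": [], "not_discovered": [], "issues": {}}
    by_id = {a["asset_id"]: a for a in inventory}
    for asset_id, asset in by_id.items():
        issues = check_metadata(asset, today)
        if asset_id in discovered:
            issues += check_classification(asset, discovered[asset_id])
        else:
            findings["not_discovered"].append(asset_id)
        if issues:
            findings["issues"][asset_id] = issues
    # Assets the discovery source saw that the register does not know about.
    findings["undocumented"] = sorted(set(discovered) - set(by_id))
    return findings


if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED, AS_OF)
    for asset_id in result["undocumented"]:
        print(f"UNDOCUMENTED: {asset_id} found by discovery but absent from register")
    for asset_id in result["not_discovered"]:
        print(f"NOT FOUND: {asset_id} in register but not seen by discovery")
    for asset_id, issues in result["issues"].items():
        print(f"{asset_id}: " + "; ".join(issues))
```

Each finding maps to a step in the testing procedure: missing fields and overdue reviews correspond to the mandatory-metadata and review-cycle checks, the under-classification findings are what a sampled-asset walkthrough against actual data content should surface, and the undocumented list is the discovery-scan result. In practice the `DISCOVERED` dictionary would be loaded from the relevant source-system export, and the minimum-label mapping would come from the organization's own classification policy.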