Organisational | Preventive | Identify

A.5.9 Inventory of Information and Other Associated Assets

M365 Admin Path: Multiple admin centres

Evidence Source: Multiple Sources

What is this control?

ISO 27001 control A.5.9, Inventory of Information and Other Associated Assets, requires the organisation to identify and maintain a live inventory of its information and associated assets, including endpoints, identities, data, infrastructure, and software, so that their information security is preserved and appropriate ownership is assigned. This implementation relies on federated, authoritative systems rather than static documents, with Microsoft Intune as the primary CMDB for endpoints and Microsoft Entra ID for identity assets.

How to implement in Microsoft 365

Implement A.5.9 using Microsoft Intune as the primary endpoint CMDB, auto-populated on device enrolment with serial number, primary user, compliance state, and discovered applications. Use Microsoft Entra ID as the definitive inventory for human and non-human identities including Service Principals and Managed Identities. Deploy Microsoft Purview Data Map and Content Explorer for live data inventory based on content and applied Sensitivity Labels.

Query Azure Resource Graph for all cloud infrastructure assets. Use Azure DevOps repositories to inventory IaC and CaC assets. Maintain a Business Ownership Register in SharePoint mapping high-level data categories to designated business owners.

What an auditor looks for

Auditors will verify that Intune contains managed devices with primary user assigned and compliance state tracked. They will check that Purview sensitivity labels are applied to data assets visible in Content Explorer. Auditors will verify that Azure Resource Graph can be successfully queried for all infrastructure assets.

They will review the Data Asset Ownership Register on SharePoint with categories, owners, and review dates. Auditors will examine device lifecycle evidence including Autopilot provisioning and retirement records. They will verify that data retention policies are configured and enforced in Purview.
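The Intune check described above (primary user assigned, compliance state tracked) can be run ahead of an audit. The following is an added example, not part of the original guidance. It assumes device records shaped like the Microsoft Graph `managedDevice` resource (`deviceName`, `serialNumber`, `userPrincipalName`, `complianceState`, `lastSyncDateTime`); the sample records are constructed and the 30-day staleness threshold is an assumption.

```python
"""Flag Intune inventory records that would fail an A.5.9 evidence check."""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Microsoft Graph
# GET /deviceManagement/managedDevices response (not real tenant data).
SAMPLE_DEVICES = [
    {"deviceName": "LT-001", "serialNumber": "SN0001", "userPrincipalName": "a.owner@example.com",
     "complianceState": "compliant", "lastSyncDateTime": "2024-05-30T08:00:00Z"},
    {"deviceName": "LT-002", "serialNumber": "SN0002", "userPrincipalName": "",
     "complianceState": "compliant", "lastSyncDateTime": "2024-05-29T08:00:00Z"},
    {"deviceName": "LT-003", "serialNumber": "", "userPrincipalName": "b.owner@example.com",
     "complianceState": "unknown", "lastSyncDateTime": "2024-05-28T08:00:00Z"},
    {"deviceName": "LT-004", "serialNumber": "SN0004", "userPrincipalName": "c.owner@example.com",
     "complianceState": "noncompliant", "lastSyncDateTime": "2024-01-02T08:00:00Z"},
]

STALE_AFTER = timedelta(days=30)  # assumed threshold; set to your own policy


def inventory_gaps(devices, now):
    """Return {deviceName: [gap, ...]} for records with inventory gaps."""
    findings = {}
    for dev in devices:
        gaps = []
        if not (dev.get("userPrincipalName") or "").strip():
            gaps.append("no primary user")
        if not (dev.get("serialNumber") or "").strip():
            gaps.append("no serial number")
        # "unknown" means Intune has not evaluated the device; noncompliant
        # is still a tracked state, so it is not an inventory gap.
        if (dev.get("complianceState") or "unknown") == "unknown":
            gaps.append("compliance state not tracked")
        last_sync = dev.get("lastSyncDateTime")
        if last_sync:
            seen = datetime.fromisoformat(last_sync.replace("Z", "+00:00"))
            if now - seen > STALE_AFTER:
                gaps.append("stale record")
        else:
            gaps.append("never synced")
        if gaps:
            findings[dev.get("deviceName", "<unnamed>")] = gaps
    return findings


if __name__ == "__main__":
    as_of = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for name, gaps in inventory_gaps(SAMPLE_DEVICES, as_of).items():
        print(f"{name}: {', '.join(gaps)}")
```

Devices that are noncompliant but evaluated are deliberately not reported here, because the control asks for the state to be tracked; remediation of noncompliance is a separate finding.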