Back to all documents
    Annex A & Operational Policies
    policy
    operations
    inventory

    Asset Management Policy

    Identification, ownership and handling of information assets (Annex A 5.9).

    Failed to load preview.

    About this Asset Management Policy

    The Asset Management Policy is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors. It directly supports Annex A 5.9 of the ISO 27001 Annex A control set.

    Identification, ownership and handling of information assets (Annex A 5.9). Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.

    What's inside

    • - Pre-written purpose, scope and policy statements
    • - Roles and responsibilities aligned with ISO 27001:2022
    • - Control requirements mapped to Annex A 5.9
    • - Review, approval and version-control sections
    • - Editable Word (.docx) version in the Document Pack

    Who is this for

    • - Companies pursuing ISO 27001:2022 certification
    • - ISMS managers and information security leads
    • - Consultants delivering ISO 27001 implementations
    • - Auditors preparing evidence packs for Stage 1 / Stage 2
    • - SaaS and tech teams formalizing security policies

    ISO 27001:2022 relevance

    • Annex A 5.9 - Inventory of information and other associated assets
    • Annex A 5.10 - Acceptable use of information and other associated assets
    • Annex A 5.11 - Return of assets
    • Annex A 7.9 - Security of assets off-premises
    • Annex A 7.14 - Secure disposal or re-use of equipment

    How to customise

    • - Define asset types covered (information, hardware, software, services).
    • - Assign asset owners and acceptable use rules.
    • - Reference the asset inventory and classification scheme.
    • - Set the lifecycle process from acquisition to disposal.

    Evidence auditors may expect

    • - Asset inventory with owner and classification
    • - Acceptable use acknowledgements
    • - Return-of-assets records on leaver events
    • - Secure disposal certificates

    Auditor may ask

    Q.How is the asset inventory kept current?
    Q.Who owns each asset and how are owners assigned?
    Q.How are assets returned and disposed of securely?
    Q.How does asset classification link to handling rules?

    These are realistic questions an external auditor may use to test the control. Your answer must be supported by the evidence listed above.

    Get the editable Asset Management Policy

    Buy this template on its own for $34, or unlock the full Document Pack for $99 (one-time).