Most first-time ISO 27001 audits fail on the asset register, not the firewall
Talk to anyone who has been through their first ISO 27001 certification audit and you'll hear the same story. The technical controls hold up. MFA is on. Logging is in place. The penetration test came back fine. Then the auditor says: "Can you show me your inventory of information assets, with owners?" — and the next ninety minutes are damage control.
What gets handed over is a spreadsheet last updated four months ago, with two columns labelled "Owner" full of team names instead of people, no record of when entries were created or changed, and no evidence that any of those owners ever agreed to be on the hook. The auditor doesn't fail you over a firewall rule. They fail you (or raise a major non-conformity) over the register.
This post is about how to not be that team. It covers which ISO 27001 controls actually demand an inventory, what auditors look for, why spreadsheets routinely fall short, and a 30-day path to a register that holds up.
Which controls actually require an inventory
ISO/IEC 27001:2022 moved the asset-management controls into Annex A clauses 5.9 through 5.11 (down from a longer list in the 2013 revision). Three controls do the heavy lifting:
A.5.9 — Inventory of information and other associated assets. You must maintain an inventory of information and "other associated assets" (hardware, software, services, the lot), including owners. The standard is deliberately broad: if a piece of information or a system supports your services and losing it would hurt, it belongs on the list.
A.5.10 — Acceptable use of information and other associated assets. Owners and users must know the rules for handling each asset. In practice this is policy plus evidence the right people have read and accepted it.
A.5.11 — Return of assets. On termination, role change, or contract end, every asset assigned to the leaver must be returned or reassigned. Auditors will ask for evidence — not "we have a process," but the actual handover records for specific people.
Two adjacent controls — A.5.12 (classification) and A.5.13 (labelling) — assume your inventory exists. You can't classify what you haven't listed.
The six things auditors actually look for
Stripped of jargon, an auditor reviewing your asset register is checking six things:
- Completeness and currency. Is the list comprehensive, and is it current? If your headcount grew 20% in the last quarter but the register hasn't grown, that's a red flag.
- A named owner per asset. Not "Marketing." Not "IT." A specific human, with a name.
- Evidence the owner accepted the assignment. Anyone can type a name in a cell. The control is meaningful only when the named person has acknowledged the responsibility.
- Periodic review evidence. Reviewed when? By whom? With what result? "We look at it occasionally" is not evidence.
- Return-on-exit evidence. When someone left in February, what happened to the seven assets they owned? Show me the handover.
- A classification scheme that's actually applied. If your policy says assets are tagged Public / Internal / Confidential, the register should reflect that — consistently.
Notice what isn't on the list: serial numbers, depreciation curves, warranty dates. The ISO 27001 auditor cares about accountability and lifecycle, not procurement detail.
Why most spreadsheet registers fail
Spreadsheets aren't disqualified by the standard. Plenty of small organisations have certified with one. They fail in practice for predictable reasons, mapped to the six audit items above:
- No audit trail of changes. Excel's version history is not designed as control evidence. You can't easily show when an owner changed, who changed it, or why. Items 1 and 4 suffer immediately.
- No acceptance record. Typing "Sarah K." in column D doesn't prove Sarah agreed to anything. Item 3 is structurally impossible without a separate workflow.
- No periodic-review proof. A cell colour or a "Last reviewed" column filled in by one admin proves nothing about who reviewed what. Item 4 fails for the same reason as item 3.
- Stale data. The register decays between audits. By the time prep starts, 20–30% of rows are wrong. Item 1 collapses.
- Offboarding archaeology. When someone leaves, finding their assets is a manual CTRL+F across tabs, and the handover happens informally if at all. Item 5 has no evidence trail.
- Inconsistent classification. Five admins, five interpretations of "Confidential." Item 6 looks tidy until the auditor samples ten rows.
None of these failures are dramatic on day one. They compound. By the time the audit is six weeks away, the gap between the register and reality is too big to close by hand.
What a working register looks like
Three realistic shapes for an ISO 27001-grade asset register, on the six criteria above:
| | Spreadsheet | Full ISMS platform | OwndUp |
|---|---|---|---|
| Complete & current | Manual discipline only | Yes (often via integrations) | Yes — owners maintain their own rows; drift surfaces on the admin dashboard |
| Named owner per asset | Optional, no enforcement | Required | Required and enforced |
| Acceptance evidence | None | Workflow add-on | Built-in — owner notified, accepts, logged |
| Periodic review evidence | Manual cell updates | Yes | Annual re-acknowledgement built in, with audit log |
| Return-on-exit evidence | Manual process, easily skipped | Yes | Offboarding blocks user exit until items are reassigned |
| Classification scheme | Free text, drifts | Full taxonomy management | Tag-based; not a classification taxonomy manager |
| Sweet spot | < 20 people, one disciplined admin | 200+ people, dedicated ISMS owner, broader scope (risk, policies, controls) | 10–500 people, focused on the asset-management clauses |
OwndUp covers A.5.9 and A.5.11 by design, and contributes to A.5.10 via the acceptance log. It is not a full ISMS — it doesn't manage your risk register, your Statement of Applicability, your policies, or your control library. If your audit scope is the whole ISMS and you have nothing in place yet, pair OwndUp with a full ISMS tool (Vanta, Drata, Thoropass, Sprinto, an open-source kit, your call). If your asset register is specifically the gap, OwndUp closes it without the implementation tax of a heavyweight platform.
A 30-day path to an audit-ready inventory
Most teams have four weeks between "we should really fix this" and "the auditor is on site." Here's how to spend them.
Week 1 — Discovery. Build the one true list. Pull credit-card statements, expense reports, SSO logs, and SaaS-management data if you have it. Walk each department lead through their tools and hardware. Add everything that, if lost or compromised, would meaningfully hurt the business. Don't classify yet. Don't worry about owners yet. Just get the list complete.
Week 2 — Ownership assignment. For every asset, identify one specific person — not a team — who is best placed to be accountable. Disagreements surface here, and that's the point. If two people both think they own a tool, neither does. Resolve it. If nobody does, find the person closest to it and have the conversation.
Week 3 — Acceptance and classification. Send each owner a list of their assets. Ask them to confirm ownership in writing (email, ticket, tool — pick one and stick to it). At the same time, apply your classification scheme. If you don't have one yet, start simple: Public / Internal / Confidential / Restricted. Don't invent five custom tiers.
Week 4 — Cadence and evidence. Decide and document how often the register is reviewed (annual at a minimum, quarterly is better), who runs the review, and how the review is recorded. Run the first one now. Build the offboarding checklist that includes "reassign or return all owned assets" and connect it to your HR process. Snapshot the register and store the snapshot somewhere immutable.
If you make it through week 4 with all six audit items demonstrably covered, you'll pass the asset-management portion of the audit. You'll also have built the muscle to keep passing — which is the harder part.
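The week-4 review and the six audit checks above amount to a self-assessment you can automate against your current spreadsheet export. The following is an added example, not OwndUp's code or anything from the original post; the column names, the team-name list, the leaver list, the discovery list and the sample rows are all constructed assumptions to adapt to your own register.

```python
import csv
import io
from datetime import date, timedelta

# Assumed column layout of the spreadsheet export: asset, owner, accepted_on, last_reviewed, classification.
SCHEME = {"Public", "Internal", "Confidential", "Restricted"}        # check 6: the agreed scheme
TEAM_NAMES = {"marketing", "it", "engineering", "finance", "sales"}  # team names are not owners
REVIEW_MAX_AGE = timedelta(days=365)                                 # annual review at minimum

# Constructed sample export: one clean row plus rows that show each failure mode.
SAMPLE_CSV = """asset,owner,accepted_on,last_reviewed,classification
CRM (SaaS),Sarah K.,2024-03-02,2024-03-02,Confidential
Laptop L-0421,Marketing,,2023-01-15,Internal
Payroll export,Dana P.,2024-05-10,2024-05-10,Top Secret
Build server,,,,
"""
TODAY = date(2025, 1, 15)  # constructed: fixed clock so the sample is reproducible
LEAVERS = {"Dana P."}      # constructed: names taken from the HR leaver list
DISCOVERED = {"CRM (SaaS)", "Laptop L-0421", "Payroll export",
              "Build server", "Slack"}  # constructed: e.g. app names pulled from SSO logs

def lint_register(csv_text, today, leavers=frozenset(), discovered=frozenset()):
    """Return {asset: [issues]} for every row that would fail one of the six audit checks."""
    findings, listed = {}, set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        asset, owner = row["asset"], row["owner"].strip()
        listed.add(asset)
        issues = []
        if not owner:                                    # check 2: one named person
            issues.append("no owner")
        elif owner.lower() in TEAM_NAMES:
            issues.append("owner is a team, not a person")
        if not row["accepted_on"]:                       # check 3: acceptance evidence
            issues.append("no acceptance record")
        if not row["last_reviewed"]:                     # check 4: periodic review evidence
            issues.append("never reviewed")
        elif today - date.fromisoformat(row["last_reviewed"]) > REVIEW_MAX_AGE:
            issues.append("review older than 12 months")
        if owner in leavers:                             # check 5: return on exit
            issues.append("owner has left; reassign or record return")
        if row["classification"] not in SCHEME:          # check 6: scheme actually applied
            issues.append("classification outside scheme")
        if issues:
            findings[asset] = issues
    for asset in sorted(discovered - listed):            # check 1: completeness vs. discovery data
        findings[asset] = ["discovered but not in register"]
    return findings

def sample_findings():
    return lint_register(SAMPLE_CSV, TODAY, LEAVERS, DISCOVERED)
```

Completeness (check 1) can only be judged against something outside the register, so the lint takes a discovery list (SSO logs, expense data) and reports anything on it that the register lacks.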
Honest scope note
ISO 27001 is bigger than asset management. A complete ISMS covers risk assessment, controls selection, policy management, internal audit, management review, incident response, supplier security, and more. If you're starting from zero, an asset register is one of perhaps twenty workstreams.
OwndUp does one of them well. If asset ownership and lifecycle is your specific gap — which it is for most teams certifying for the first time — it's the fastest fix you'll make. If your gap is the whole ISMS, you need a full ISMS platform, and OwndUp slots in alongside it rather than replacing it.
Practical takeaways
- The audit fails on accountability, not technology. Auditors check whether named people accepted ownership and reviewed it — not whether you have a clever asset-discovery agent.
- Spreadsheets aren't banned; they just fail the six audit items predictably: no audit trail, no acceptance record, no review evidence, stale data, no offboarding trail, inconsistent classification.
- The six checks are: complete, owned, accepted, reviewed, returned-on-exit, classified. Score yourself against them honestly before the auditor does.
- 30 days is enough for a small or mid-size team to fix the register, if you sequence it: discovery, ownership, acceptance + classification, cadence.
- OwndUp covers A.5.9–A.5.11, not the whole ISMS. Pair it with a full ISMS tool if your scope is broader.
If your gap is specifically the asset register, start a free trial — you can import your current spreadsheet, assign owners, and have an acceptance trail in motion within an afternoon.
