ISO 27001 Asset Inventory & Classification Register
Overview
Build and validate an Asset Inventory & Classification Register for ISO 27001:2022 Control A.5.9. Catalog information assets with Ownership and Classification (Public, Internal, Confidential, Restricted), suggest classification from sensitivity descriptions, and verify that every asset has a named Information Owner and that Confidential/Restricted assets have handling procedures. Auditors expect a living register that reflects operational state and clear accountability.
Example Conversation
You: We need an Asset Inventory & Classification Register for our ISMS. We have the CRM (customer PII and payment data), internal project wiki, public marketing site, and the contracts repository. I’m not sure how to classify the contracts repo.
Agent: I’ll use the template and add rows for each asset. For the contracts repository I’ll run asset_labeling_assistant with a sensitivity description to suggest a level.
Agent: Running asset_labeling_assistant with description “Contract repository: NDAs, commercial terms, customer and vendor contracts”…
Agent: Suggested classification: Confidential. Rationale: Sensitive business or personal data; access restricted and handling procedure required. I’ve added the four assets to the register. CRM and contracts are Confidential; I’ve set Information Owners and referenced the Information Handling Policy §4.2 for both. Run owner_accountability_check when you’re ready to validate.
You: Run the owner check on the register.
Agent: Running owner_accountability_check on the register…
Agent: RESULT: PASS — Every asset has an Information Owner; Confidential/Restricted assets have a handling procedure. The register is ready for review.
What the Tools Validate
The skill includes two extension tools:
asset_labeling_assistant suggests a classification level from a short data-sensitivity description:
- Accepts a free-text description (e.g. “Customer PII and payment details”, “Internal project roadmap”)
- Uses keyword-based rules aligned with common schemes: Public, Internal, Confidential, Restricted
- Returns the suggested level and a brief rationale (e.g. PII/financial → Confidential; trade secrets/credentials → Restricted)
- Use when drafting or reviewing asset entries so classification is consistent and defensible
owner_accountability_check validates the register file so it meets A.5.9 and auditor expectations:
- Parses the register (Markdown table with columns such as Asset, Information Owner, Classification, Handling procedure)
- Information Owner: Every asset row must have a non-empty Information Owner (no “TBD” or blank)
- Handling procedure: Every asset classified Confidential or Restricted must have an associated handling procedure (or reference to a policy section)
- Reports PASS when both conditions hold for all rows; FAIL with a list of errors (missing owner, or Confidential/Restricted without handling)
- Run after building or updating the register, and before audit or management review
Output Excerpt
A condensed excerpt from a generated Asset Inventory & Classification Register:
| Asset | Type | Information Owner | Classification | Handling procedure |
|-------|------|-------------------|----------------|--------------------|
| Customer database (CRM) | Database | Head of Sales | Confidential | IHP §4.2 – Customer data |
| Contracts repository | Application | Legal Counsel | Confidential | IHP §4.3 – Contracts & NDAs |
| Internal project wiki | Application | Head of Engineering | Internal | N/A |
| Public marketing website | Application | Head of Marketing | Public | N/A |
- Public / Internal: Handling procedure can be N/A.
- Confidential / Restricted: A handling procedure (e.g. IHP §4.2) is required; owner_accountability_check will flag any missing entry.
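The two rules listed under "What the Tools Validate" can be sketched as follows. This is an added example, not the skill's own implementation: the function bodies, the `PLACEHOLDERS` set (which treats "N/A" and "-" as empty alongside "TBD" and blank), and the two failing rows in the sample are assumptions constructed for illustration.

```python
import re

# Assumption: the page names only "TBD" and blank; "N/A", "-" and "none" are added here.
PLACEHOLDERS = {"", "tbd", "n/a", "na", "-", "none"}
NEEDS_HANDLING = {"confidential", "restricted"}

def parse_register(markdown):
    """Return one dict per data row of the Markdown table, keyed by lowercased header."""
    rows, header = [], None
    for line in markdown.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = [c.lower() for c in cells]
        elif all(re.fullmatch(r":?-+:?", c) for c in cells):
            continue  # separator row under the header
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def owner_accountability_check(markdown):
    """Return ("PASS" or "FAIL", errors) for the owner and handling-procedure rules."""
    errors = []
    for row in parse_register(markdown):
        asset = row.get("asset", "<unnamed>")
        owner = row.get("information owner", "").lower()
        level = row.get("classification", "").lower()
        handling = row.get("handling procedure", "").lower()
        if owner in PLACEHOLDERS:
            errors.append(f"{asset}: missing Information Owner")
        if level in NEEDS_HANDLING and handling in PLACEHOLDERS:
            errors.append(f"{asset}: {row['classification']} without handling procedure")
    return ("PASS" if not errors else "FAIL", errors)

# Constructed sample: two rows from the excerpt plus two deliberately broken rows.
SAMPLE = """
| Asset | Type | Information Owner | Classification | Handling procedure |
|-------|------|-------------------|----------------|--------------------|
| Customer database (CRM) | Database | Head of Sales | Confidential | IHP §4.2 – Customer data |
| Internal project wiki | Application | Head of Engineering | Internal | N/A |
| HR file share | File share | TBD | Restricted | N/A |
| Backup vault | Storage | Head of IT | Restricted | |
"""

if __name__ == "__main__":
    print(owner_accountability_check(SAMPLE))
```

Matching on header names rather than column positions keeps the check working when a register adds or reorders columns such as Type.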
Getting Started
Add your source materials (e.g. existing asset lists, system inventory, handling policy references) to the project workspace, then activate the ISO 27001 Asset Inventory & Classification Register skill. The agent will guide you through cataloguing assets, assigning owners and classifications (using the labelling assistant where needed), and validating the register with the owner accountability check.