# ISO 27001 Asset Inventory & Classification Register




Tags: ISO 27001, ISMS, Compliance, Asset Management, Classification, A.5.9


## Example Prompts

- Create an Asset Inventory & Classification Register for our ISMS scope
- Suggest a classification level for our customer database (PII and payment data)
- Validate our asset register: every asset has an owner and Confidential assets have handling procedures
- Update our information asset register with new systems and assign Information Owners
- Cross-reference our asset register with the ISMS scope to check for gaps

URL: https://rakenne.app/skills/iso27001-asset-inventory/index.md




## Overview

Build and validate an Asset Inventory & Classification Register for ISO 27001:2022 Control A.5.9. Catalog information assets with Ownership and Classification (Public, Internal, Confidential, Restricted), suggest classification from sensitivity descriptions, and verify that every asset has a named Information Owner and that Confidential/Restricted assets have handling procedures. Auditors expect a *living* register that reflects operational state and clear accountability.

For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the [**ISO 27001 ISMS workspace tutorial**](/learn/tutorials/iso27001-isms-workspace-guide/).

## Example Conversation

> **You:** We need an Asset Inventory & Classification Register for our ISMS. We have the CRM (customer PII and payment data), internal project wiki, public marketing site, and the contracts repository. I'm not sure how to classify the contracts repo.

> **Agent:** I'll use the template and add rows for each asset. For the contracts repository I'll run `asset_labeling_assistant` with a sensitivity description to suggest a level.

> **Agent:** Running `asset_labeling_assistant` with description "Contract repository: NDAs, commercial terms, customer and vendor contracts"...

> **Agent:** Suggested classification: **Confidential**. Rationale: Sensitive business or personal data; access restricted and handling procedure required. I've added the four assets to the register. CRM and contracts are Confidential; I've set Information Owners and referenced the Information Handling Policy §4.2 for both. Run `owner_accountability_check` when you're ready to validate.

> **You:** Run the owner check on the register.

> **Agent:** Running `owner_accountability_check` on the register...

> **Agent:** RESULT: **PASS** — Every asset has an Information Owner; Confidential/Restricted assets have a handling procedure. The register is ready for review.

## What the Tools Validate

The skill includes two extension tools:

**`asset_labeling_assistant`** suggests a classification level from a short data-sensitivity description:

- Accepts a free-text description (e.g. "Customer PII and payment details", "Internal project roadmap")
- Uses keyword-based rules aligned with common schemes: Public, Internal, Confidential, Restricted
- Returns the suggested level and a brief rationale (e.g. PII/financial → Confidential; trade secrets/credentials → Restricted)
- Use when drafting or reviewing asset entries so classification is consistent and defensible

**`owner_accountability_check`** validates the register file so it meets A.5.9 and auditor expectations:

- Parses the register (Markdown table with columns such as Asset, Information Owner, Classification, Handling procedure)
- **Information Owner**: Every asset row must have a non-empty Information Owner (no "TBD" or blank)
- **Handling procedure**: Every asset classified Confidential or Restricted must have an associated handling procedure (or reference to a policy section)
- Reports **PASS** when both conditions hold for all rows; **FAIL** with a list of errors (missing owner, or Confidential/Restricted without handling)
- Run after building or updating the register, and before audit or management review

## Output Excerpt

A condensed excerpt from a generated Asset Inventory & Classification Register:

```markdown
| Asset | Type | Information Owner | Classification | Handling procedure |
|-------|------|-------------------|----------------|--------------------|
| Customer database (CRM) | Database | Head of Sales | Confidential | IHP §4.2 – Customer data |
| Contracts repository | Application | Legal Counsel | Confidential | IHP §4.3 – Contracts & NDAs |
| Internal project wiki | Application | Head of Engineering | Internal | N/A |
| Public marketing website | Application | Head of Marketing | Public | N/A |
```

- **Public** / **Internal**: Handling procedure can be N/A.
- **Confidential** / **Restricted**: A handling procedure (e.g. IHP §4.2) is required; `owner_accountability_check` will flag any missing entry.
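The two rules that `owner_accountability_check` is described as enforcing can be sketched as a small validator over a register in the table format shown above. This is an added example, not the skill's own code; the function names, the placeholder set (`TBD`, `N/A`, `-`) and the sample rows are assumptions constructed for illustration.

```python
import re

NEEDS_HANDLING = {"confidential", "restricted"}
# Assumption: these placeholder values count as "not filled in".
PLACEHOLDERS = {"", "tbd", "n/a", "-"}

# Constructed sample register (not from the page): two valid rows, two broken ones.
REGISTER = """\
| Asset | Type | Information Owner | Classification | Handling procedure |
|-------|------|-------------------|----------------|--------------------|
| Customer database (CRM) | Database | Head of Sales | Confidential | Handling policy, customer data |
| Internal project wiki | Application | Head of Engineering | Internal | N/A |
| HR payroll export | File share | TBD | Restricted | Handling policy, payroll |
| Source code repository | Application | CTO | Confidential | N/A |
"""

def parse_register(text):
    """Parse a Markdown table into dicts keyed by lower-cased column header."""
    lines = [l.strip() for l in text.splitlines() if l.strip().startswith("|")]
    table = [[c.strip() for c in l.removeprefix("|").removesuffix("|").split("|")]
             for l in lines]
    if not table:
        return []
    header = [h.lower() for h in table[0]]
    rows = []
    for cells in table[1:]:
        if all(re.fullmatch(r":?-+:?", c) for c in cells):
            continue  # header separator row
        if len(cells) != len(header):
            raise ValueError(f"malformed row: {cells}")  # fail closed
        rows.append(dict(zip(header, cells)))
    return rows

def check_register(text):
    """Return ("PASS" | "FAIL", errors) for the two rules described above."""
    rows = parse_register(text)
    errors = [] if rows else ["register contains no asset rows"]
    for row in rows:
        asset = row.get("asset") or "<unnamed asset>"
        if row.get("information owner", "").lower() in PLACEHOLDERS:
            errors.append(f"{asset}: missing Information Owner")
        level = row.get("classification", "").lower()
        handling = row.get("handling procedure", "").lower()
        if level in NEEDS_HANDLING and handling in PLACEHOLDERS:
            errors.append(f"{asset}: {level.capitalize()} without handling procedure")
    return ("FAIL" if errors else "PASS"), errors

if __name__ == "__main__":
    status, errors = check_register(REGISTER)
    print(status, *errors, sep="\n")
```

An empty register and a missing required column both produce FAIL rather than a vacuous PASS, which is the behaviour an auditor-facing check should have.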

## Getting Started

Add your source materials (e.g. existing asset lists, system inventory, handling policy references) to the project workspace, then activate the *ISO 27001 Asset Inventory & Classification Register* skill. The agent will guide you through cataloguing assets, assigning owners and classifications (using the labelling assistant where needed), and validating the register with the owner accountability check.


