The asset inventory is the first thing any ENS or ISO 27001 auditor asks for, and it is the artefact most companies have wrong. Not from bad intent: it is usually built at the last minute, in the final month before the audit, and it shows.
This guide explains how to do it properly from day one. What is in scope, what is not, how each asset is valued, what the auditor expects to see, and where the most common audit-killing mistakes are. At the end you will find a real interactive inventory example you can open, filter and use as a template.
Why the inventory is the first deliverable
The inventory is not an administrative spreadsheet. It is the document that holds together the whole Information Security Management System. If you do not know what you have, you cannot know what you protect, what risks apply, what controls are needed, or what investment level is justified.
That is why it shows up so early in both standards:
- ENS (RD 311/2022): the inventory is a mandatory input to the system categorisation. Without a complete inventory you cannot declare whether the system is BASIC, MEDIUM or HIGH, and therefore you cannot determine which Annex II measures apply.
- ISO 27001:2022: control A.5.9: Inventory of information and other associated assets is one of the first in Annex A. It is a mandatory control that is always evaluated, even if other Annex A controls can be justified as not applicable.
When the audit kicks off, the first question is usually literal: "show me the asset inventory and tell me when it was last reviewed". What comes next depends entirely on how you answer.
What counts as an asset
An asset is anything of value to the organisation that, if lost or compromised, would affect the service or the information. The standard taxonomy in Spain (used by MAGERIT, the official methodology of the National Cryptologic Centre) splits assets into nine types:
| Type | Category | Typical examples |
|---|---|---|
| [D] | Information / Data | Customer databases, case files, medical records, backups, internal documentation. |
| [S] | Services | Public e-government portal, ERP, CRM, employee portal, public-facing web services. |
| [SW] | Software / Applications | SAP, Salesforce, custom applications, operating systems, antivirus. |
| [HW] | Hardware | Servers, corporate laptops, mobile devices, EC2 instances, NAS. |
| [COM] | Networks and communications | Dedicated lines, VPN, corporate WiFi, firewalls, load balancers. |
| [Media] | Information media | USB drives, backup tapes, paper documentation, physical archives. |
| [AUX] | Auxiliary equipment | UPS, datacentre HVAC, power generators, cabling. |
| [L] | Facilities | Offices, server rooms, datacentres, remote locations. |
| [P] | Personnel | System administrators, security officer, DPO, 24x7 support. |
Practical filter: if this disappears or gets compromised, is there someone in the organisation who actually cares? If the answer is yes, it goes into the inventory.
ENS vs ISO 27001: how the inventory differs
Both standards require an inventory, but with different angles:
ENS (RD 311/2022)
- Mandatory taxonomy: MAGERIT (the 9 types above).
- Each asset is valued across five dimensions: Confidentiality, Integrity, Traceability, Authenticity, Availability.
- Three possible levels: Low, Medium, High, plus "not applicable".
- The highest level across all assets sets the system category.
- Formally defined roles: Information Owner, Service Owner, Security Officer, System Owner.
ISO 27001:2022 (control A.5.9)
- No taxonomy is imposed. It requires a coherent inventory covering information, software, hardware, services and people.
- Typical valuation across three dimensions: Confidentiality, Integrity, Availability (CIA).
- The scale (high/medium/low or 1-5) is decided by the organisation as long as it is justified.
- Each asset must have a clearly identified, accountable owner.
If your company is going for both certifications (common when you serve both public and private sectors), do not build two inventories. Build one with the MAGERIT taxonomy and the five ENS dimensions, then for ISO 27001 take C, I and D from the same record. It saves maintenance and removes inconsistencies between documents.
Minimum fields every asset must have
What an auditor expects to see for each row of the inventory:
| Field | What it is for |
|---|---|
| Unique code | Stable identifier (e.g. INF-001, SW-014). Allows traceability when the name changes. |
| Descriptive name | How it is known internally. Must be self-explanatory without extra documentation. |
| Description | One or two sentences on what it does and why it matters. |
| MAGERIT type | D / S / SW / HW / COM / Media / AUX / L / P. |
| Owner | Person accountable for the asset. Must be a real person, not a department. |
| Custodian | Who operates or maintains it day-to-day (may or may not be the owner). |
| Location | Physical (site, datacentre) or logical (cloud provider, region, system). Crucial for GDPR if personal data is involved. |
| Valuation | Levels across security dimensions (CITAD for ENS, CIA for ISO). |
| Personal data (yes/no) | Explicit flag. If it contains PII, it must link to the GDPR Record of Processing Activities (RoPA). |
| Dependencies | Other assets it depends on. E.g. an application depends on a server, a database and a network. |
| Status | Active / Under review / Decommissioned. Decommissioned assets are not deleted, they are marked, to preserve historical traceability. |
| Last review / Next review | Dates. If the last review is two years old, you already have an audit finding. |
The two fields most often forgotten and most heavily penalised in audit are dependencies and next review date. Without dependencies, the risk analysis does not stand up. Without review dates, the inventory is a dead document.
Valuation: dimensions and levels
Valuing an asset is not handing out stars. It is answering one specific question for each dimension:
- Confidentiality: what happens if this information reaches someone who should not see it.
- Integrity: what happens if this information or system is altered without authorisation.
- Availability: what happens if we lose access, and how long can we tolerate it.
- Traceability (ENS): we need to know who did what and when.
- Authenticity (ENS): we need to guarantee the actor is who they claim to be.
ENS levels are defined by the damage an incident would cause:
LOW: limited harm to people or the organisation. Manageable without major consequences.
MEDIUM: serious harm; affects essential service functions or a significant number of people.
HIGH: very serious harm; irreparable damage, paralysis of critical services, severe sanctions.
Working rule: when in doubt between two levels, go up one and document why. Over-valuing an asset and applying more controls is far cheaper than under-valuing and getting the audit reopened.
Roles, owners and responsibilities
Every asset needs an owner. This is where most companies fail: they put "IT Department" or "Management Committee" in the owner column. Not acceptable.
The owner must be a named person who takes on:
- Deciding the level of protection the asset needs.
- Approving who has access and at what privilege level.
- Validating periodic reviews.
- Reporting significant changes to the security team.
For ENS, four formal roles must additionally be appointed in writing and approved by management:
- Information Owner: defines security requirements for the data.
- Service Owner: defines requirements for the service delivered.
- Security Officer: coordinates implementation and oversight of controls.
- System Owner: manages the technical operation of the system.
For ISO 27001 the names are less rigid, but the principle is the same: for every asset, a named individual is accountable when something happens.
Real inventory example (interactive)
We have published a complete ENS asset inventory you can open and explore. The system is fictional (AyuntaCloud Solutions S.L., a SaaS for municipalities classified as MEDIUM), but the assets, dimensions and data are built with the same structure we use in real projects.
ENS asset inventory example (interactive)
Fictional MEDIUM-category system with 26 assets covering all 9 MAGERIT types, CITAD dimensions, asset dependencies and traceability. Filter by type, owner and criticality. Export to CSV. Open it, explore it, use it as a template.
Open the example inventoryThings worth looking at as you explore:
- How assets are coded (INF-, SVC-, SW-, HW-, COM-).
- How dependencies render when you open a service.
- The CITAD dimensions valued with H/M/L per asset.
- The retention field and its link to personal data.
- The security committee roles block at the bottom.
If your organisation has a similar structure, you can use this format as a template. If you need a tailored one, we build it with you as part of the implementation plan.
How to get it audit-ready
What an auditor will do once they sit down with your inventory:
- Verify it is approved by management with a recent date. No signature or no valid review date already creates a non-conformity.
- Pick three or four assets at random and trace them. They will usually pick a critical one (HIGH category or with personal data) and ask to see the RoPA, access logs, backups and associated procedures. If they do not match the inventory, finding logged.
- Check dependencies. If an application says it depends on a server that is no longer in the inventory, or marked as decommissioned, that is a maintenance failure.
- Cross-check the inventory with the risk analysis. Each risk in the analysis must be linked to one or more inventory assets. Risks without assets, or critical assets without associated risks, mean a broken ISMS.
- Validate owners. Sometimes they ask directly: "who is the owner of this asset?" and then talk to that person. If the person does not know they are the owner, bad news.
Getting through this part well is about maintenance, not last-minute heroics. A 30-minute quarterly review where owners look at their assets and confirm they are still valid avoids 90% of audit findings.
Mistakes that fail the audit
The five we see most often:
- Inventory without real owners. Columns with "IT" or "Systems" instead of named people.
- Cloud assets with no region specified. If you have personal data on AWS and do not document the region, GDPR and ENS will both complain.
- No personnel-type assets [P]. Forgetting that privileged administrators are inventoried assets.
- No dependencies. Applications floating in mid-air with no associated servers or networks. Impossible to do a serious impact analysis.
- No decommissioning process. When a system is dismantled, it just disappears from the spreadsheet. No trail and no validation that associated data was wiped properly.
Quick rule: if your inventory has not been updated in the last 3 months, it is not alive. And if it is not alive, the auditor sees it within 10 minutes.
Frequently asked questions
Is an asset inventory mandatory for ENS and ISO 27001?
Yes. ENS requires it under RD 311/2022 as input to system categorisation. ISO 27001:2022 lists it as control A.5.9, which is mandatory. No up-to-date approved inventory, no certificate.
How often should it be reviewed?
Full review at least annually, plus an incremental review every 6 months for critical assets. Any addition, removal or major change (migration, new vendor, owner change) is reflected as it happens.
Is a spreadsheet good enough?
Technically yes. The problem is not the audit, it is maintenance: nobody updates it, no version control, dependencies are invisible. Workable up to 30-50 assets. From 80-100 onwards, a dedicated tool or GRC pays for itself.
What is the difference between ENS and ISO 27001 inventories?
ENS uses MAGERIT (9 types) and five dimensions (CITAD). ISO 27001 imposes no taxonomy and usually values across three dimensions (CIA). A well-built MAGERIT inventory covers both frameworks with no duplicated work.
Should the inventory include people as assets?
In MAGERIT (and therefore ENS), yes: type [P] Personnel is one of the nine types. It is not about inventorying employees as payroll records; it is about identifying critical roles whose loss or replacement would impact the system.
Your team needs secure AI training
The EU AI Act requires AI literacy for all staff from August 2026. Our courses cover compliance, AI agents and governance. FUNDAE can subsidise 100% of the cost.