Security Policies · 10 min read · 10 June 2026

Asset Management Policy for SaaS: ISO 27001 A.5.9, CIS Control 1, and the Cloud Asset Problem (2026)

You can’t protect what you can’t see. ISO 27001 A.5.9 requires an asset inventory. CIS Controls 1 and 2 are the most foundational controls in the v8 framework. Yet cloud auto-scaling, SaaS sprawl, and forgotten secrets break traditional asset management for modern SaaS. Here’s how to fix it.

The asset visibility problem

The first CIS Critical Security Control is “Inventory and Control of Enterprise Assets.” It’s first for a reason: every other control depends on it. You can’t patch what you don’t know exists. You can’t apply access controls to a database nobody catalogued. You can’t respond to a breach involving a server you forgot you had.

For modern SaaS, the problem is harder than the 2010-era “here’s our server list” style of asset management. Three things broke it:

  • Cloud elasticity. Auto-scaling groups spawn and kill instances. Containers live for minutes. Serverless functions don’t “exist” in the traditional sense.
  • SaaS sprawl. Every team buys a SaaS tool with a credit card. The CISO finds out at renewal time — or after a breach.
  • Forgotten assets. API keys committed to repos. Certificates issued and forgotten. SSH keys from employees who left 18 months ago.

Compliance requirements for asset management

Framework | Control | Requirement
ISO 27001 | A.5.9 — Inventory of Information and Other Associated Assets | Inventory of assets with owners; reviewed and maintained
ISO 27001 | A.5.10 — Acceptable Use | Rules for acceptable use of assets, communicated and acknowledged
ISO 27001 | A.5.11 — Return of Assets | Assets returned on employment termination or contract change
ISO 27001 | A.8.1 — User Endpoint Devices | Endpoint information protected; baseline configuration applied
SOC 2 | CC6.1 — Logical Access Security | Logical access tied to identified assets and authorised users
CIS Controls v8 | Control 1 — Inventory and Control of Enterprise Assets | Accurate, detailed, up-to-date asset inventory; automated where possible
CIS Controls v8 | Control 2 — Inventory and Control of Software Assets | Software inventory; allowlist; unauthorised software detected and removed
PCI DSS v4.0 | Req 12.3 — Hardware and Software Assets Managed | Inventory of in-scope assets maintained, reviewed at least every 12 months
NIST SP 800-171 | 3.4 — Configuration Management | Baseline configurations and inventories established and maintained
HIPAA | §164.310(d) — Device and Media Controls | Policies for receipt, removal, re-use, and disposal of devices and media containing ePHI

What counts as an “asset” — most teams miss half of these

Asset management documents typically cover laptops and servers. That misses the assets that actually cause breaches:

  • Hardware: laptops, desktops, servers, networking equipment, mobile devices.
  • Cloud infrastructure: VMs, containers, databases, load balancers, storage buckets, queues, functions.
  • Software & SaaS: installed apps, SaaS subscriptions, browser extensions, CLI tools.
  • Code repositories & IP: source code, build artefacts, container images, model weights.
  • Data assets: databases, file stores, backups, exports, archived data.
  • Secrets: API keys, OAuth tokens, certificates, SSH keys, signing keys, database credentials.
  • Third-party assets: vendor-managed assets that hold your data.

If your inventory has 100 hardware entries and 0 secrets entries, you have an asset management problem, not an asset management policy.

Hardware asset management: still matters

Even in a remote-first SaaS, hardware is the most concrete asset class:

  • MDM (Mobile Device Management) enrollment before the device leaves the office or is shipped. Kandji, Jamf, Microsoft Intune, JumpCloud.
  • Asset tag at receipt; matched to the user via the IdP.
  • Full-disk encryption on issue; verified by MDM compliance check.
  • Decommissioning workflow: NIST 800-88 wipe → asset record updated → disposal certificate stored.
  • Offboarding checklist that includes physical return tracking. ISO 27001 A.5.11 requires you to evidence the return.

Software asset management: the EOL problem

Log4Shell taught the industry an expensive lesson: “we didn’t know we were using it” isn’t a defence. CIS Control 2 says: software inventory, allowlist, unauthorised software detected and removed.

For SaaS engineering teams:

  • SBOM (Software Bill of Materials) per release for the application stack. Most CI tools can generate this automatically.
  • Dependency scanning (Dependabot, Renovate, Snyk) with policy on EOL libraries.
  • Approved software allowlist for endpoint installations — enforced via MDM or EDR.
  • SaaS application inventory: SSO-discovered apps + expense-report review + browser extension audit. Shadow SaaS is rampant.
  • EOL software prohibition with a 6-month-before-EOL replacement plan.

The cloud asset problem — and how to fix it

Manual cloud inventories fail within weeks. Auto-scaling, ephemeral containers, and developer-driven provisioning create assets faster than humans can record them. The solution is automation plus a tagging policy.

Mandatory cloud resource tagging policy:

Tag | Required value | Purpose
environment | prod / staging / dev | Blast-radius scoping, control selection
owner | team email or Slack channel | Accountability and on-call routing
data-classification | public / internal / confidential / restricted | Drives encryption, monitoring, access controls
project | project code | Cost allocation and scoping
cost-centre | finance code | Chargeback / showback

Enforcement: AWS Config rules / GCP Organization Policy / Azure Policy block creation of untagged production resources. CSPM tools (Wiz, Orca, Prisma Cloud, AWS Security Hub) flag drift. Untagged resources get a 7-day remediation SLA, then auto-terminate in non-production and Security review in production.
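The tagging table and the enforcement rule above, as an added example that is not part of the original guide: a pure-Python check over a constructed inventory that reports each resource's disposition and the overall tag coverage. The inventory records, ids and dates are made up; in practice the same logic would sit behind an AWS Config custom rule or a CSPM query.

```python
"""Tag-policy check over a constructed cloud inventory: required tags and
allowed values from the table above, a 7-day remediation SLA, then
auto-terminate in non-production and Security review in production."""
from datetime import date, timedelta

REQUIRED_TAGS = {  # a set lists the allowed values; None means free text
    "environment": {"prod", "staging", "dev"},
    "owner": None,
    "data-classification": {"public", "internal", "confidential", "restricted"},
    "project": None,
    "cost-centre": None,
}
REMEDIATION_SLA = timedelta(days=7)

def tag_violations(tags):
    """List every missing tag or disallowed value in one resource's tag set."""
    problems = []
    for name, allowed in REQUIRED_TAGS.items():
        value = tags.get(name)
        if not value:
            problems.append(f"missing tag '{name}'")
        elif allowed is not None and value not in allowed:
            problems.append(f"tag '{name}' has disallowed value '{value}'")
    return problems

def disposition(resource, today):
    """'compliant', 'within-sla', or the post-SLA action for one resource."""
    if not tag_violations(resource["tags"]):
        return "compliant"
    if today - resource["first_flagged"] < REMEDIATION_SLA:
        return "within-sla"
    is_prod = resource["tags"].get("environment") == "prod"
    return "security-review" if is_prod else "auto-terminate"

def report(inventory, today):
    """Per-resource dispositions plus tag coverage (the >95% audit metric)."""
    results = {r["id"]: disposition(r, today) for r in inventory}
    compliant = sum(1 for v in results.values() if v == "compliant")
    return results, compliant / len(inventory)

AS_OF = date(2026, 6, 10)
SAMPLE = [  # constructed records: ids, dates and owners are made up
    {"id": "i-0aaa", "first_flagged": date(2026, 6, 1), "tags": {
        "environment": "prod", "owner": "platform@example.com", "project": "billing",
        "data-classification": "confidential", "cost-centre": "CC-100"}},
    {"id": "i-0bbb", "first_flagged": date(2026, 6, 1), "tags": {
        "environment": "dev", "owner": "dev@example.com"}},
    {"id": "i-0ccc", "first_flagged": date(2026, 6, 8), "tags": {
        "environment": "prod", "owner": "#team-x", "project": "x",
        "data-classification": "secret", "cost-centre": "CC-200"}},
    {"id": "i-0ddd", "first_flagged": date(2026, 6, 1), "tags": {"environment": "prod"}},
]
```

Running `report(SAMPLE, AS_OF)` gives one compliant resource (25% coverage), one dev resource past its SLA marked for auto-termination, one prod resource past its SLA routed to Security review, and one still within the SLA.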

Infrastructure as Code is the only sustainable answer. If production resources can be created by clicking around the console, your asset inventory will always be wrong. Mandate Terraform / CDK / Pulumi for production; allow click-ops only in dev sandboxes with auto-cleanup.

Secrets are assets too — and they’re the forgotten class

Most asset policies don’t mention API keys, certificates, or SSH keys. Breach reports do. The 2024 Snowflake-customer incidents were credential-driven. The classic GitHub-leaked-AWS-key pattern still works. Secrets are assets:

  • Secrets manager mandatory for production. AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, Doppler. Not env files in CI.
  • Pre-commit scanning (gitleaks, trufflehog) and CI scanning to prevent hardcoded secrets from being merged.
  • Certificate inventory with expiry monitoring. Outage from an expired cert is embarrassing; outage from a non-inventoried internal CA cert is preventable.
  • SSH key rotation. Annual rotation or on departure. Forgotten keys from ex-employees on production servers are a recurring finding.
  • API key rotation policy. Different cadences per key type — service accounts (90 days, automated), user PATs (annual or on departure), signing keys (per cryptography policy).
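The rotation cadences and certificate-expiry monitoring from the list above, as an added example that is not from the original guide: a check over a constructed secrets inventory that says which keys to rotate, which to revoke because the owner has left, and which certificates need renewal. The 30-day certificate warning window and the record fields (type, created, expires, owner_active) are assumptions.

```python
"""Secrets-inventory check over constructed records: service-account keys
rotate every 90 days, user PATs and SSH keys annually or on the owner's
departure, signing keys defer to the cryptography policy, and certificates
are flagged when they expire inside the (assumed) 30-day warning window."""
from datetime import date, timedelta

ROTATION_MAX_AGE = {  # None: governed by the cryptography policy, not judged here
    "service-account": timedelta(days=90),
    "user-pat": timedelta(days=365),
    "ssh-key": timedelta(days=365),
    "signing-key": None,
}
CERT_WARNING = timedelta(days=30)  # assumed warning window, not from the guide

def secret_action(item, today):
    """Return 'ok', 'renew', 'revoke', 'rotate' or 'crypto-policy' for one record."""
    if item["type"] == "certificate":
        # Certificates are judged on remaining validity, not on age.
        return "renew" if item["expires"] - today <= CERT_WARNING else "ok"
    if not item["owner_active"]:
        return "revoke"  # departed owner: revoke regardless of key age
    max_age = ROTATION_MAX_AGE[item["type"]]
    if max_age is None:
        return "crypto-policy"
    return "rotate" if today - item["created"] > max_age else "ok"

def findings(inventory, today):
    """Map every record that needs attention to its action; 'ok' records are omitted."""
    return {i["id"]: a for i in inventory if (a := secret_action(i, today)) != "ok"}

AS_OF = date(2026, 6, 10)
SAMPLE = [  # constructed records: ids, owners and dates are made up
    {"id": "sa-ci-deploy", "type": "service-account", "owner_active": True,
     "created": date(2026, 1, 15)},
    {"id": "pat-alice", "type": "user-pat", "owner_active": True,
     "created": date(2026, 3, 1)},
    {"id": "ssh-bob-prod", "type": "ssh-key", "owner_active": False,
     "created": date(2024, 12, 1)},
    {"id": "sign-release", "type": "signing-key", "owner_active": True,
     "created": date(2025, 1, 1)},
    {"id": "cert-internal-ca", "type": "certificate", "owner_active": True,
     "expires": date(2026, 7, 1)},
    {"id": "cert-public", "type": "certificate", "owner_active": True,
     "expires": date(2027, 1, 1)},
]

if __name__ == "__main__":
    for sid, action in findings(SAMPLE, AS_OF).items():
        print(f"{sid}: {action}")
```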

Asset disposal — the NIST 800-88 standard

Disposal is where asset management intersects with GDPR Art. 17 (right to erasure) and HIPAA Device & Media Controls. NIST SP 800-88 Rev. 1 is the standard:

Method | When to use | Verification
Clear (overwrite) | Reuse within organisational control; lower-sensitivity data | Tool output
Purge (cryptographic erase / degauss) | Retirement of media holding sensitive data; covers most retirements | Tool output + verification scan
Destroy (shred / pulverise / incinerate) | Highly sensitive media; non-rewritable media | Certificate of destruction

For cloud resources, deletion must be confirmed (terminated instance + volume deleted + snapshot deleted). For physical media, a disposal certificate — with asset ID, method, date, and signatures — is your audit evidence. Keep certificates for the same retention period as the data they held.

PCI DSS Req 9.8 requires cardholder data to be rendered unrecoverable when no longer needed, with documented and verified procedures. GDPR Art. 17 doesn’t prescribe a method but requires that erasure is effective — your disposal procedure is the evidence.

The minimum viable asset management policy (8 items)

  1. Inventory tool selected for each asset class (hardware via MDM, cloud via Config/Asset Inventory, software via SBOM, secrets via secrets manager).
  2. Mandatory fields documented (ID, type, owner, custodian, classification, location, status).
  3. Cloud resource tagging policy with enforcement and untagged-resource SLA.
  4. SaaS application inventory — SSO discovery + expense report review at least quarterly.
  5. Secrets management tool mandated; no hardcoded credentials policy with CI enforcement.
  6. Onboarding adds assets; offboarding returns and revokes them. Both checklists exist and are followed.
  7. Quarterly reconciliation of automated inventory vs documented inventory; discrepancies investigated.
  8. NIST 800-88 disposal procedure with disposal certificate retention.

What good looks like at audit

A clean asset management audit involves:

  • The asset management policy, board-approved with current version date.
  • A current asset inventory export, with quarterly reconciliation evidence.
  • Cloud tagging compliance dashboard showing >95% tag coverage.
  • Sample disposal certificates for recent decommissioned assets.
  • Offboarding records showing asset return and credential revocation.
  • Software allowlist evidence and EOL exception register.


⚠️ This guide is for informational purposes only and does not constitute legal or security advice. Asset management requirements depend on your specific risk profile and regulatory scope. Consult a qualified security professional for implementation guidance.