PolicyForge

How to write an asset management policy

An asset management policy keeps an accurate inventory of what you own and protect. Here is what to include — inventory, ownership, lifecycle — with a free template.

Why the inventory comes first

You cannot protect what you do not know you have. An asset management policy defines how you identify, own and track information assets — hardware, software, data and cloud services — across their lifecycle. It underpins almost every other control, which is why auditors start here.

What to include

  1. Scope — asset types covered (devices, servers, SaaS, data stores, cloud resources).
  2. Inventory — a maintained register with key attributes (owner, location, classification, criticality).
  3. Ownership — every asset has a named owner accountable for its protection.
  4. Lifecycle — acquisition, deployment, maintenance, and secure disposal/wiping.
  5. Acceptable use — link to your acceptable use policy.
  6. Return of assets — recovery on offboarding.
  7. Review — periodic reconciliation of the inventory against reality.

Common mistakes

  • A one-off inventory that is never updated.
  • Assets with no owner, so no one is accountable.
  • Forgetting SaaS and cloud resources, which now dominate the estate.
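One way to run the periodic reconciliation, and to catch the mistakes listed above, is to compare the register with what discovery tooling actually sees. The script below is an added example, not part of the original post or any PolicyForge template; the CSV layout, asset IDs and discovery set are constructed for illustration.

```python
import csv
import io

# Register attributes named in the "Inventory" item of the outline above.
REQUIRED = ("owner", "location", "classification", "criticality")

# Constructed sample register (hypothetical asset IDs and values).
REGISTER_CSV = """asset_id,type,owner,location,classification,criticality
lt-0142,device,a.khan,London,internal,medium
srv-db01,server,,eu-west-1,confidential,high
crm-saas,saas,j.ortiz,vendor-hosted,confidential,
lt-0099,device,m.silva,Berlin,internal,low
"""

# Constructed discovery result: IDs merged from MDM, cloud and SSO exports.
DISCOVERED = {"lt-0142", "srv-db01", "crm-saas", "s3-logs-archive", "notes-saas"}


def reconcile(register_csv, discovered):
    """Compare the register with discovered assets and return the gaps."""
    reader = csv.DictReader(io.StringIO(register_csv))
    rows = {r["asset_id"].strip(): r for r in reader}
    incomplete = {}
    for asset_id, row in rows.items():
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            incomplete[asset_id] = missing
    registered = set(rows)
    return {
        # Registered, but nobody is accountable for the asset.
        "unowned": sorted(a for a, m in incomplete.items() if "owner" in m),
        # Registered, but one or more key attributes are blank.
        "incomplete": incomplete,
        # Seen in the environment but absent from the register.
        "unregistered": sorted(discovered - registered),
        # In the register but not seen: disposed, returned or lost?
        "not_seen": sorted(registered - discovered),
    }


if __name__ == "__main__":
    for finding, items in reconcile(REGISTER_CSV, DISCOVERED).items():
        print(f"{finding}: {items}")
```

Each finding maps to a policy action: assign an owner, complete the record, register or retire the unknown asset, and confirm disposal or return for anything no longer seen.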

Framework alignment

An asset management policy maps to ISO 27001:2022 Annex A 5.9–5.11 (inventory, ownership, return of assets), the SOC 2 criteria, and NIST CSF Identify (ID.AM).

Generate it in minutes

See a sample asset management policy or generate yours free.