How to Turn an Excel Asset List Into a Compliant Register

How to Turn an Excel Asset List Into a Compliant Register

A practical ISO 27001 playbook to migrate excel asset list to compliant asset register, assign owners, preserve evidence, and validate control 5.9.

LakeRidge Team
July 17, 2026
9 min read

Share:

Schedule Your Free Compliance Consultation

Feeling overwhelmed by compliance requirements? Not sure where to start? Get expert guidance tailored to your specific needs in just 15 minutes.

Personalized Compliance Roadmap
Expert Answers to Your Questions
No Obligation, 100% Free

CMMC Phase 2 begins November 10, 2026.

To migrate excel asset list to compliant asset register, first establish a reliable source of truth, standardize asset records and ownership, clean and reconcile the spreadsheet data, then move approved records through a controlled cutover with evidence of review. For ISO 27001 control 5.9, the result must be a maintained inventory of information and other associated assets that identifies accountable owners—not merely a better-formatted spreadsheet.

1. What should the current-state assessment reveal?

Begin by treating the existing Excel file as evidence of the current process, not as a register that must be preserved exactly. As the compliance officer, your goal is to identify where the organization cannot currently demonstrate that its inventory is complete, owned, current, and governed. ISO 27001 Annex A control 5.9 requires that “an inventory of information and other associated assets, including owners, shall be developed and maintained.”[1]

Request every asset-related spreadsheet maintained by IT, security, finance, procurement, cloud operations, facilities, and major business units. Mid-market firms commonly have separate lists for laptops, servers, SaaS subscriptions, data repositories, network equipment, and suppliers. The gap is often not the absence of data; it is that no one can prove which list is authoritative.

  • Completeness: Compare spreadsheet rows with endpoint-management, directory, cloud, procurement, and finance records.
  • Ownership: Measure how many assets have a named business owner, technical custodian, or both.
  • Data quality: Identify blank asset IDs, duplicate serial numbers, inconsistent classifications, retired systems marked active, and generic owners such as “IT Team.”
  • Coverage: Confirm whether the list includes information assets, applications, cloud services, physical devices, virtual infrastructure, and supporting documentation.
  • Maintenance: Determine who updates the file, what events trigger updates, how changes are approved, and whether revision history exists.
  • Evidence: Check whether you can show an auditor when the inventory was last reviewed and who approved exceptions.

Create a short findings register before selecting or configuring a target platform. For example, record that Microsoft Intune identifies 846 managed endpoints while the Excel list contains 711; that 38 percent of application records lack a business owner; and that no formal process removes retired SaaS services. These are measurable migration requirements, not abstract weaknesses.

2. How do you design a target state before you migrate excel asset list to compliant asset register?

The target state should define a governed asset-register service: a system of record, a minimum data model, defined roles, lifecycle workflows, integrations, review intervals, and audit evidence. A mature configuration management database is useful, but it is not mandatory. A mid-market firm may use ServiceNow CMDB, Jira Service Management Assets, Freshservice, Lansweeper, or a controlled SharePoint List where access, approval, history, and reporting are adequately configured.

Do not design the register around every column found in Excel. Design it around decisions you must make and evidence you must produce. Every record should have a stable identifier, an asset type, a lifecycle status, and a named owner accountable for decisions about the asset. Technical support responsibility may be delegated to a custodian, but accountability should not be assigned to a mailbox or department name alone.

Required field Example value Control purpose
Asset ID APP-00427 Provides a persistent, traceable reference.
Asset type SaaS application Supports reporting and lifecycle rules by category.
Asset name HubSpot Marketing Hub Allows users and auditors to identify the asset.
Business owner Director of Marketing Demonstrates ownership required by ISO 27001 control 5.9.
Technical custodian Business Applications Manager Identifies the party maintaining the service.
Information classification Confidential Connects inventory data to handling requirements.
Lifecycle status Active Prevents retired assets from appearing operational.
Last owner review 2026-06-30 Supplies maintenance and review evidence.

Set governance rules before migration begins. For example, require quarterly owner attestations for high-risk applications and information repositories, annual attestations for standard endpoints, and approval from the security team when an asset is marked “retired” but still contains regulated information. Define a data steward—often IT asset management or security operations—to operate the process, while business owners remain accountable for their assigned assets.

3. What phased migration plan reduces compliance and operational risk?

A phased approach lets you correct data and governance failures before they become defects in the new register. The following five phases are practical for a mid-market organization and create clear milestones for your audit trail.

Phase 1: Establish scope and governance

Approve the asset taxonomy, mandatory fields, ownership definitions, review cadence, and exception process. Confirm which teams own source data and nominate decision-makers for unresolved records.

  • Milestone: The CISO, IT operations lead, and business governance sponsor approve the register standard and RACI.
  • Exit criterion: Every asset category has an accountable business owner role and a data steward.

Phase 2: Extract, profile, and map the source data

Export the Excel list in read-only form and preserve the original file with a date, owner, and checksum in your evidence repository. Profile null values, duplicates, invalid dates, obsolete categories, and inconsistent owner names. Map each valid source column to a target field; document fields that will be discarded or transformed.

  • Milestone: A signed data-mapping workbook identifies every source column and transformation rule.
  • Exit criterion: The team can explain how each target field is populated or why it remains pending remediation.

Phase 3: Clean, enrich, and reconcile records

Deduplicate using durable identifiers such as serial number, hostname, cloud resource ID, application URL, or procurement contract number. Enrich records from Microsoft Intune, Microsoft Entra ID, AWS Config, procurement records, and service desk tickets. Send ownership queues to department leaders rather than allowing IT to guess the business owner.

  • Milestone: At least 95 percent of in-scope active assets have a valid owner, status, and asset type.
  • Exit criterion: Unresolved records are formally accepted as time-bound exceptions with named remediation owners.

Phase 4: Configure and test the target register

Configure roles so that stewards can create and update records, business owners can attest to ownership, and general users have read-only access where appropriate. Enable record history, required fields, approval workflows, and export restrictions. Test imports using a non-production project or sandbox before loading the full dataset.

  • Milestone: User acceptance testing confirms required fields, audit history, reporting, and access controls.
  • Exit criterion: Test results and remediation decisions are approved by the process owner.

Phase 5: Load, attest, and retire the legacy process

Load cleansed records in controlled batches by asset type. Assign records to owners for attestation, resolve rejected assignments, and reconcile record counts against approved source totals. The legacy spreadsheet should become read-only after cutover; continuing parallel updates destroys the source-of-truth model.

  • Milestone: The compliance officer receives a signed cutover report and owner-attestation status report.
  • Exit criterion: The register is declared authoritative and the Excel update process is withdrawn.

4. What should the cutover runbook and rollback plan contain?

A cutover runbook turns a risky data move into an auditable operational change. Schedule it outside month-end financial processing or a major technology release window, and assign a named decision authority who can approve rollback.

  1. Freeze edits to the Excel asset list and save a dated, read-only archive.
  2. Export the final source file and record row counts by asset category.
  3. Run validation checks for required fields, duplicate identifiers, invalid owner accounts, and unsupported lifecycle statuses.
  4. Import records into the production register using a controlled import account.
  5. Run reconciliation reports comparing source totals, imported totals, rejected rows, and records pending owner assignment.
  6. Request owner attestations for critical assets and report exceptions to the migration sponsor.
  7. Announce the new system of record, update procedures, and remove edit access from the legacy spreadsheet.
Import settings: Jira Service Management Assets
Object type: Business Application
Unique attribute: Asset ID
Required attributes: Asset ID, Asset Name, Business Owner, Lifecycle Status
Owner validation: Match Microsoft Entra ID user principal name
Duplicate handling: Reject and write to migration-exceptions.csv
Audit setting: Retain import source and execution log for 24 months

Define rollback conditions in advance: more than 2 percent of records rejected, any loss of owner assignments for critical assets, missing audit history, unauthorized access permissions, or failed reconciliation against the approved source snapshot. If triggered, disable new record creation, restore the pre-import configuration or delete the import batch according to the platform’s documented procedure, reopen the archived spreadsheet as a temporary read-only reference, and log the incident and corrective actions. Rollback is not a return to uncontrolled spreadsheet editing; it is a controlled pause while defects are corrected.

5. How do you validate that the new register satisfies ISO 27001 control 5.9?

Post-migration validation must test both the data and the operating process. A clean initial import does not prove that the inventory will be maintained after employees buy software, deploy cloud resources, change roles, or retire devices.

  • Sample records across all asset types and confirm that the asset, owner, status, classification, and review date are accurate.
  • Reconcile endpoint totals against Intune, cloud resources against AWS Config or Azure Resource Graph, and applications against procurement and SSO records.
  • Verify that owner attestations, edits, approvals, and exceptions create immutable or retained audit history.
  • Test lifecycle events: create a new asset, transfer an owner, retire an asset, and reopen a record requiring remediation.
  • Confirm that quarterly and annual review reports identify overdue owner attestations and assets without required information.
  • Retain the migration plan, source archive, mapping, test evidence, reconciliation report, approvals, and final register extract as audit evidence.

A useful final measure is a compliance dashboard showing active assets, percentage with named owners, overdue reviews, unresolved exceptions, and reconciliation variance by source system. This allows management to see whether the organization continues to maintain the inventory, rather than treating the project as a one-time effort to convert an Excel file into a new tool.

Next step: Schedule a 60-minute asset-register discovery session with IT, procurement, security, and business-unit leaders to approve your current-state evidence and assign owners for the first remediation queue.

 

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 CMMC Level 1 Compliance App

CMMC Level 1 Compliance

Become compliant, provide compliance services, or verify partner compliance with CMMC Level 1 Basic Safeguarding of Covered Contractor Information Systems requirements.
 NIST SP 800-171 & CMMC Level 2 Compliance App

NIST SP 800-171 & CMMC Level 2 Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC Level 2 requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ECC Compliance App

ECC Compliance

Become compliant, provide compliance services, or verify partner compliance with Essential Cybersecurity Controls (ECC – 2 : 2024) requirements.