Are you ready for an ISO/IEC 19770-1 audit?
Managing IT assets well is now a business imperative. ISO/IEC 19770-1 provides a globally accepted framework for IT Asset Management (ITAM) that supports better risk management, compliance, and control over expenditure. Yet even well-prepared organizations often fall into the same common audit failures during an ISO/IEC 19770-1 certification audit or surveillance audit.
To help businesses navigate this challenge, we interviewed more than 100 experienced ISO/IEC 19770-1 Lead Auditors and spent as many hours analyzing real-life audit reports. The result? A practical guide that outlines the major failures encountered during an ISO/IEC 19770-1 audit and strategies for avoiding them.
This article will equip you with knowledge of common pitfalls organizations encounter and the necessary actions for real results, whether you are preparing for your ISO/IEC 19770-1 audit, pursuing the Certified ISO/IEC 19770-1 Lead Auditor certification, or simply trying to improve your current ITAM system.
ISO/IEC 19770-1 compliance is no longer just about clearing the audit: it is about building a culture of IT Asset Management (ITAM) characterized by discipline, transparency, and risk awareness throughout your organization.
It improves visibility of assets, supports software license management, mitigates risks, and improves operational efficiency. Non-compliance or failing an audit can lead to penalties, costs, or delays in certification.
In this blog post, we look at the common ISO/IEC 19770-1 audit failure situations and some practical remedies, drawn from the findings of auditors and specialists.
By identifying these situations early and correcting them, your organization will ease and expedite the audit process and incur less risk.
📌 Clause: 5.1 – Leadership and Commitment
What’s Going Wrong:
Many organizations manage their assets informally without a formal policy that outlines governance, objectives, and responsibilities.
Why It Matters During an Audit:
ISO/IEC 19770-1 requires a documented policy to ensure consistency and governance across asset management practices.
How to Fix It:
✔ Draft and communicate a formal ITAM policy
✔ Define roles, objectives, and performance expectations
✔ Ensure top management signs off and supports the policy
Real-World Result:
A clear ITAM policy provides a foundation for audit scope and ensures everyone is aligned with organizational goals.
📌 Clause: 5.3 – Organizational Roles, Responsibilities, and Authorities
What’s Going Wrong:
ITAM roles are often ambiguous, and multiple teams share responsibilities without clear ownership.
Why It Matters During an Audit:
Auditors require defined roles to assess accountability. Without clarity, asset management is often ineffective.
How to Fix It:
✔ Assign clear ownership for asset lifecycle stages
✔ Use a RACI matrix to define roles and responsibilities
✔ Regularly review and update as teams evolve
Real-World Result:
Clear role definitions enhance accountability and improve asset control across departments.
📌 Clause: 8.1 – Planning and Control of Asset Management Processes
What’s Going Wrong:
Incomplete or outdated asset records are common, leading to discrepancies between physical assets and the inventory.
Why It Matters During an Audit:
ISO/IEC 19770-1 requires a comprehensive and up-to-date asset inventory for audit accuracy.
How to Fix It:
✔ Implement an automated asset discovery tool
✔ Conduct quarterly physical audits
✔ Regularly reconcile asset records against actual inventory
Real-World Result:
Accurate and complete inventory records provide transparency and reduce audit risk.
📌 Clause: 8.2 – Lifecycle Processes
What’s Going Wrong:
Procurement and ITAM systems operate separately, leading to missing or inconsistent asset records.
Why It Matters During an Audit:
ISO/IEC 19770-1 mandates integration to ensure assets are accurately tracked from purchase to disposal.
How to Fix It:
✔ Integrate procurement and ITAM systems for real-time updates
✔ Use automated tools to sync asset data across platforms
✔ Ensure all new assets are recorded in both systems upon purchase
Real-World Result:
Seamless data flow between systems reduces errors and provides a unified view of assets.
📌 Clause: 8.3 – Software Asset Management
What’s Going Wrong:
Software licenses are not tracked or monitored, leading to over-usage or non-compliance.
Why It Matters During an Audit:
ISO/IEC 19770-1 expects proper license management to mitigate risks and avoid vendor disputes.
How to Fix It:
✔ Implement software metering tools to track usage
✔ Perform quarterly software license audits
✔ Regularly reconcile software installations with entitlements
Real-World Result:
Enhanced license compliance and cost control, preventing unnecessary software penalties.
📌 Clause: 8.2 – Lifecycle Processes
What’s Going Wrong:
Assets are not properly tracked through their lifecycle, from acquisition to disposal, leading to missed opportunities for optimization.
Why It Matters During an Audit:
ISO/IEC 19770-1 requires all assets to be fully managed throughout their lifecycle to minimize risk and cost.
How to Fix It:
✔ Define and implement a comprehensive asset lifecycle policy
✔ Track all asset stages (e.g., acquisition, maintenance, disposal)
✔ Ensure proper asset disposal and data destruction procedures
Real-World Result:
Reduced costs, fewer security risks, and improved compliance with asset disposal regulations.
📌 Clause: 8.3 – Software License Management
What’s Going Wrong:
Software usage is not monitored or reported, leading to potential violations of licensing agreements.
Why It Matters During an Audit:
ISO/IEC 19770-1 requires detailed usage monitoring to ensure that organizations are not violating license agreements.
How to Fix It:
✔ Implement software tracking tools to monitor usage patterns
✔ Set up alerts for license breaches or overuse
✔ Regularly reconcile usage data with software entitlements
Real-World Result:
Minimized software audit risks and better resource allocation.
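The reconciliation steps in the Clause 8.1 fix list (asset records against discovered inventory) and in both Clause 8.3 fix lists (software installations and usage against entitlements) come down to the same kind of check: compare what the records say against what is actually observed and record every discrepancy as an audit finding. The following Python script is an added example, not code from the original post or from any ITAM product; the asset register, discovery results, installation list and entitlement counts are constructed sample data, and the field names are assumptions. It also handles one edge case auditors look for: the same installation reported twice by two discovery runs, which must not be counted as two seats.

```python
"""Reconciliation checks for ITAM records (constructed sample data).

Two checks an internal ITAM review typically runs before an external audit:
  1. asset register vs. discovery results (Clause 8.1 fix list)
  2. software installations vs. licence entitlements (Clause 8.3 fix lists)
All data below is constructed for illustration; field names are assumptions.
"""
from collections import Counter

# --- constructed sample data -------------------------------------------------
# Asset register (e.g. a CMDB export): serial number -> owning department
ASSET_REGISTER = {
    "SN-1001": "finance",
    "SN-1002": "engineering",
    "SN-1003": "hr",            # recorded, but discovery never sees it
}
# Discovery tool results (agent check-in or network scan): serial -> host name
DISCOVERED = {
    "SN-1001": "fin-laptop-01",
    "SN-1002": "eng-laptop-07",
    "SN-1004": "unknown-host-3",  # on the network, but never recorded
}
# Installed software as reported by discovery: (host, product) pairs.
# The duplicate OfficeSuite row simulates two discovery runs reporting the
# same installation twice; it must count as one seat.
INSTALLS = [
    ("fin-laptop-01", "OfficeSuite"),
    ("fin-laptop-01", "OfficeSuite"),   # duplicate report of the same install
    ("eng-laptop-07", "OfficeSuite"),
    ("hr-laptop-02", "OfficeSuite"),
    ("eng-laptop-07", "CADPro"),
    ("eng-laptop-09", "CADPro"),        # second CADPro install, one seat licensed
    ("eng-laptop-07", "DBStudio"),
    ("fin-laptop-01", "Shadowware"),    # no entitlement record exists at all
]
# Entitlements: product -> number of licensed seats (constructed values)
ENTITLEMENTS = {"OfficeSuite": 3, "CADPro": 1, "DBStudio": 2}


def reconcile_assets(register, discovered):
    """Return (unrecorded, missing).

    unrecorded: serials seen by discovery that are absent from the register
    missing:    serials in the register that discovery never observed
    """
    reg, disc = set(register), set(discovered)
    return sorted(disc - reg), sorted(reg - disc)


def reconcile_licenses(installs, entitlements):
    """Return the effective licence position per product.

    'delta' is spare seats when positive and over-deployment when negative;
    a product with no entitlement record is reported as 'unlicensed'.
    """
    # De-duplicate (host, product) pairs so repeated discovery reports of the
    # same installation are counted once.
    installed = Counter(product for _host, product in set(installs))
    position = {}
    for product in sorted(set(installed) | set(entitlements)):
        used = installed.get(product, 0)
        owned = entitlements.get(product)
        if owned is None:
            status, delta = "unlicensed", None
        elif used > owned:
            status, delta = "over-deployed", owned - used
        else:
            status, delta = "compliant", owned - used
        position[product] = {"installed": used, "entitled": owned,
                             "status": status, "delta": delta}
    return position


def findings(register, discovered, installs, entitlements):
    """Build the list of discrepancies to record as internal-review evidence."""
    notes = []
    unrecorded, missing = reconcile_assets(register, discovered)
    notes += [f"ASSET unrecorded: {s} seen on {discovered[s]}" for s in unrecorded]
    notes += [f"ASSET missing: {s} (owner {register[s]}) not discovered" for s in missing]
    for product, pos in reconcile_licenses(installs, entitlements).items():
        if pos["status"] != "compliant":
            notes.append(f"LICENCE {pos['status']}: {product} installed="
                         f"{pos['installed']} entitled={pos['entitled']}")
    return notes


if __name__ == "__main__":
    for line in findings(ASSET_REGISTER, DISCOVERED, INSTALLS, ENTITLEMENTS):
        print(line)
```

Run against real exports, the two reconciliation functions take the CMDB and discovery data as dictionaries and the installation list as (host, product) pairs; the findings list is what goes into the internal audit record so that each discrepancy has a documented corrective action before the external auditor asks for it.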
📌 Clause: 6.1 – Risk and Opportunity Management
What’s Going Wrong:
IT assets are not adequately secured, either physically or digitally, exposing the organization to security breaches.
Why It Matters During an Audit:
ISO/IEC 19770-1 expects asset security to be a priority, especially for critical assets and sensitive data.
How to Fix It:
✔ Implement strong security measures for all physical and digital assets
✔ Regularly audit access controls and track asset movements
✔ Encrypt sensitive data on all assets
Real-World Result:
Stronger protection of critical assets and reduced risk of data breaches.
📌 Clause: 8.2.6 – Disposal and Retirement
What’s Going Wrong:
Assets are disposed of without documented processes, leading to data loss or non-compliance with regulatory requirements.
Why It Matters During an Audit:
ISO/IEC 19770-1 requires secure, documented asset retirement and disposal procedures to ensure data protection.
How to Fix It:
✔ Establish formal asset disposal policies and procedures
✔ Use certified vendors for asset destruction and data wiping
✔ Maintain records of all disposals and certifications
Real-World Result:
Reduced risk of data exposure and compliance with regulatory standards.
📌 Clause: 9.2 – Internal Audit
What’s Going Wrong:
There is no periodic internal review or audit of the ITAM system, leading to missed compliance gaps or inefficiencies.
Why It Matters During an Audit:
ISO/IEC 19770-1 expects ongoing monitoring and internal audits to ensure continuous compliance and improvement.
How to Fix It:
✔ Conduct regular internal audits of the ITAM system
✔ Review audit results with relevant teams and take corrective actions
✔ Schedule audits as part of an ongoing continuous improvement plan
Real-World Result:
Proactive issue resolution and strengthened audit preparedness.
ISO/IEC 19770-1 compliance is more than an audit pass or fail; it is about the application of successful, efficient, and secure IT Asset Management (ITAM) practices throughout the organization.
By confronting the top 10 ISO/IEC 19770-1 audit failures and implementing their fixes, you will not only maintain readiness for audits but also improve your asset management system, reduce costs, and lower risks.
Now that you know what an ISO/IEC 19770-1 audit looks for, it is time to apply these actionable insights and set your organization on the path to audit success.