ISO 27001 is a robust framework for managing information security. It provides requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The standard not only optimises security practices but also helps organisations to manage the security of assets such as financial information, intellectual property, employee details, and third-party information.
Definition of Assets in ISO 27001
It is important to note that ISO 27001 does not include a specific definition of assets.
However, in the context of ISO 27001, 'assets' are anything that has value to the organisation and is essential for performing business activities.
ISO 27001 recognises that the protection of these assets, through the implementation of appropriate security controls, is critical to the integrity and security of corporate information.
Examples of Different Types of Assets
Information Assets
These are the primary focus of ISO 27001 and include both electronic and physical information. Examples include:
Databases and data files
Contracts and business plans
Intellectual property
Customer data
Employee data
Company policies and procedures
Physical Assets
These are tangible items that require physical security measures. Examples include:
Computers
Servers
Mobile devices (phones and tablets)
Network devices (routers, switches, and so on)
Printing devices and scanners
Security systems (CCTV, biometrics, and so on)
Office equipment and furniture
Software Assets
These are critical for maintaining the IT infrastructure and supporting business processes. Examples include:
Operating systems and applications
System management tools
Development tools
Backup and encryption software
Services
Often overlooked, these are also assets and include both internal and external services critical to business operations. Examples include:
Cloud services (IaaS, PaaS, SaaS)
Communications (telephony, email service)
Outsourced services (IT support, security monitoring)
People
Employees or staff who interact with information systems are considered assets because their knowledge and behaviour can significantly impact information security.