Asset Management is a central aspect of an ISO 27001 Information Security Management System (ISMS). Effective asset management ensures that the confidentiality, integrity and availability of assets are maintained to support the overall business objectives and security posture of the organisation.
Defining Asset Management in ISO 27001
Asset Management according to ISO 27001 involves the systematic process of developing, operating, maintaining, upgrading and disposing of assets while protecting the information within the organisation. The standard requires assets to be appropriately protected to prevent financial loss, harm to the organisation's reputation, and legal consequences.
Key Elements of Asset Management
Although ISO 27001 does not have a formal definition for asset management, it has three specific controls in its Annex A to ensure proper asset management. These are outlined below.
Asset Inventory
A.5.9 – Inventory of information and other associated assets: all information and related assets need to be identified and have an owner responsible for protecting the confidentiality, integrity, and availability of the information.
An asset inventory acts as the foundation of an effective Asset Management process. ISO 27001 requires organisations to maintain a comprehensive inventory of all assets within the scope of the ISMS. Each listed asset should include details such as:
Description and location
Ownership details
Classification information
Asset Ownership
Clear asset ownership must be defined for each asset. This means assigning a responsible person who will be accountable for the asset's information security. The owner is responsible for defining, applying, and maintaining the necessary security controls.
Once properly completed, your de.iterate Asset Register satisfies this control.
Asset Classification
Assets need to be classified based on their importance and sensitivity in terms of confidentiality, integrity, and availability. The classification guides how assets are used, handled and protected. Common classifications include:
Public
Internal use only
Sensitive
Confidential
Once properly completed, your de.iterate Asset Register satisfies this control.
Acceptable Use of Assets
A.5.10 – Acceptable use of information and other associated assets: rules for proper use of assets need to be defined, documented, and implemented.
ISO 27001 requires defining rules for the acceptable use of assets. These rules should be communicated to all employees and users to minimise the risk of asset misuse. This involves specifying what is allowed and what is prohibited for each asset in order to safeguard its security.
Once properly completed, your de.iterate Asset Register satisfies this control.
Return of Assets
Procedures must be established for the return of assets when they are no longer required or when an employee leaves the organisation. This helps maintain the security of those assets and ensures that they are appropriately decommissioned or reallocated.
Implementing Asset Management
Implementing asset management under ISO 27001 involves several steps, all of which are taken care of via the correct and regular use of the de.iterate platform:
Asset Identification and Classification: Identify all assets and classify them according to their sensitivity and importance to the business operations.
Assigning Responsibilities: Define clear roles and responsibilities for asset management, including assigning asset owners.
Developing an Asset Management Policy: Draft and implement policies that outline standards for purchasing, handling, and disposing of assets.
Regular Audits and Reviews: Conduct regular audits and reviews to ensure compliance with the asset management policy and to update the asset inventory as required.