Defining asset ownership is crucial for effective information security management and ISO 27001 certification. The asset owner is responsible for ensuring that adequate security measures are in place and is accountable for managing the asset's confidentiality, integrity and availability.
This article explores the criteria for assigning asset owners and the responsibilities they hold within an ISO 27001-compliant Information Security Management System (ISMS).
Defining Asset Ownership
Asset ownership is a key principle in ISO 27001 that involves designating a person who has organisational authority over specific information assets.
The asset owner is typically someone who is capable of making informed decisions about the asset's security controls and is responsible for implementing those controls.
Criteria for Selecting an Asset Owner
Understanding of the Asset: The owner must have a thorough understanding of the asset's purpose, nature, and the environment in which it is processed, stored, and transmitted.
Position of Authority: The owner should be in a position of authority sufficient to enforce security policies and procedures pertaining to the asset.
Knowledge of Security Practices: They must be knowledgeable about the ISO 27001 standard and competent in managing the security aspects of the asset, including risk assessment and mitigating controls.
Decision-Making Capability: The owner must have the authority and ability to make decisions regarding the security and handling of the asset.
Access to the Asset: Ideally, the owner should have direct access to the asset and its related information to manage it effectively.
Who Should Be the Asset Owner?
The role of an asset owner is not limited to IT personnel; it encompasses a wide range of potential candidates across the organisation:
IT Manager/Systems Administrator: For IT systems, networks, and software, the IT Manager or a specific Systems Administrator is usually the best choice as they have technical control and understanding of the systems.
Human Resources Manager: For employee data or personal information assets, the HR Manager is typically the owner, given their responsibility for handling employee information.
Finance Manager: For financial data, including transaction records and financial reporting systems, the Finance Manager should be the owner.
Legal Counsel: For assets that involve sensitive legal information or intellectual property, an organisation's legal counsel should be designated as the asset owner.
Operations Manager: For physical assets and operational data, such as manufacturing systems, inventory, and supply chain information, the Operations Manager is often suitable.
Marketing Manager: For customer databases and marketing plans, the Marketing Manager usually takes ownership, as these assets are used primarily for marketing strategies.
Responsibilities of the Asset Owner
Risk Assessment: Conduct regular risk assessments to identify vulnerabilities and threats to the assets.
Security Controls: Implement appropriate security controls based on the risk assessment and monitor their effectiveness.
Policy Development: Develop and maintain policies for the proper management, use, and protection of the assets.
Incident Management: Handle security incidents and breaches involving the assets and take corrective actions.
Compliance: Ensure the asset complies with legal, regulatory, and contractual requirements.
Information Classification: Classify information in accordance with the organisation's classification scheme to determine the level of controls that are required.