Creating a comprehensive asset register is a foundational step in implementing an Information Security Management System (ISMS) compliant with ISO 27001. This register not only aids in identifying and managing risks but also supports the overall security processes of the organisation.
For those beginning their ISO 27001 journey, compiling a detailed asset register can be daunting. This article provides practical guidance on how to do this as efficiently as possible.
Step-by-Step Guide to Building an Asset Inventory
1. Understand the Importance of an Asset Register
An asset register serves as the cornerstone of your ISMS, capturing all items that hold value to your organisation and are therefore potential targets for security threats. It includes not just IT equipment and information, but also other resources critical to your operations. If you haven't already, take a look at our other articles:
2. Conduct Interviews with Department Heads
The most efficient way to gather comprehensive asset details is through interviews with each department head. Use the “describe-what-you-see” technique:
Software: Ask them to list all the software systems and applications installed on their computers.
Personnel: Include all individuals working under the department.
Equipment: List all physical assets present in their office spaces, like computers, printers, and other peripherals.
3. Consolidate Existing Registers
Avoid redundancy by integrating any existing asset lists (such as fixed asset registers or software licence logs) into your de.iterate Asset Register. This not only saves time but also ensures consistency in asset data across the organisation.
4. Details to Include in the Asset Register
ISO 27001 does not specify the exact details to list, giving organisations the flexibility to adapt the inventory to their needs. Essential elements include:
Asset Name and Description
Asset Owner
Classification
Location
Associated Risks
Protective Controls
Additional details might include notes on the asset’s condition, related legal issues, or specific handling requirements.
All these fields are laid out in the de.iterate platform. Simply fill in the form for each asset.
5. Assign an Owner to Each Asset
Defining asset ownership is crucial for effective information security management and ISO 27001 certification. The asset owner is responsible for ensuring that adequate security measures are in place and is accountable for managing the asset's confidentiality, integrity and availability.
If you haven't already, read our article: Who Should Be the Asset Owner According to ISO 27001?
6. Assign Responsibility for the Asset Register
Typically, the person leading the ISO 27001 implementation project, often the Chief Information Security Officer (CISO), is responsible for compiling and updating the asset register. This individual should ensure all information is accurate, comprehensive, and regularly updated.
7. Regularly Review and Update the Register
An asset register is not a static document; it requires ongoing maintenance to remain relevant. Schedule regular reviews to add new assets, remove obsolete items, and update existing entries as needed to reflect the current threat landscape and organisational changes.
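The steps above (consolidating existing registers, recording the essential fields, giving every asset an owner, and reviewing entries on a schedule) can be checked mechanically once the register is held as structured data. The following is an added example, not code from this article or from the de.iterate platform: a small Python model of an asset register that merges two constructed source lists, flags entries with no owner, an unrecognised classification, or risks without protective controls, and lists assets whose last review is older than a chosen cadence. The classification labels, the 365-day review window and the sample assets are all assumptions.

```python
"""Minimal ISO 27001-style asset register: schema, consolidation and review checks.
Added example with constructed data; field names follow the article's list of essentials."""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Optional

# Assumed classification scheme; ISO 27001 leaves the labels to the organisation.
CLASSIFICATIONS = ("public", "internal", "confidential", "restricted")


@dataclass
class Asset:
    name: str
    description: str
    owner: str                     # accountable person or role; must not be empty
    classification: str
    location: str
    risks: list = field(default_factory=list)
    controls: list = field(default_factory=list)
    last_reviewed: Optional[date] = None
    source: str = "interview"      # which register or interview the entry came from

    def problems(self) -> list:
        """Reasons this entry is not yet acceptable; empty list if it is fine."""
        issues = []
        if not self.owner.strip():
            issues.append("missing owner")
        if self.classification not in CLASSIFICATIONS:
            issues.append(f"unknown classification {self.classification!r}")
        if self.risks and not self.controls:
            issues.append("risks recorded without protective controls")
        return issues


def _key(name: str) -> str:
    """Normalise an asset name so 'Reception Printer' and 'reception  printer' match."""
    return " ".join(name.lower().split())


def consolidate(*registers) -> list:
    """Merge several registers into one entry per asset name.
    The first occurrence is kept; later duplicates fill a missing owner or review
    date and contribute any risks or controls the kept entry lacks."""
    merged = {}
    for reg in registers:
        for a in reg:
            k = _key(a.name)
            if k not in merged:
                # copy so the caller's source lists are not mutated
                merged[k] = replace(a, risks=list(a.risks), controls=list(a.controls))
                continue
            kept = merged[k]
            kept.risks += [r for r in a.risks if r not in kept.risks]
            kept.controls += [c for c in a.controls if c not in kept.controls]
            if not kept.owner.strip() and a.owner.strip():
                kept.owner = a.owner
            if a.last_reviewed and (kept.last_reviewed is None or a.last_reviewed > kept.last_reviewed):
                kept.last_reviewed = a.last_reviewed
    return list(merged.values())


def needs_review(register, today: date, max_age_days: int = 365) -> list:
    """Names of assets never reviewed or reviewed more than max_age_days ago."""
    cutoff = today - timedelta(days=max_age_days)
    return [a.name for a in register
            if a.last_reviewed is None or a.last_reviewed < cutoff]


def sample_registers():
    """Constructed sample data: a department-interview list and an existing fixed-asset register."""
    interviews = [
        Asset("Payroll System", "SaaS payroll", "Head of Finance", "confidential", "Cloud",
              risks=["unauthorised access"], controls=["SSO with MFA"],
              last_reviewed=date(2024, 3, 1)),
        Asset("Reception Printer", "Shared MFP", "", "internal", "Ground floor"),
    ]
    fixed_assets = [
        Asset("reception printer", "MFP, asset tag FA-0042", "Office Manager", "internal",
              "Ground floor", last_reviewed=date(2024, 1, 15), source="fixed asset register"),
        Asset("Backup NAS", "On-site backups", "IT Lead", "top-secret", "Server room",
              risks=["data loss"], source="fixed asset register"),
    ]
    return interviews, fixed_assets


def audit(today: date = date(2024, 6, 1)):
    """Consolidate the sample registers and report problems and overdue reviews."""
    register = consolidate(*sample_registers())
    findings = {a.name: a.problems() for a in register if a.problems()}
    return register, findings, needs_review(register, today)


if __name__ == "__main__":
    reg, findings, stale = audit()
    for a in reg:
        print(f"{a.name:<18} owner={a.owner!r:<18} class={a.classification} from {a.source}")
    print("problems:", findings)
    print("overdue review:", stale)
```

Run as-is it merges the two copies of the printer into one entry (taking the owner and review date from the fixed-asset register), reports the NAS for an unknown classification and for risks with no controls, and lists the NAS as overdue because it has never been reviewed. The same checks can be run against an export from whatever tool holds the real register.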
8. Integrate with Other ISMS Processes
Ensure that your asset register is fully integrated with other ISMS processes, such as risk assessment, access control, and incident management. This integration helps in applying cohesive and effective security controls across all organisational assets.
The de.iterate platform does this for you automatically.
9. Train Your Team
Finally, training your team on the importance of the asset register and their role in maintaining it is crucial. Regular training sessions can help ensure that all employees understand how to identify and report changes to the asset inventory.