Asset Register Form Fields Explained

Written by Sally Wood
Updated over a year ago

ISO 27001 stipulates the importance of maintaining an accurate and comprehensive asset register. This register forms part of an organisation's Information Security Management System (ISMS) and helps in identifying, managing, and protecting information assets.

Understanding the fields in de.iterate's Asset Register is critical for ensuring the integrity and effectiveness of your ISMS. This article explains the key fields found in a typical asset register form within the context of ISO 27001 certification.

Status

The current operational status of the asset. Indicates if the asset should be considered in the current risk assessment and if it requires active management. The options include:

  • Active: currently in use

  • Decommissioned: withdrawn from service

  • New Inactive: not in use, but not yet decommissioned

Date Added

When the asset was first included in the register. Helps track the asset's age and may impact the evaluation of its vulnerabilities and life cycle.

Last Review Date

The date of the last formal review of the asset's security controls. Ensures regular checks and updates on the asset’s security posture, as required by the standard.

Next Review Date

Scheduled date for the next review of the asset. Ensures ongoing attention to and assessment of the asset, maintaining ISO 27001 compliance.

Category

Specifies the type of asset being registered. Helps in categorising assets for risk assessment and applying appropriate controls. The options include:

  • People: Employees or staff who interact with information systems are considered assets because their knowledge and behaviour can significantly impact information security.

  • Infrastructure: like servers and networks

  • IT Hardware: like computers, phones, and mobile devices

  • Software: like operating systems and applications (Windows, iOS), project management software (Jira, Asana, Trello), finance software (MYOB, Xero), communication software (Slack)

  • Documentation: like data files (configuration files, sensitive data repositories), technical documents, user manuals, policies and SOPs, contracts, and business plans

  • Outsourced Services: Cloud services (IaaS, PaaS, SaaS), communications (telephony, email service), outsourced services (IT support, security monitoring)

Name

The unique identifier or common name for the asset. Facilitates precise identification and tracking of assets within the ISMS.

Owner

The individual with assigned responsibility for managing and securing the asset. Establishes accountability for implementing and maintaining security controls. For more information, read our more detailed help article: Who Should Be the Asset Owner?

Criticality

The importance of the asset to the organisation’s operations. Assists in prioritising which assets require more stringent controls based on their value to the organisation.

Risk

The level of risk associated with the asset. Guides the allocation of resources and controls to mitigate identified risks.

Location

Physical or digital location of the asset. Critical for physical security, disaster recovery, and access controls.

Data Classification

The confidentiality level assigned to information assets. Determines handling requirements and protection measures. The options include:

  • Customer Confidential: Data or information that is considered sensitive to a customer and is not to be disclosed outside the contractual agreement or without the customer’s consent. This could include personal data, business transactions, or any information provided by the customer under the expectations of privacy and protection.

  • Business Confidential: Information that is proprietary or sensitive to the business and requires restricted access within the company. It typically includes trade secrets, internal strategies, financial records, or any data that could harm the business if disclosed to competitors or the public.

  • Public: Information that can be freely accessed and disclosed without any restrictions or potential harm to individuals or the company. This includes materials intended for public consumption like press releases, marketing materials, or published financial reports.

Subprocessor

Indicates if a third-party subprocessor is used in relation to the asset. Requires additional controls and agreements to manage data processing by external entities.

Publish in Privacy Policy

Whether the asset is mentioned in publicly available privacy disclosures. Relates to compliance with privacy laws and transparency requirements.

Legal Obligations

Legal or regulatory requirements associated with the asset. Directly influences the security controls required for compliance and risk management. For more information, read our more detailed help article: What Does the 'Legal Obligations' Field Mean in the Asset Register?

Annual Security Review Completed

Confirmation of whether an annual security review has been performed. Verifies that the asset's security controls are reviewed regularly in alignment with ISO 27001's continual improvement emphasis.

Vendor Monitoring

Indicates whether ongoing oversight of vendor-supplied assets or services is conducted. Critical for managing risks associated with third-party vendors and ensuring service delivery aligns with security requirements.
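The fields above together describe one register record, and several of them (Status, the review dates, Owner, Subprocessor, Vendor Monitoring) carry rules that can be checked automatically. The following is an added example, not de.iterate's own code or data model: it models a register entry with the field values listed in this article and runs a few hygiene checks over a small constructed register. The field names, the check logic and the sample assets are assumptions chosen to illustrate the descriptions above; the export format of the real product is not shown on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


# Option values as listed in this article (hypothetical Python names).
class Status(Enum):
    ACTIVE = "Active"                  # currently in use
    DECOMMISSIONED = "Decommissioned"  # withdrawn from service
    INACTIVE = "New Inactive"          # not in use, not yet decommissioned


class Category(Enum):
    PEOPLE = "People"
    INFRASTRUCTURE = "Infrastructure"
    IT_HARDWARE = "IT Hardware"
    SOFTWARE = "Software"
    DOCUMENTATION = "Documentation"
    OUTSOURCED_SERVICES = "Outsourced Services"


class Classification(Enum):
    CUSTOMER_CONFIDENTIAL = "Customer Confidential"
    BUSINESS_CONFIDENTIAL = "Business Confidential"
    PUBLIC = "Public"


@dataclass
class Asset:
    """One asset register entry (field set assumed from the article)."""
    name: str
    category: Category
    status: Status
    owner: Optional[str]
    classification: Classification
    date_added: date
    last_review: Optional[date]
    next_review: Optional[date]
    subprocessor: bool = False
    vendor_monitoring: bool = False
    annual_review_completed: bool = False


def in_scope(register: list[Asset]) -> list[Asset]:
    """Assets that belong in the current risk assessment: everything not decommissioned."""
    return [a for a in register if a.status != Status.DECOMMISSIONED]


def findings(asset: Asset, today: date) -> list[str]:
    """Register-hygiene findings for one asset; an empty list means the entry looks clean."""
    out: list[str] = []
    if asset.status == Status.DECOMMISSIONED:
        return out  # withdrawn from service, so no active management is expected
    if not asset.owner:
        out.append("no owner assigned")  # no accountability for the controls
    if asset.next_review is None:
        out.append("no next review date scheduled")
    elif asset.next_review < today:
        out.append(f"review overdue by {(today - asset.next_review).days} days")
    if asset.last_review and asset.next_review and asset.next_review <= asset.last_review:
        out.append("next review date is not after last review date")
    if (asset.status == Status.ACTIVE and not asset.annual_review_completed
            and asset.last_review is not None
            and today - asset.last_review > timedelta(days=365)):
        out.append("annual security review not completed within the last 12 months")
    if asset.subprocessor and not asset.vendor_monitoring:
        out.append("subprocessor in use without vendor monitoring")
    return out


def report(register: list[Asset], today: date) -> dict[str, list[str]]:
    """Map each in-scope asset name to its findings."""
    return {a.name: findings(a, today) for a in in_scope(register)}


# Constructed sample register; names and dates are made up for the example.
TODAY = date(2024, 6, 1)
REGISTER = [
    Asset("Payroll system", Category.SOFTWARE, Status.ACTIVE, "Finance Lead",
          Classification.BUSINESS_CONFIDENTIAL, date(2022, 5, 10),
          date(2024, 1, 15), date(2025, 1, 15), annual_review_completed=True),
    Asset("Customer database", Category.OUTSOURCED_SERVICES, Status.ACTIVE, None,
          Classification.CUSTOMER_CONFIDENTIAL, date(2021, 9, 1),
          date(2023, 3, 1), date(2024, 3, 1), subprocessor=True),
    Asset("Old file server", Category.INFRASTRUCTURE, Status.DECOMMISSIONED, None,
          Classification.BUSINESS_CONFIDENTIAL, date(2018, 2, 1), None, None),
]

if __name__ == "__main__":
    for name, items in report(REGISTER, TODAY).items():
        print(f"{name}: {'; '.join(items) if items else 'ok'}")
```

Run as a script it prints one line per in-scope asset; the decommissioned server is excluded from the report entirely, which mirrors the Status field's role of deciding whether an asset is considered in the current risk assessment.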
