How do I complete the Asset and Supplier Register form fields?

ISO 27001 stipulates the importance of maintaining an accurate and comprehensive asset register. This
register forms part of an organisation's Information Security Management System (ISMS) and helps in
identifying, managing, and protecting information assets.

Understanding the fields in de.iterate's Asset Register is critical for ensuring the integrity and effectiveness of your ISMS. This article explains the key fields found in a typical asset register form within the context of ISO 27001 certification.

Name: This is the title or identifier of the asset or supplier. For an asset, this could be the name of the device, application, or system (e.g. HR Management System, Laptop-123, AWS Production Server). For a supplier, this would typically be the name of the company or vendor (e.g. Amazon Web Services, Adobe, IT Support Co). The Name field should be clear and specific so it’s easy to recognise what the item is at a glance in your register.

Status: The current operational status of the asset. Indicates if the asset should be considered in the current risk assessment and if it requires active management. The options include:
  • Active: currently in use
  • Decommissioned: withdrawn from service
  • New Inactive: not in use, but not yet decommissioned

Date Added: When the asset was first included in the register. Helps track the asset's age and may impact the evaluation of its vulnerabilities and life cycle.

Last Review Date: The date of the last formal review of the asset's security controls. Ensures regular checks and updates on the asset’s security posture, as required by the standard.

Next Review Date: Scheduled date for the next review of the asset. Ensures ongoing attention to and assessment of the asset, maintaining ISO 27001 compliance.

Category: Specifies the type of asset being registered. Helps in categorising assets for risk assessment and applying appropriate controls. The options include:
  • Infrastructure: servers and networks
  • IT Hardware: computers, phones, and mobile devices
  • Software: operating systems and applications (Windows, iOS), project management software (Jira, Asana, Trello), finance software (MYOB, Xero), communication software (Slack)
  • Documentation: data files (configuration files, sensitive data repositories), technical documents, user manuals, policies, and SOPs, contracts and business plans
  • Outsourced Services: cloud services (IaaS, PaaS), communications (telephony, email service), outsourced services (IT support, security monitoring)

Owner: The individual with assigned responsibility for managing and securing the asset. Establishes accountability for implementing and maintaining security controls.

Criticality: The importance of the asset to the organisation’s operations. Assists in prioritising which assets require more stringent controls based on their value to the organisation.

Risk: The level of risk associated with the asset. Guides the allocation of resources and controls to mitigate identified risks.

Data Classification: The confidentiality level assigned to information assets. Determines handling requirements and protection measures. These options are editable in Customer Settings to match your classification guidelines, and include:
  • Customer Confidential: Data or information that is considered sensitive to a customer and is not to be disclosed outside the contractual agreement or without the customer’s consent. This could include personal data, business transactions, or any information provided by the customer under the expectations of privacy and protection.
  • Business Confidential: Information that is proprietary or sensitive to the business and requires restricted access within the company. It typically includes trade secrets, internal strategies, financial records, or any data that could harm the business if disclosed to competitors or the public.
  • Public: Information that can be freely accessed and disclosed without any restrictions or potential harm to individuals or the company. This includes materials intended for public consumption like press releases, marketing materials, or published financial reports.

Subprocessor: Used when evaluating if this supplier processes Personal Information (PI) or Personally Identifiable Information (PII). Additional Privacy controls are required for Subprocessors.

Publish in Privacy Policy: This feature interacts with our Digital Privacy Policy feature. If enabled, this vendor's Name will be published in your digital privacy policy.

Annual Security Review Completed: Confirmation of whether an annual security review has been performed. Verifies that the asset's security controls are reviewed regularly in alignment with ISO 27001's continual improvement emphasis.
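The Status, Last Review Date, Next Review Date, Subprocessor and Annual Security Review Completed fields together determine which register entries still need attention. The following is an added example, not de.iterate's own code: it assumes the register has been exported as CSV with column headings matching the form field labels above, and runs over a few constructed rows to flag active entries whose review is overdue or unscheduled, and subprocessors that have no completed annual security review.

```python
"""Review-due check over a constructed asset and supplier register export.

Added example, not part of de.iterate. Assumption: the register is exported
as CSV and the column headings match the form field labels (Name, Status,
Last Review Date, Next Review Date, Subprocessor, Annual Security Review
Completed). The rows below are constructed sample data.
"""
import csv
import io
from datetime import date

# Constructed sample export; values are illustrative only.
SAMPLE_REGISTER_CSV = """\
Name,Status,Category,Last Review Date,Next Review Date,Subprocessor,Annual Security Review Completed
HR Management System,Active,Software,2024-01-10,2025-01-10,No,Yes
Laptop-123,Decommissioned,IT Hardware,2022-03-01,2023-03-01,No,No
Amazon Web Services,Active,Outsourced Services,2024-06-15,2025-06-15,Yes,Yes
Payroll Bureau,Active,Outsourced Services,2023-02-20,2024-02-20,Yes,No
Shared Drive,Active,Documentation,2024-05-01,,No,Yes
"""


def load_register(csv_text):
    """Parse the exported register into a list of dicts keyed by column heading."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_date(value):
    """Return a date for an ISO 'YYYY-MM-DD' string, or None if the cell is empty."""
    value = (value or "").strip()
    return date.fromisoformat(value) if value else None


def find_issues(rows, today_iso):
    """Return a list of (Name, issue) tuples for entries needing attention.

    Entries whose Status is not Active are skipped: the Status field marks
    decommissioned and inactive items as outside the current risk assessment.
    """
    today = date.fromisoformat(today_iso)
    issues = []
    for row in rows:
        if row["Status"].strip() != "Active":
            continue
        name = row["Name"]
        next_review = parse_date(row["Next Review Date"])

        # Next Review Date drives the ongoing review cadence the standard expects.
        if next_review is None:
            issues.append((name, "no next review date scheduled"))
        elif next_review < today:
            issues.append((name, f"review overdue since {next_review.isoformat()}"))

        # Subprocessors handle PI/PII and so require the additional privacy controls;
        # an uncompleted annual security review is flagged for them.
        if row["Subprocessor"].strip() == "Yes" and row["Annual Security Review Completed"].strip() != "Yes":
            issues.append((name, "subprocessor without a completed annual security review"))
    return issues


def review_report(csv_text, today_iso):
    """Convenience wrapper: load the export and return its issues."""
    return find_issues(load_register(csv_text), today_iso)


if __name__ == "__main__":
    for name, issue in review_report(SAMPLE_REGISTER_CSV, "2024-09-01"):
        print(f"{name}: {issue}")
```

The date used as "today" is passed in rather than read from the clock so the check is reproducible in a test; in practice you would pass `date.today().isoformat()`.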

Vendor Monitoring: Indicates whether ongoing oversight of vendor-supplied assets or services is conducted. Critical for managing risks associated with third-party vendors and ensuring service delivery aligns with security requirements.

Vendor Website: Enter the URL of the vendor’s website. de.iterate polls the vendor’s website and, using third-party integrations, captures the cyber security hygiene score for that vendor and displays it in de.iterate. This is useful when performing regular vendor security reviews and provides insight into the vendor’s cyber hygiene.

Related Controls: This field allows you to link the asset or supplier to specific security controls from your framework (e.g., ISO 27001 Annex A controls). This provides important context to the supplier or asset and shows the key controls selected to apply to this asset to help mitigate risks identified by the business.

Data Types Shared: Specifies the categories of data the asset interacts with or processes. Examples include Personal Information (PI), financial data, health data, or intellectual property.

Data Storage Locations: Identifies where the data associated with the asset is physically or digitally stored. This could include cloud regions, on-premises servers, or third-party locations. This multi-select menu identifies the country in which your data is stored for a specific asset or supplier.

Portable: Indicates whether the asset is portable (e.g., laptop, USB, mobile phone).

Serial Number: The manufacturer’s unique identifier for an asset. Typically used for physical assets such as laptops, routers, or mobile devices.

Physical Label (Yes/No): A dropdown indicating if the asset has a visible physical label or asset tag affixed.

Label: This field captures the actual content of the physical label or asset tag (e.g., Asset-IT-0023).

Backups Required (Yes/No): Indicates whether the data on the asset needs to be backed up regularly.

Component ID: This is the unique identifier automatically assigned to each asset or supplier when it’s added to de.iterate. It’s used throughout the platform to connect related components, generate audit reports, provide insights, and help demonstrate how your compliance program operates during audits.