ISO 27001 Annex A.8 – Asset Management

Vimal Mohan

Mar 17, 2024

ISO 27001 asset management is, by definition, the set of processes an organization uses to identify its assets and apply security measures to them. That sounds straightforward; in practice it is tricky.

Organizations often fail to identify, and therefore to secure, confidential information that is stored across multiple locations. Leaving even one of those assets unprotected can be very costly. To get started with asset management effectively, this guide covers what you need to know about ISO 27001 Annex A.8.

We also have a customizable asset management template for you at the end! Let’s get started.

What are assets according to ISO 27001?

In the 2005 revision of ISO/IEC 27001, an ‘asset’ is anything that has value to the organization. When organizations build an asset inventory they tend to think of tangible assets such as hardware, infrastructure and people, and miss intangible assets such as know-how, intellectual property and brand.

An asset in an organization can be:

  • Information
  • Intangible assets – brand, IP, customer loyalty
  • People – employees, contractors, freelancers, volunteers, interns
  • Hardware – servers, laptops, desktops, cloud servers, POS devices, mobile devices, and more
  • Software – SaaS accounts, access to internal software
  • Services – email, access to internal databases
  • Offices – physical access to the office building, off-site processing units, warehouses, server farms

What is ISO 27001 asset management?

ISO 27001 asset management is the practice of identifying information assets of the organization, assessing the associated risks, and establishing security controls for protecting them.

Asset management sits under Annex A.8.1, Responsibility for assets. Its aim is to ensure that every asset in the organization is identified, has a defined owner, and is managed and protected throughout its lifecycle.

ISO 27001 Annex A.8 – Asset Management

Annex A.8 is one of the 14 Annex A control sets in ISO 27001:2013. It focuses on identifying assets, assigning responsibility for them, and setting out security practices for the different asset types. (The 2022 revision of the standard carries these controls over but regroups them under its Organisational and Physical themes, for example 5.9 Inventory of information and other associated assets and 7.10 Storage media.) Asset management is a crucial step both for achieving ISO certification and for running a sound ISMS.

What is ISO 27001 asset management policy?

ISO 27001 asset management policy is a set of documented protocols for identifying the organization’s assets and managing them effectively to prevent unauthorized access or misuse.

The policy establishes guidelines for creating a detailed inventory, assigning owners responsible for each asset, controlling access to assets, and handling the retrieval and return of assets. Its purpose is to track and manage the lifecycle of assets from initial procurement to disposal.

What is the objective of Annex A.8 of ISO 27001:2013?

Annex A.8.1 (Responsibility for assets) sets out an organization’s responsibilities towards its assets: it must identify them and define appropriate protection responsibilities for each. A.8.1 is an essential requirement of an Information Security Management System, especially for any business seeking ISO 27001 certification.

Let us take a deeper look at the requirements of this Annex:

A.8.1.1 Inventory of Assets

An inventory of an organization’s assets is essential to build an effective ISMS.

During an ISO 27001 audit, the lead auditor reviews the asset inventory and how it is maintained as evidence of how well the ISMS performs. A detailed section later in this article explains how to build an inventory of assets.

A.8.1.2 Ownership of Assets

Every asset in the inventory must have an asset owner. The owner is responsible for managing the asset effectively throughout its lifecycle. An owner can be an individual or an entire department.

When ownership of an asset changes, record the change in the inventory so that responsibility is never left undefined.

A.8.1.3 Acceptable Use of Assets

Acceptable use of assets is usually implemented through an ‘Acceptable Use Policy’. Make sure the policy covers not just employees but also freelancers, contractors, interns, volunteers, and any other type of worker, and that it defines the appropriate use of each information asset according to the level of access each group has to it.

A.8.1.4 Return of Assets

When employees or external users leave the organization, they must return its hardware, and their access to internal systems and third-party software must be revoked. Both the return of hardware and the revocation of access must be recorded and the records kept.

Any failed hardware-return instance should be flagged as a security incident, and measures to resolve that incident should be applied.  

Having a functioning ISO 27001 Asset Management policy is important for a strong ISMS. Organizations can use tools to ensure that all the assets an employee has access to get returned/revoked successfully.
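As an added example (not from the article), here is a Python check that implements the return-of-assets control described above: it compares an HR leavers list against account exports from each system and the hardware register, and reports every access grant still active and every device not returned once the last working day has passed, so that each gap can be raised as a security incident. All the data, system names, field names and status values are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (illustrative only, not from the article):
# an HR leavers list, account exports from each system, and the hardware register.
LEAVERS = [
    {"user": "alice", "last_day": date(2024, 3, 1)},
    {"user": "bob",   "last_day": date(2024, 3, 8)},
    {"user": "dave",  "last_day": date(2024, 4, 30)},   # notice given, not yet left
]

ACCOUNTS = [
    {"system": "idp",    "user": "alice", "status": "DEPROVISIONED"},
    {"system": "github", "user": "alice", "status": "active"},      # revocation missed
    {"system": "vpn",    "user": "alice", "status": "disabled"},
    {"system": "idp",    "user": "bob",   "status": "Active"},      # revocation missed
    {"system": "github", "user": "carol", "status": "active"},      # current employee
    {"system": "idp",    "user": "dave",  "status": "active"},      # still employed
]

HARDWARE = [
    {"tag": "LT-0042", "assigned_to": "alice", "returned": True},
    {"tag": "LT-0077", "assigned_to": "bob",   "returned": False},  # not returned
    {"tag": "YK-0101", "assigned_to": "bob",   "returned": True},
]

# Account states that still grant access (assumed vocabulary); anything else counts as revoked.
ACTIVE_STATES = {"active", "enabled", "provisioned"}

# The date the check is run as of (constructed).
AS_OF = date(2024, 3, 15)


@dataclass(frozen=True)
class Gap:
    user: str
    kind: str     # "access_not_revoked" or "hardware_not_returned"
    detail: str   # system name or asset tag


def revocation_gaps(leavers, accounts, hardware, today):
    """Return every access grant or device still outstanding for a leaver
    whose last working day is on or before `today`."""
    gaps = []
    for leaver in leavers:
        if leaver["last_day"] > today:
            continue  # still employed; nothing to revoke yet
        user = leaver["user"]
        for acct in accounts:
            if acct["user"] == user and acct["status"].lower() in ACTIVE_STATES:
                gaps.append(Gap(user, "access_not_revoked", acct["system"]))
        for item in hardware:
            if item["assigned_to"] == user and not item["returned"]:
                gaps.append(Gap(user, "hardware_not_returned", item["tag"]))
    return gaps


def incidents(gaps):
    """Group the gaps per leaver: one incident record per person, listing
    everything that must still be revoked or recovered."""
    by_user = {}
    for gap in gaps:
        by_user.setdefault(gap.user, []).append(f"{gap.kind}:{gap.detail}")
    return by_user


if __name__ == "__main__":
    found = revocation_gaps(LEAVERS, ACCOUNTS, HARDWARE, AS_OF)
    for user, items in incidents(found).items():
        print(f"INCIDENT offboarding incomplete for {user}: {', '.join(items)}")
```

Status values are compared case-insensitively because each system exports them differently; the comparison is deliberately an allow-list of states that still grant access, so an unexpected status never passes as "revoked". Run against real exports, the output of `incidents` is the list of failed-return cases the text says should be flagged and resolved.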

A.8.2.1 Classification of Information

The objective of A.8.2.1 (Classification of information) is to make sure information receives protection in proportion to its importance. The standard requires information to be classified in terms of:

  • Legal requirements
  • Value
  • Criticality
  • Sensitivity to unauthorised disclosure or modification

The classification scheme should also make clear what the risk is when information in each class is accessed by an unauthorized user.

Here’s an example of how the classification model helps organizations:

Any information listed on their public business websites can be tagged as ‘public’, while the Information on their commercials or Information they share in confidence can be tagged as ‘Sensitive.’

Organizations are free to classify their assets as they see fit and to apply security measures and policies accordingly. However, over-simplify the classification and you end up with too few controls; over-complicate it and apply controls too aggressively and people can no longer reach the assets they need for day-to-day work. The aim is a middle ground that balances accessibility and security.

A.8.2.2 Labelling of Information

Labelling is the practical application of classification. Classification decides how much protection an asset needs; labelling marks the asset, physically or in its metadata, so that anyone handling it can see its classification and treat it accordingly.

While there is no specified requirement detailing where labelling should start or where it should end, there are a few must-haves every organization’s labelling process should include:

  • Describe and document the labelling method used for each asset type
  • Specify where the label is attached for each kind of information asset
  • Identify the assets that do not need a label
  • Define rules for sharing your labelling scheme, internally and with external parties
  • Document the label names used for each asset type

While following the requirements for labelling Information, ensure that they are not too complicated and are easy to use; else, these get dropped. Introducing the use of labelling as a part of your organization’s culture towards security is a great way to promote adoption.

A.8.2.3 Handling of Assets

How assets are handled is a cornerstone of an organization’s ISMS. Each asset must be placed in a class of the organization’s classification model, and procedures for handling each class must be developed and implemented.

Here are three things to include when creating the handling procedures in an asset management policy:

  • Access restrictions, depending on the classification of the asset
  • Logging of access to the asset, including unauthorized access attempts (tip: automate the access record so that it is updated whenever a new user is granted access)
  • Storage of assets, physical and virtual, in the manner the manufacturer recommends

If your organization also handles customer data, present a data map of how customer data flows through your business. Demonstrate measures taken to ensure data security during processing. This helps present a strong ISMS posture.

A.8.3.1 Management of Removable Media

Every organization must put in place a policy for removable media that reflects its asset classification. Permission to use removable media should be granted only to those whose job requires it. Removable media should be stored in secure locations protected by access controls, to prevent unauthorized access.

Likewise, when the contents of reusable media are no longer required, they should be made unrecoverable, either by securely erasing the media or by destroying it.

A.8.3.2 Disposal of Media

When media no longer serves its purpose and is no longer needed by the business, it must be destroyed securely, so that no confidential information remains available for unauthorized use.

Any media that contains confidential information must be disposed of securely. Defining which media requires secure disposal, and including that guidance in employee ISO 27001 training, helps build a strong security posture.

Here are a few ways to make sure your organization disposes of its media the right way:

  • Before any media or asset is disposed of, check whether it holds confidential information or licensed software.
  • Physical media or equipment that held confidential data should be physically destroyed, or the data erased or overwritten in a way that makes it unrecoverable.
  • Any media leaving your organization should be free of data (encrypted, overwritten, or otherwise rendered unusable).
  • Any physical or virtual label previously attached to the media for reference should be removed or destroyed irreversibly.

A.8.3.3 Physical Media Transfer

When transporting physical media, here are a few steps you could follow to ensure your media is not exposed to unauthorized access, misuse, or corruption during its transit.

  • Use a reputed or reliable courier service to transport your media
  • Use appropriate protection measures to protect the media from physical damage during transit.
  • Maintain a log of the contents of the data and protection applied when sent from the source and compare contents and packaging when they reach the destination to look for any signs of tampering.

What are the four controls of asset management?

Annex A.8.1 lists four controls designed to help businesses manage their assets.

The four controls for asset management:

  • Inventory of assets
  • Ownership of assets
  • Acceptable use of assets
  • Return of assets

Asset Management ensures that every asset (existing + New ones that get added) within an organization has:

  • A robust process to make their asset inventories
  • Assigned owners to ensure smooth management of each asset class
  • A defined process to implement access control
  • A defined asset retrieval policy (return policy)

With these four processes in place, businesses get full visibility of their asset universe and have complete control over each asset at every level. Without this visibility, it becomes impossible to maintain a secure ISMS (Information Security Management System). We discuss these processes and how businesses can implement them further in the article.

Why is asset management ISO 27001 important for security management?

Asset management directly influences information security, and the influence is negative when a business fails to implement a robust asset management strategy. Here is why:

When organizations perform ISO 27001 risk assessments, they examine their assets to identify the risks each asset is exposed to, find existing vulnerabilities, and pick out areas for improvement for the risk treatment plan.

If you don’t know what you have, you will never deploy measures to secure it; unknown, vulnerable assets then surface as incidents, and information security incident management suffers as a result.

How to build an asset inventory?

The best time to build an asset inventory is while your organization assesses its risk. Risk assessment requires your organization to list all the assets in its business environment. Then, use that list as the starting point of your asset inventory and talk to every business function head and ask them to give an exhaustive list of the assets in use.

You could ask them to look at their device and start telling you about everything they see. For example, the software on their devices, the documents they have, any financial data of the business, all the physical assets on their desks, if their desks have locks, how many members are in their teams, and what kind of applications they need and so on.

This, when done right, will give you an exhaustive list of assets your business owns or interacts with.

Then organize the list by category, for example employees, software, contractors, cloud infrastructure, physical infrastructure and removable media, and update it periodically. Syncing inventory updates with your periodic risk assessment cycle is good practice.

Who should be the asset owner?

Every asset in an organization should have a designated owner, and that owner should manage the asset on a day-to-day basis.

For example

For shared assets like cloud services, the overall ownership of the service should belong to the CTO (Chief Technology Officer) or the CISO (Chief Information Security Officer), while for files created and used by employees within the cloud account, the file’s creator should be the owner. 

It is the responsibility of asset Owners to ensure that their assets are:

  • Accounted for (inventoried)
  • Classified(an appropriate level of security is provided based on classification)
  • Subject to controls and security measures, 
  • Destroyed safely and securely
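As an added example (not from the article), the following Python reconciliation shows how the inventory-building steps above and the owner responsibilities just listed can be checked continuously rather than once a year: a constructed asset inventory is compared with a constructed list of assets discovered from the environment (for instance a cloud API export), and the script reports assets nobody inventoried, inventory entries that no longer exist, and entries with no owner or no valid classification. Asset identifiers, field names, status values and the classification labels are all assumptions made for the illustration.

```python
# Constructed sample data (illustrative only, not from the article).
# INVENTORY is what the organization believes it owns; DISCOVERED is what an
# automated scan of the environment actually found.
INVENTORY = [
    {"id": "s3://acme-invoices", "type": "cloud-storage", "owner": "finance-lead", "classification": "confidential"},
    {"id": "i-0abc123",          "type": "cloud-server",  "owner": "",             "classification": "internal"},
    {"id": "LT-0042",            "type": "laptop",        "owner": "alice",        "classification": None},
    {"id": "i-0dead00",          "type": "cloud-server",  "owner": "cto",          "classification": "internal"},
]

DISCOVERED = [
    {"id": "s3://acme-invoices",    "type": "cloud-storage"},
    {"id": "s3://acme-tmp-exports", "type": "cloud-storage"},   # created ad hoc, never inventoried
    {"id": "i-0abc123",             "type": "cloud-server"},
    {"id": "LT-0042",               "type": "laptop"},
]

# The organization's own classification scheme (an assumption for this example).
VALID_CLASSIFICATIONS = {"public", "internal", "confidential"}


def reconcile(inventory, discovered):
    """Compare the inventory with what was discovered and return the gaps
    an asset owner or ISMS lead needs to act on."""
    inventoried = {a["id"] for a in inventory}
    found = {a["id"] for a in discovered}
    return {
        # Exists in the environment but nobody recorded it: unknown, unowned, unprotected.
        "uninventoried": sorted(found - inventoried),
        # Recorded but no longer found: decommissioned or moved; verify, then retire the entry.
        "stale": sorted(inventoried - found),
        # A.8.1.2: every inventoried asset must have an owner.
        "unowned": sorted(a["id"] for a in inventory if not a.get("owner")),
        # A.8.2.1: every inventoried asset must carry a valid classification.
        "unclassified": sorted(a["id"] for a in inventory
                               if a.get("classification") not in VALID_CLASSIFICATIONS),
    }


def draft_entries(discovered, inventory):
    """Create placeholder inventory rows for uninventoried assets so they enter
    the register immediately; owner and classification are left for triage."""
    inventoried = {a["id"] for a in inventory}
    return [
        {"id": a["id"], "type": a["type"], "owner": "", "classification": None,
         "status": "needs-triage"}
        for a in discovered if a["id"] not in inventoried
    ]


if __name__ == "__main__":
    report = reconcile(INVENTORY, DISCOVERED)
    for category, ids in report.items():
        print(f"{category:14s} {', '.join(ids) or '-'}")
    for row in draft_entries(DISCOVERED, INVENTORY):
        print("add to inventory:", row)
```

The `uninventoried` list is the class of problem behind an unprotected storage bucket nobody knew about: the fix is to get it into the register immediately (with a placeholder owner, which then shows up under `unowned` until someone is assigned) rather than wait for the next risk assessment. Run on a schedule and diffed against the previous run, this is the "update it periodically" step made concrete.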

Sprinto: Understand your asset management policy ISO 27001

For many, asset management is still one of the most difficult tasks to execute flawlessly.

There are many instances where businesses failed to secure open S3 buckets in AWS simply because they were unaware the buckets existed.

With Sprinto, businesses gain complete visibility of their cloud environments, account for every account spread across hundreds of cloud service providers, and deploy ISO 27001 controls so that every cloud asset is secured automatically.

Businesses can then spend the hundreds of work hours and thousands of dollars that manual ISO 27001 asset management would otherwise consume on building and scaling their business instead.

Talk to us today to breeze through your ISO certification compliance journey.

FAQs

What challenges are faced while implementing asset management under ISO 27001?

When implementing asset management under ISO 27001, the most common challenges include the classification of assets, determining the controls appropriate for each of the identified assets, and continuous monitoring of the effectiveness of controls.

What are some best practices for asset management?

Some best practices for asset management under ISO 27001 are: Updating asset inventory regularly, conducting risk assessments, monitoring assets for threats, documenting processes and ensuring compliance with standards.

What should be included in the asset management policy?

Asset management policy should have a scope of policy, definition of assets and other key terms, roles and responsibilities, procedures for asset management, procedures for enforcement and processes for reviewing implementation.

Vimal Mohan

Vimal is a Content Lead at Sprinto who masterfully simplifies the world of compliance for every day folks. When not decoding complex framework requirements and compliance speak, you can find him at the local MMA dojo, exploring trails on his cycle, or hiking. He blends regulatory wisdom with an adventurous spirit, navigating both worlds with effortless expertise
