Blog
sprinto angle right
ISO 27001
sprinto angle right
ISO 27001 Asset Management (Annex A.8) Explained

ISO 27001 Asset Management (Annex A.8) Explained

TL,DR:

ISO 27001 asset management under Annex A.8 requires identifying, classifying, and protecting all assets including information, people, hardware, software, services, and physical offices, each inventoried with designated owners.
Annex A.8 has three sub-controls: A.8.1 responsibility for assets (inventory, ownership, acceptable use, return), A.8.2 information classification with labeling and handling, and A.8.3 media handling for storage, transport, and destruction.
The asset inventory must include tangible assets like servers, laptops, and cloud servers, plus intangible ones like intellectual property, brand value, SaaS accounts, and database access.
Classification uses sensitivity buckets (public, internal, confidential, sensitive) to identify risks and define controls, with labeling applied for both accessibility and protection.
During an audit, the lead auditor reviews asset inventory and management to gauge ISMS performance, making a continuously updated asset register critical.

As per the definition and application of ISO 27001 asset management is a set of processes to identify and apply security measures to an organization’s assets. Seems straightforward, isn’t it? In the real world, it is pretty tricky.

Often organizations forget to identify and secure chunks of confidential Information stored at multiple sources. The cost of not securing even one of those assets could become too high. To effectively get started with asset management, we will be discussing all you need to know about the ISO 27001 Annex A.8 in this handy guide.

sprinto-flares
Understand what ISO 27001 Annex A.8 actually requires

We also have a customizable asset management template for you at the end! Let’s get started.

What are assets according to ISO 27001?

An ‘asset’ according to 2005’s revision of the ISO/IEC 27001 is anything that has value for the organization. Often when organizations think of making an inventory of assets, they think of tangible assets such as hardware, infra, and human resources and miss out on intangible assets such as human intellect, Intellectual Property, and brand.

An asset in an organization can be:

  • Information
  • Intangible assets – Brand, IP, loyalty
  • People – Employees, contractors, Freelancers, volunteers, Interns
  • Hardware- IT Servers, Laptops, Desktops, Cloud Servers, POS devices, mobile devices, and more.
  • Software- SaaS accounts, access to internal software,
  • Services – email, Access to the internal database 
  • Offices – Physical access to the office building, Off-site Processing Units, Warehouses, Server farms
Types of assets in organization

What is ISO 27001 asset management?

ISO 27001 asset management is the practice of identifying information assets of the organization, assessing the associated risks, and establishing security controls for protecting them. Asset management comes under Annex A.8.1 tracks and manages every organizational asset. Our ISO 27001 vulnerability management guide covers how to assess and remediate the vulnerabilities within these managed assets – connecting asset inventory to the vulnerability lifecycle.

ISO 27001 Annex A.8 – Asset Management

Annex A.8 locates assets and assigns responsibilities. Our ISO 27001 risk management policy guide covers how the risk policy documented under Clause 6.1.2 connects to Annex A.8 – ensuring asset risks are systematically assessed and treated. It outlines the security practices for different types of assets. To achieve ISO certification and ensure the best information security practices for the ISMS, asset management is a crucial step.

sprinto-flares
Turn Annex A.8 into an actionable asset management process

What is ISO 27001 asset management policy?

ISO 27001 asset management policy is a set of documented protocols for identifying the organization’s assets and managing them effectively to prevent unauthorized access or misuse.

The policy establishes guidelines for creating detailed inventory, assigning owners responsible for assets, controlling access to assets and processes for retrieving/return of assets. The purpose is to track and manage the lifecycle of assets from initial procurement to disposal.

What is the objective of Annex A 8 of ISO 27001:2013?

Annex A.8.1 talks about the responsibilities of an organization towards their assets, and it defines the scope of protection an organization should lay to secure them. Annex A.8.1 is an essential requirement of the Information Security Management Systems, especially for any business seeking to become ISO 27001 certified.

Let us take a deeper look at the requirements of this Annex:

A.8.1.1 Inventory of Assets

An inventory of an organization’s assets is essential to build an effective ISMS.

During an ISO 27001 audit, the lead auditor reviews asset inventory and management to determine the performance of an ISMS.
We’ve included a detailed section further along the article on how to build an Inventory of assets.

A.8.1.2 Ownership of Assets

Every asset that gets created within an organization must have an asset owner. The asset owner’s responsibility is to manage the asset in its lifecycle effectively. Asset ownership can range from an individual to an entire department of an organization.

If any asset owner (asset manager) is changed, it is best practice to document those changes.

A.8.1.3 Acceptable Use of Assets

Acceptable use of assets is commonly known as the” Acceptable Use Policy”. In your Acceptable Use Policy, ensure that you include not just your employees but also your freelancers, contractors, interns, volunteers, and other employment types (if any), and define the appropriate use of each information asset depending on their level of access to said assets. 

A.8.1.4 Return of Assets

Employees must return their hardware to the organization whenever they leave an organization, and their access to internal systems and third-party software must be revoked. In addition, the returned hardware and revoked access to the software must be documented and stored.

Any failed hardware-return instance should be flagged as a security incident, and measures to resolve that incident should be applied.  

Having a functioning ISO 27001 Asset Management policy is important for a strong ISMS. Organizations can use tools to ensure that all the assets an employee has access to get returned/revoked successfully.

A.8.2.1 Classification of information

A.8.2.1 Classification of information

The objective of Annex A.8.2.1 is to help organizations classify information based on sensitivity, business value, legal requirements, and the impact of unauthorized access or disclosure.

A simple classification model may include:

Classification levelWhat it meansExamples
PublicApproved for external sharingWebsite content, brochures, public policies
InternalMeant for employees or approved stakeholdersSOPs, internal documentation, team reports
ConfidentialSensitive business information that needs restricted accessCustomer contracts, financial data, employee records
RestrictedHighly sensitive information requiring strict controlsCredentials, encryption keys, regulated data, incident records

Organizations can define their own classification levels, but the model should be easy to apply. If the classification system is too simple, sensitive assets may not receive enough protection. If it is too complex, employees may ignore it or apply labels inconsistently.

The classification should determine how information is stored, accessed, shared, retained, and disposed of. For example, public website content may need limited controls, while customer data, credentials, or intellectual property should have defined ownership, restricted access, monitoring, and secure disposal rules.

A.8.2.2 Labelling of information

A.8.2.2 Labelling of information

Labelling applies the classification model in day-to-day work. Once information is classified, employees need a clear way to identify how it should be handled.

A labelling process should define:

  • the labels used for each classification level
  • where labels should appear on documents, systems, repositories, or physical media
  • which assets do not need labels
  • how labelled information can be shared internally and externally
  • who can change or remove a label
  • how employees should handle incorrectly labelled information

The labelling process should be practical. If employees need too many steps to label or share information, adoption will drop. The goal is to make secure handling visible and repeatable without slowing down normal work.

A.8.2.3 Handling of assets

Asset handling defines how each class of information or asset should be used, stored, transferred, and protected.

Handling rules should be based on the asset’s classification. For example, confidential customer information may require restricted access, encryption, approved storage locations, and monitored transfers. Public information may only need basic version control and publishing approval.

Your asset handling process should cover:

  • access restrictions based on classification
  • approved storage locations
  • rules for sharing information internally and externally
  • encryption requirements for sensitive data
  • logging of unauthorized access attempts
  • secure handling of customer data
  • requirements for physical and digital storage
  • procedures for reporting misuse, loss, or unauthorized access

If your organization processes customer data, maintain a data flow map that shows where the data is collected, stored, processed, transferred, and deleted. This gives auditors a clearer view of how sensitive information moves through the business and how it is protected.

A.8.3.1 Management of removable media

Removable media includes USB drives, external hard disks, memory cards, backup drives, and other portable storage devices. These assets increase the risk of data leakage because they can be lost, copied, or accessed outside managed systems.

Organizations should define when removable media is allowed and who can use it. Access should be limited to employees whose roles require it, and sensitive information stored on removable media should be encrypted.

A removable media policy should cover:

  • approved and prohibited media types
  • approval requirements before use
  • access restrictions
  • encryption requirements
  • storage and transport rules
  • logging and tracking of removable media
  • steps for reporting lost or stolen media
  • secure deletion or destruction after use

If removable media is no longer required, the data should be made unrecoverable through secure deletion, overwriting, encryption, or physical destruction.

A.8.3.2 Disposal of media

ISO 27001 A.8.3.2 Disposal of Media

Media disposal ensures that sensitive information is not exposed when physical or digital assets are retired, reused, transferred, or destroyed.

Before disposing of any media, organizations should check whether it contains confidential information, regulated data, credentials, business records, customer data, or licensed software. If it does, the data must be securely removed or destroyed before the media leaves the organization.

Secure disposal methods may include:

  • wiping or overwriting data
  • encryption followed by key destruction
  • physical destruction of storage media
  • certified disposal through an approved vendor
  • removal of physical or digital labels
  • documented disposal approval and verification

For audit readiness, maintain disposal records such as wiping logs, asset return checklists, destruction certificates, vendor confirmations, and approvals for retired assets.

A.8.3.3 Physical media transfer

Physical media transfer covers the movement of storage devices, documents, backup media, or equipment from one location to another. The goal is to protect information from unauthorized access, loss, damage, or tampering during transit.

When transferring physical media:

  • use a reliable courier or approved transport method
  • package the media to prevent physical damage
  • encrypt sensitive data before transfer
  • maintain a record of what was sent, when it was sent, and who received it
  • verify the contents and packaging when the media arrives
  • check for signs of tampering
  • require acknowledgement from the receiving party

For sensitive or regulated information, transfers should be approved in advance and logged. This gives the organization evidence that media was protected throughout the transfer process.

What are the four controls of asset management?

The makers of ISO 27001 have listed four controls designed to help businesses manage their assets.

The four controls for asset management:

  • Inventory of assets
  • Ownership of assets
  • Acceptable use of assets
  • Return of assets

Asset Management ensures that every asset (existing + New ones that get added) within an organization has:

  • A robust process to make their asset inventories
  • Assigned owners to ensure smooth management of each asset class
  • A defined process to implement access control
  • A defined asset retrieval policy (return policy)

With these four processes in place, businesses get full visibility of their asset universe and have complete control over each asset at every level. Without this visibility, it becomes impossible to maintain a secure ISMS (Information Security Management System). We discuss these processes and how businesses can implement them further in the article.

sprinto-flares
Operationalize inventory, ownership, acceptable use, and asset return in one workflow

Why is asset management ISO 27001 important for security management?

Asset Management directly influences information security. However, this influence could be negative when businesses don’t focus on implementing a robust asset management strategy. Here’s how:

When organizations perform ISO 27001 risk assessments, they usually examine their assets to identify risks, the risk each asset is exposed to, identify existing vulnerabilities and look for areas for improvement to include in their risk treatment plan.

As an organization, when you don’t know what you have, you will never deploy measures to secure it, and when you have vulnerable assets, chaos follows! The information security incident management is impacted.

How to build an asset inventory

An asset inventory is the foundation of ISO 27001 asset management. It helps the organization identify what assets exist, who owns them, where they are stored, how they are used, and which controls apply to them.

Start with the asset list created during your risk assessment, then validate it with each business function. Ask teams to document the hardware, software, cloud systems, data stores, physical assets, third-party tools, and information assets they use.

A useful asset inventory should include:

  • asset name and description
  • asset type, such as hardware, software, information, people, services, or cloud resources
  • asset owner
  • department or business function
  • location or system of record
  • classification level
  • access permissions
  • related suppliers or dependencies
  • associated risks
  • lifecycle status, such as active, retired, transferred, or disposed
  • review date and next review owner

The inventory should be reviewed periodically and updated whenever assets are added, transferred, retired, or disposed of. Aligning the asset inventory review with the risk assessment cycle is a good practice because it keeps asset ownership, classification, and risk treatment current.

Who should be the asset owner?

Every asset in an organization should have a designated asset owner. And the owner of a certain asset should manage it daily.

For example

For shared assets like cloud services, the overall ownership of the service should belong to the CTO (Chief Technology Officer) or the CISO (Chief Information Security Officer), while for files created and used by employees within the cloud account, the file’s creator should be the owner. 

It is the responsibility of asset Owners to ensure that their assets are:

  • Accounted for (inventoried)
  • Classified(an appropriate level of security is provided based on classification)
  • Subject to controls and security measures, 
  • Destroyed safely and securely
ISO 27001 asset owners

Sprinto: Understand your asset management policy ISO 27001

For many, asset management is still one of the most difficult tasks to execute flawlessly. There are many instances where businesses missed out on securing their Open S3 buckets in AWS because they were unaware of its existence.

With Sprinto, businesses can now gain complete visibility of their cloud environments and account for every one of their accounts spread across hundreds of cloud service providers. And deploy ISO 27001 controls to ensure that every cloud asset is secured automatically.

With this, businesses can spend those 100s of work hours and 1000s of dollars on ISO 27001 asset management to build and scale their business instead.

sprinto-flares
Automate asset visibility, ownership tracking, and audit-ready evidence with Sprinto

Frequently asked questions

When implementing asset management under ISO 27001, the most common challenges include the classification of assets, determining the controls appropriate for each of the identified assets, and continuous monitoring of the effectiveness of controls.

Some best practices for asset management under ISO 27001 are: Updating asset inventory regularly, conducting risk assessments, monitoring assets for threats, documenting processes and ensuring compliance with standards.

Asset management policy should have a scope of policy, definition of assets and other key terms, roles and responsibilities, procedures for asset management, procedures for enforcement and processes for reviewing implementation.

Vimal Mohan
Author

Vimal Mohan

Vimal is a Content Lead at Sprinto who masterfully simplifies the world of compliance for every day folks. When not decoding complex framework requirements and compliance speak, you can find him at the local MMA dojo, exploring trails on his cycle, or hiking. He blends regulatory wisdom with an adventurous spirit, navigating both worlds with effortless expertise
Tired of fluff GRC and cybersecurity content? Subscribe to our newsletter and get detailed
research & insights curated to help you earn a seat at the table.
single-blog-footer-img