How Do You Meet the Asset Management Requirements of IS0 27001?

|
|
|
PUBLISHED on
19
July
2022

In order to meet the requirements of ‘Asset management’ A.8 from Annex A of ISO 27001, it is necessary to identify organisational assets and define appropriate protection responsibilities, as well as ensuring that information receives an appropriate level of protection in accordance with its importance to the organisation.

Establishing Asset Registers

When compiling your asset registers or inventories, it is recommended that you record the following information for each information asset:

  • Asset type
  • Asset owner
  • Asset classification
  • Asset location
  • Asset impact levels in relation to confidentiality, integrity and availability

Establishing Asset Types

URM suggests the following basic segregation of assets:

  • Information assets
  • Supporting assets
    –  hardware
    –  software
    –  people
    –  buildings
  • Intangible assets (e.g., brand and reputation).

Identifying Asset Owners

In the process of identifying asset owners, it is important to identify a functional role that has oversight of specific types of assets.  

Asset owners are responsible for:

  • Identifying risks to the asset type
  • Providing guidance and instructions on how the asset should be used.
  • Identifying levels of protection required depending on the asset classification.
  • Implementing and verifying the effectiveness of security controls in respect of that asset type.

Assigning Asset Classifications

Depending on the organisational structure, it would typically be the asset owner who would decide asset classification.  The classification must be approved by top management and the criteria for protection of assets must be in line with their criticality.

Assigning Impact Levels

As with classification, impact levels need to be assigned by the asset owner.  Determining the impact levels of assets can be relatively complex, but in essence, the impact level will be inherited by the information contained on or within the asset.

Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification
Thumbnail of the Blog Illustration
Information Security
Published on
19/4/2024
Planning Your ISO 27001 Audit Programme

URM’s blog drills down into ISO 27001 audits, offering advice on how to effectively develop and implement an ISO 27001 conformant audit programme.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
27/7/2022
What are the Basics of Internal Auditing?

With this blog, the spotlight turns to internal audit and specifically in the context of ISO 27001, the International Standard for ISM.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
3/7/2025
ISO 27001:2022 - A.5 Organisational Controls (Incident Management)

URM’s blog breaks down the six incident management-related controls in Annex A of ISO 27001, providing key guidance on how to implement each control.

Read more
Cyber security has never been higher on our agenda. We’re very pleased to have gained our Cyber Essentials Plus Certification. We are committed to providing the most secure and robust solutions to our customers and partners. This certification helps to demonstrate this commitment – through independent vulnerability testing and to test the awareness of information security across our teams. We’re very pleased with the support and expertise provided by URM.
Speech Technologies Provider
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.