How Do You Meet the Asset Management Requirements of IS0 27001?
Latest update:
19 Jul
2022
In order to meet the requirements of ‘Asset management’ A.8 from Annex A of ISO 27001, it is necessary to identify organisational assets and define appropriate protection responsibilities, as well as ensuring that information receives an appropriate level of protection in accordance with its importance to the organisation.
Establishing Asset Registers
When compiling your asset registers or inventories, it is recommended that you record the following information for each information asset:
- Asset type
- Asset owner
- Asset classification
- Asset location
- Asset impact levels in relation to confidentiality, integrity and availability
Establishing Asset Types
URM suggests the following basic segregation of assets:
- Information assets
- Supporting assets
– hardware
– software
– people
– buildings - Intangible assets (e.g., brand and reputation).
Identifying Asset Owners
In the process of identifying asset owners, it is important to identify a functional role that has oversight of specific types of assets.
Asset owners are responsible for:
- Identifying risks to the asset type
- Providing guidance and instructions on how the asset should be used.
- Identifying levels of protection required depending on the asset classification.
- Implementing and verifying the effectiveness of security controls in respect of that asset type.
Assigning Asset Classifications
Depending on the organisational structure, it would typically be the asset owner who would decide asset classification. The classification must be approved by top management and the criteria for protection of assets must be in line with their criticality.
Assigning Impact Levels
As with classification, impact levels need to be assigned by the asset owner. Determining the impact levels of assets can be relatively complex, but in essence, the impact level will be inherited by the information contained on or within the asset.
find OUT more on:
How URM can help?
Consultancy
Your ISO 27001 auditing programme
Having been involved in over 350 successful ISO 27001 certifications, URM is ideally placed to advise you on the essential activities and tasks you will need to carry out in order to maintain and improve your ISO 27001 auditing function and programme
Read more
Consultancy
Do you need any help with ISO 27001 certificate?
URM can help you get ISO 27001 certification
Read more
Consultancy
Preparing for and conducting internal ISO 27001 audits
URM can help you with ISO 27001 audit
Read more
URM’s consultants have assisted over 350 organisations achieve and maintain certification to ISO 27001.
Find out more
related BLog posts
Information Security
updateD:
8/8/2022
How do you Identify and Then Manage Your ISMS Scope?When you are looking at the processes associated with managing the security of your organisation’s information assets, there are a number of occasions where you will need to consider the scope of...
Read more
Information Security
updateD:
4/10/2022
Should You Start Your ISO 27001 Programme with a Gap Analysis or a Risk Assessment?The answer depends on your goals and knowledge of your current position. This blog will look at which is best and when.
Read more
Information Security
updateD:
8/8/2022
How Do You Gain Top Management Commitment?In previous blogs, we have tackled a number of fundamental ISO 27001 components. In this blog, we’ll take a look at management commitment, one of the most significant.
Read more
"
Without doubt, URM helped us to achieve our planned objectives a lot sooner than expected. The engagement was a huge success and couldn’t have gone any better.
Group IT Director, UK Mail
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.
