Governance, Risk Management and Compliance
|
Information Security
|
ISO 27001
BLOGS

How Do You Meet the Asset Management Requirements of IS0 27001?

|
|
|
TRENDING
PUBLISHED on
19
July
2022
Table of contents
SUMMARY

In order to meet the requirements of ‘Asset management’ A.8 from Annex A of ISO 27001, it is necessary to identify organisational assets and define appropriate protection responsibilities, as well as ensuring that information receives an appropriate level of protection in accordance with its importance to the organisation.

Establishing Asset Registers

When compiling your asset registers or inventories, it is recommended that you record the following information for each information asset:

  • Asset type
  • Asset owner
  • Asset classification
  • Asset location
  • Asset impact levels in relation to confidentiality, integrity and availability

Establishing Asset Types

URM suggests the following basic segregation of assets:

  • Information assets
  • Supporting assets
    –  hardware
    –  software
    –  people
    –  buildings
  • Intangible assets (e.g., brand and reputation).

Identifying Asset Owners

In the process of identifying asset owners, it is important to identify a functional role that has oversight of specific types of assets.  

Asset owners are responsible for:

  • Identifying risks to the asset type
  • Providing guidance and instructions on how the asset should be used.
  • Identifying levels of protection required depending on the asset classification.
  • Implementing and verifying the effectiveness of security controls in respect of that asset type.

Assigning Asset Classifications

Depending on the organisational structure, it would typically be the asset owner who would decide asset classification.  The classification must be approved by top management and the criteria for protection of assets must be in line with their criticality.

Assigning Impact Levels

As with classification, impact levels need to be assigned by the asset owner.  Determining the impact levels of assets can be relatively complex, but in essence, the impact level will be inherited by the information contained on or within the asset.

Learn more
Learn more
Learn more

Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification
Recent blogs
Artificial Intelligence Frameworks and Regulations: ISO 42001, the NIST AI RMF and the EU AI Act
Certifying to ISO 27001: Key Tips for Success and Common Pitfalls to Avoid
ISO 27001 Clause 7.5: Documented Information Explained
Common Issues Identified During Audits of ISO 27001:2022
ISO 27001 Clause 9.1: Monitoring, Measurement, Analysis and Evaluation Explained
How URM can help?
Consultancy
Planning for ISO 42001, the EU AI Act, or broader AI risk frameworks?

A short, free, non‑commitment call can help you clarify scope, understand regulatory expectations, and align your approach across standards such as ISO 42001 and NIST AI RMF. Early guidance often saves time and avoids fragmented compliance efforts.

Read more
Consultancy
Developing or reviewing your AI management framework?

Whether you are at an early planning stage or preparing for audit and assurance activities, we offer a free introductory call to help you assess risks, responsibilities, and the most proportionate route forward.

Read more
Consultancy
Unsure how to approach SOC 2 or where to focus first?

You do not need a fully defined programme to start the conversation. We offer a free, no‑obligation call to help you understand SOC 2 requirements, assess your current position, and identify practical next steps.

Read more
URM holds free seminars and webinars for end-user organisations focusing on information security.
Find out more
related BLog posts
Thumbnail of the Blog Illustration
Information Security
Published on
21/7/2022
ISO 27002:2022 Update

The purpose of ISO 27002 is to provide organisations with guidance on selecting, implementing and managing information security controls.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
1/4/2026
ISO 27001 Clause 9.1: Monitoring, Measurement, Analysis and Evaluation Explained

URM’s blog explores ISO 27001 Clause 9.1, what it requires and practical guidance on how to implement this Clause in full conformance with the Standard.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
27/7/2022
Risk Management – What is it and What Role Does it Play in ISO 27001?

We are going to explore why the focus on a risk-based approach has helped turn ISO 27001, the International ISM Standard, into such a world-beater.

Read more
"
Leanr more about
URM Services
URM has guided us through the Cyber Essentials and Cyber Essentials Plus certifications for the past couple of years. The process has always been straightforward and well-structured, providing us with a clear roadmap to enhance our cybersecurity posture. Achieving these certifications has focused our efforts and significantly boosted our confidence in our security measures, reassuring our clients and stakeholders of our commitment to protecting their data. The rigorous assessment for Cyber Essentials Plus gave us an in-depth understanding of our vulnerabilities and how to address them effectively.
Bollin Group
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.