Governance, Risk Management and Compliance
|
Information Security
|
ISO 27001
BLOGS

How Do You Meet the Asset Management Requirements of IS0 27001?

|
|
|
TRENDING
PUBLISHED on
19
July
2022
Table of contents
SUMMARY

In order to meet the requirements of ‘Asset management’ A.8 from Annex A of ISO 27001, it is necessary to identify organisational assets and define appropriate protection responsibilities, as well as ensuring that information receives an appropriate level of protection in accordance with its importance to the organisation.

Establishing Asset Registers

When compiling your asset registers or inventories, it is recommended that you record the following information for each information asset:

  • Asset type
  • Asset owner
  • Asset classification
  • Asset location
  • Asset impact levels in relation to confidentiality, integrity and availability

Establishing Asset Types

URM suggests the following basic segregation of assets:

  • Information assets
  • Supporting assets
    –  hardware
    –  software
    –  people
    –  buildings
  • Intangible assets (e.g., brand and reputation).

Identifying Asset Owners

In the process of identifying asset owners, it is important to identify a functional role that has oversight of specific types of assets.  

Asset owners are responsible for:

  • Identifying risks to the asset type
  • Providing guidance and instructions on how the asset should be used.
  • Identifying levels of protection required depending on the asset classification.
  • Implementing and verifying the effectiveness of security controls in respect of that asset type.

Assigning Asset Classifications

Depending on the organisational structure, it would typically be the asset owner who would decide asset classification.  The classification must be approved by top management and the criteria for protection of assets must be in line with their criticality.

Assigning Impact Levels

As with classification, impact levels need to be assigned by the asset owner.  Determining the impact levels of assets can be relatively complex, but in essence, the impact level will be inherited by the information contained on or within the asset.

Learn more
Learn more
Learn more

Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification
Recent blogs
Cyber Security and the Board: A Sign of What’s to Come
Data Protection Interpretation Affirmed by the Court of Appeal in DSG Retail Case
Information Security Risk Assessment and Treatment: Understanding Relevant Risks
Managing DSARs and Other Data Subject Rights
NHS Cyber Security Open Letter: What Does it Mean for Suppliers?
How URM can help?
Consultancy
Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification

Read more
Consultancy
Assess Your DORA Compliance Readiness

Unsure whether your ICT risk framework meets DORA standards? Our experts will carry out a detailed gap analysis and provide clear, prioritised steps to help you achieve full compliance.

Read more
Consultancy
Understand the 5 Pillars of DORA

Our consultants will evaluate your organisation against DORA’s core requirements. Gain practical insights to strengthen your digital resilience and meet regulatory expectations.

Read more
We will ensure you never become a ‘slave to the Standard’ and your ISMS is something which can easily be maintained and improved.
Find out more
related BLog posts
Thumbnail of the Blog Illustration
Information Security
Published on
27/7/2022
Difference Between Certified and Compliant ISO 27001 ISMS

There is some confusion about the difference between having an ISMS which is certified to ISO 27001 and one which is compliant or aligned to the Standard.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
9/5/2025
ISO 27001:2022 - A.5 Organisational Controls (Access Management)

URM’s blog explores why the access controls in ISO 27001 matter, and how to implement each control in full conformance with both the Standard and best practice.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
10/7/2023
ISO 27001 vs SOC 2 - Part 3

3rd part of question and answer session where URM compared and contrasted 2 of the world’s leading information security standards, ISO 27001 and SOC 2.

Read more
"
Leanr more about
URM Services
Our experience with URM was all around great and seamless, starting with our account manager who organised everything and was very accommodating, working around our schedule and fitting us in as soon as we wanted. This continued with our assessor for the CE questionnaire part; he was very helpful, taking the time to explain some aspects that were a bit unclear to me and guiding me the whole way through. The same was true of our assessor for the CE+, who took the time to answer any questions I had beforehand and guide me through elements that I was unfamiliar with. During the assessment, he was very helpful, made the process very easy and guided me through some points that needed some additional set up in order to ensure a successful process. This was our first year working with URM and I am sure we’ll be talking again next year. Thank you for all your help!
Orpheus Cyber
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.