
Understanding Information Assets
In order to meet the requirements of ‘Asset Management’ A.8 from Annex A of ISO 27001, it is necessary to identify organisational assets and define appropriate protection responsibilities as well as ensuring that information receives an appropriate level of protection in accordance with its importance to the organisation.
URM can advise you how to best meet those requirements but here are the key activities involved in achieving best practice asset management.
Our whitepaper provides more details and examples on how to conduct the different activities.
Establishing Asset Registers
When compiling your asset registers or inventories, it is recommended that you record the following information for each information asset
- Asset type
• Asset owner
• Asset classification
• Asset location
• Asset impact levels in relation to confidentiality, integrity and availability
Establishing Asset Types
URM suggests the following basic segregation of assets
- Information assets
- Supporting assets
- Hardware
- Software
- People
- Buildings
- Intangible assets (e.g. brand and reputation)
More information on how to identify assets and types can be found in our whitepaper.
Identifying Asset Owners
In the process of identifying asset owners, it is important to identify a functional role that has oversight of specific types of assets.
Asset owners are responsible for:
- Identifying risks to the asset type
- Providing guidance and instructions on how the asset should be used.
- Identifying levels of protection required depending on the asset classification.
- Implementing and verifying the effectiveness of security controls in respect of that asset type.
Assigning Asset Classifications
Depending on the organisational structure, it would typically be the asset owner who would decide asset classification. The classification must be approved by top management and the criteria for protection of assets must be in line with their criticality.
More information on achieving the optimum classification of assets can be found in our whitepaper.
Assigning Impact Levels
As with classification, impact levels need to be assigned by the asset owner. Determining the impact levels of assets can be relatively complex, but in essence, the impact level will be inherited by the information contained on or within the asset.
Our whitepaper provides further information on assessing impact levels.
More about ISO 27001
Consultancy Services
About URM
URM is dedicated to providing high quality, cost-effective and tailored consultancy and training in the areas of information security, data protection, business continuity and risk management.
Our office is open 08:00 – 17:30 Monday to Friday.
Email: info@urmconsulting.com
Phone : +44 (0)118 206 5410
Download the A Practical Guide to Understanding
and Managing Your Information Assets
The Whitepaper is a complete guide of the following and much more:
- Information asset incorporate information security governance
- Identifying assets
- Identifying asset owner
- Asset classification
- Impact levels
- Documenting assets