How Do You Meet the Asset Management Requirements of IS0 27001?
PUBLISHED on
19 Jul
2022
Table of Contents
In order to meet the requirements of ‘Asset management’ A.8 from Annex A of ISO 27001, it is necessary to identify organisational assets and define appropriate protection responsibilities, as well as ensuring that information receives an appropriate level of protection in accordance with its importance to the organisation.
Establishing Asset Registers
When compiling your asset registers or inventories, it is recommended that you record the following information for each information asset:
- Asset type
- Asset owner
- Asset classification
- Asset location
- Asset impact levels in relation to confidentiality, integrity and availability
Establishing Asset Types
URM suggests the following basic segregation of assets:
- Information assets
- Supporting assets
– hardware
– software
– people
– buildings - Intangible assets (e.g., brand and reputation).
Identifying Asset Owners
In the process of identifying asset owners, it is important to identify a functional role that has oversight of specific types of assets.
Asset owners are responsible for:
- Identifying risks to the asset type
- Providing guidance and instructions on how the asset should be used.
- Identifying levels of protection required depending on the asset classification.
- Implementing and verifying the effectiveness of security controls in respect of that asset type.
Assigning Asset Classifications
Depending on the organisational structure, it would typically be the asset owner who would decide asset classification. The classification must be approved by top management and the criteria for protection of assets must be in line with their criticality.
Assigning Impact Levels
As with classification, impact levels need to be assigned by the asset owner. Determining the impact levels of assets can be relatively complex, but in essence, the impact level will be inherited by the information contained on or within the asset.
find OUT more on:
How URM can help?
Consultancy
Book FREE Consultation
URM is pleased to provide a FREE consultation on Transitioning to ISO 27001:2022 for any UK-based organisation.
Read more
Consultancy
Do you need any help with ISO 27001 certificate?
URM can help you achieve ISO 27001 certification
Read more
Consultancy
ISO 27002:2022 Support
URM can provide a range of ISO 27002:2022 transition services including conducting a gap analysis, supporting you with risk assessment and treatment activities as well as delivering a 2-day transition training course.
Read more
URM is renowned for helping organisations to achieve the optimum balance when implementing an ISMS.
Find out more
related BLog posts
Information Security
Published on
1/2/2024
What is the CIA Security Triad? Confidentiality, Integrity and Availability ExplainedURM’s blog explains how the principles of confidentiality, integrity and availability (CIA) can help align your information security controls with best practice
Read more
Information Security
Published on
27/7/2022
What is the Difference Between IT and Information Governance?In this blog, we are going to look at governance. We are regularly asked, ‘is information governance the same as IT governance?’
Read more
Information Security
Published on
18/7/2022
Key Things You Should Know About ISO 27001ISO 27001 is a standard for Information Security Management that provides any organisation with a framework to protect most valuable assets.
Read more
It was really interesting and well delivered, thank you.
Webinar 'ISO 27001:2022 – What’s new?'
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.
