How to handle Asset register (Asset inventory) according to ISO 27001
Unfortunately, if you already developed a fixed asset register, it is not going to be enough to be compliant with ISO 27001 – the concept of asset inventory (sometimes called the asset register) in information security is quite different from the concept of the fixed asset register in accounting.
What are assets according to ISO 27001?
First, let’s clarify what assets means in the context of ISO 27001 – funny enough, neither the new 2013 revision of ISO/IEC 27001, nor the 2014 revision of ISO/IEC 27000 gives a definition of assets, but the 2005 revision of ISO/IEC 27001 defines an asset as “anything that has value to the organization.”
Since ISO 27001 focuses on preservation of confidentiality, integrity and availability of information, this means that assets can be:
- Hardware – e.g. laptops, servers, printers, but also mobile phones or USB memory sticks.
- Software – not only the purchased software, but also freeware.
- Information – not only in electronic media (databases, files in PDF, Word, Excel, and other formats), but also in paper and other forms.
- Infrastructure – e.g. offices, electricity, air conditioning – because those assets can cause lack of availability of information.
- People are also considered assets because they also have lots of information in their heads, which is very often not available in other forms.
- Outsourced services – e.g. legal services or cleaning services, but also online services like Dropbox or Gmail – it is true that these are not assets in the pure sense of the word, but such services need to be controlled very similarly to assets, so they are very often included in the asset management.
Why are assets important for information security management?
There are two reasons why managing assets is important:
1) Assets are usually used to perform the risk assessment – although not mandatory by ISO 27001:2013, assets are usually the key element of identifying risks, together with threats and vulnerabilities. See also ISO 27001 risk assessment & treatment – 6 basic steps.
2) If the organization doesn’t know who is responsible for which asset, chaos would ensue – defining asset owners and assigning them the responsibility to protect the confidentiality, integrity and availability of the information is one of the fundamental concepts in ISO 27001.
This is why ISO 27001:2013 requires the following: an inventory of assets needs to be developed (A.8.1.1), owners of the assets need to be nominated (A.8.1.2), and acceptable use of assets must be defined (A.8.1.3).
How to build an asset inventory?
If you didn’t develop your asset inventory previously, the easiest way to build it is during the initial risk assessment process (if you have chosen the asset-based risk assessment methodology), because this is when all the assets need to be identified, together with their owners.
The best way to build asset inventory is to interview the head of each department, and list all the assets a department uses. The easiest is the “describe-what-you-see” technique – basically, ask this person e.g. to list all the software that he or she sees that are installed on the computer, all the documents in their folders and file cabinets, all the people working in the department, all the equipment seen in their offices, etc.
Of course, if you already do have some existing asset inventories (e.g. fixed asset register, employee list, licensed software list, etc.), then you don’t have to duplicate those lists – the best would be to refer to your other lists from your information security Asset register.
ISO 27001 does not prescribe which details must be listed in the asset inventory – you can list only the asset name and its owner, but you can also add some other useful information, like asset category, its location, some notes, etc.
Building the asset register is usually done by the person who coordinates the ISO 27001 implementation project – in most cases, this is the Chief Information Security Officer, and this person collects all the information and makes sure that the inventory is updated.
Who should be the asset owner?
The owner is normally a person who operates the asset and who makes sure the information related to this asset is protected. For instance, an owner of a server can be the system administrator, and the owner of a file can be the person who has created this file; for the employees, the owner is usually the person who is their direct supervisor.
For similar assets used by many people (such as laptops or mobile phones), you can define that an asset owner is the person using the asset, and if you have a single asset used by many people (e.g. an ERP software), then an asset owner can be a member of the board who has the responsibility throughout the whole organization – in this case of ERP, this could be the Chief Information Officer.
So, the point is – building an asset register can seem like a bureaucratic job with not much practical use, but the truth is that listing assets helps clarify what is it valuable in your company and who is responsible for it. And, without knowing what you have and who is in charge, don’t even think that you will be able to protect your information.
Click here to register for a free webinar The basics of risk assessment and treatment according to ISO 27001.