
How to handle Asset register (Asset inventory) according to ISO 27001

Author: Dejan Kosutic

Unfortunately, if you have already developed a fixed asset register, it will not be enough for ISO 27001 compliance: the concept of an asset inventory (sometimes called the asset register) in information security is quite different from the fixed asset register used in accounting.

What are assets according to ISO 27001?

First, let’s clarify what “asset” means in the context of ISO 27001. Oddly enough, neither the 2013 revision of ISO/IEC 27001 nor the 2014 revision of ISO/IEC 27000 defines the term, but the 2005 revision of ISO/IEC 27001 defined an asset as “anything that has value to the organization.”

Since ISO 27001 focuses on preserving the confidentiality, integrity and availability of information, assets can be:

  • Hardware – e.g. laptops, servers and printers, but also mobile phones and USB memory sticks.
  • Software – not only purchased software, but also freeware.
  • Information – not only on electronic media (databases, files in PDF, Word, Excel and other formats), but also on paper and in other forms.
  • Infrastructure – e.g. offices, electricity and air conditioning, because a failure of these assets makes information unavailable.
  • People – they also count as assets, because they hold a lot of information in their heads that very often exists in no other form.
  • Outsourced services – e.g. legal or cleaning services, but also online services such as Dropbox or Gmail. Strictly speaking these are not assets, but they need to be controlled in much the same way, so they are very often included in asset management.

Why are assets important for information security management?

There are two reasons why managing assets is important:

1) Assets are usually used to perform the risk assessment – although ISO 27001:2013 does not mandate it, assets are usually the key element in identifying risks, together with threats and vulnerabilities. See also ISO 27001 risk assessment & treatment – 6 basic steps.

2) If the organization does not know who is responsible for which asset, chaos ensues – defining asset owners and making them responsible for protecting the confidentiality, integrity and availability of the information is one of the fundamental concepts of ISO 27001.

This is why ISO 27001:2013 requires the following: an inventory of assets must be developed (control A.8.1.1), owners must be nominated for the assets (A.8.1.2), and acceptable use of assets must be defined (A.8.1.3).

How to build an asset inventory?

If you have not developed an asset inventory before, the easiest way to build it is during the initial risk assessment (if you have chosen an asset-based risk assessment methodology), because that is when all assets have to be identified, together with their owners.

The best way to build the inventory is to interview the head of each department and list all the assets the department uses. The easiest technique is “describe what you see”: ask the person to list all the software installed on their computer, all the documents in their folders and file cabinets, all the people working in the department, all the equipment in their offices, and so on.

Of course, if you already have some existing inventories (e.g. a fixed asset register, an employee list, a licensed software list), you do not need to duplicate them; it is best to refer to those lists from your information security asset register.

ISO 27001 does not prescribe which details must be listed in the asset inventory: you can list only the asset name and its owner, but you can also add other useful information, such as asset category, location, notes, etc.

Building the asset register is usually done by the person who coordinates the ISO 27001 implementation project, in most cases the Chief Information Security Officer; this person collects all the information and makes sure the inventory is kept up to date.

Who should be the asset owner?

The owner is normally a person who operates the asset and who makes sure the information related to it is protected. For instance, the owner of a server can be the system administrator, the owner of a file can be the person who created it, and for employees the owner is usually their direct supervisor.

For similar assets used by many people (such as laptops or mobile phones), you can define the asset owner as the person using the asset; for a single asset used by many people (e.g. ERP software), the owner can be a member of the board with responsibility across the whole organization. For an ERP system this could be the Chief Information Officer.
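As an added example (not Advisera’s tooling and not part of the original article), the following Python script assembles a minimal asset register from three lists an organization typically already keeps, as described in the “How to build an asset inventory?” section above: it refers back to those lists by reference instead of copying their details, applies the ownership defaults from this section (the user for a per-user device, the supervisor for a person, a board-level role for one system used by everyone), and reports the entries that would fail an A.8.1.1/A.8.1.2 review because no owner is assigned or an entry is duplicated. The sample lists, field names and role names (cio, sysadmin) are constructed assumptions.

```python
"""ISO 27001 asset register assembled from lists an organization already keeps.

Added example, not Advisera's or ISO's tooling. The sample lists, the field
names and the ownership defaults are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Asset types named in the article; "service" stands for outsourced services.
CATEGORIES = {"hardware", "software", "information", "infrastructure", "people", "service"}


@dataclass
class Asset:
    name: str
    category: str
    owner: Optional[str]          # who protects the information tied to this asset
    location: str = ""
    ref: str = ""                 # pointer into the existing register; details stay there
    notes: str = ""


# Constructed extracts of three registers the organization already has.
FIXED_ASSET_REGISTER = [   # accounting: devices, with the user they were issued to
    {"id": "FA-0101", "description": "Laptop Dell 5420", "issued_to": "a.novak", "site": "Frankfurt"},
    {"id": "FA-0102", "description": "Laptop Dell 5420", "issued_to": "", "site": "Frankfurt"},
    {"id": "FA-0200", "description": "Database server DB-01", "issued_to": "", "site": "DC-1"},
]
EMPLOYEE_LIST = [          # HR: people and their direct supervisor
    {"login": "a.novak", "department": "Finance", "supervisor": "m.weber"},
    {"login": "m.weber", "department": "Finance", "supervisor": "ceo"},
]
LICENSED_SOFTWARE = [      # licence list: scope tells whether one person or everyone uses it
    {"product": "ERP suite", "scope": "organization", "administrator": "erp-admin"},
    {"product": "PDF editor", "scope": "user", "administrator": ""},
]

# Assumed role name for the article's rule that a single system used by the
# whole organization is owned by a board-level role (the article suggests the CIO).
BOARD_LEVEL_OWNER = "cio"


def build_inventory(fixed_assets, employees, software, overrides: Dict[str, str]) -> List[Asset]:
    """Merge the existing lists into one register and apply explicit owner overrides.

    `overrides` maps an asset ref to an owner, for shared assets the source
    lists cannot assign by themselves (e.g. a server with no issued_to user).
    """
    inventory: List[Asset] = []
    for r in fixed_assets:   # per-user device: the user is the owner; unassigned stays open
        inventory.append(Asset(r["description"], "hardware", r["issued_to"] or None,
                               r["site"], ref=f"fixed-assets:{r['id']}"))
    for e in employees:      # person: the direct supervisor is the owner
        inventory.append(Asset(e["login"], "people", e["supervisor"],
                               e["department"], ref=f"hr:{e['login']}"))
    for s in software:       # org-wide system: board-level role; otherwise the administrator
        owner = BOARD_LEVEL_OWNER if s["scope"] == "organization" else (s["administrator"] or None)
        inventory.append(Asset(s["product"], "software", owner,
                               ref=f"licences:{s['product']}", notes=f"scope={s['scope']}"))
    for a in inventory:
        if a.ref in overrides:
            a.owner = overrides[a.ref]
    return inventory


def find_gaps(inventory: List[Asset]) -> List[str]:
    """Return one message per entry that would fail A.8.1.1/A.8.1.2 review:
    unknown category, no owner assigned, or a ref listed twice (duplicated entry)."""
    gaps: List[str] = []
    seen = set()
    for a in inventory:
        if a.category not in CATEGORIES:
            gaps.append(f"{a.ref}: unknown category {a.category!r}")
        if not a.owner:
            gaps.append(f"{a.ref}: no owner assigned ({a.name})")
        if a.ref in seen:
            gaps.append(f"{a.ref}: duplicate entry")
        seen.add(a.ref)
    return gaps


if __name__ == "__main__":
    overrides = {"fixed-assets:FA-0200": "sysadmin"}   # shared server: operated by the sysadmin
    register = build_inventory(FIXED_ASSET_REGISTER, EMPLOYEE_LIST, LICENSED_SOFTWARE, overrides)
    for a in register:
        print(f"{a.ref:28} {a.category:9} owner={a.owner or '-':10} {a.name}")
    for g in find_gaps(register):
        print("GAP:", g)
```

With the sample data, the run leaves two open findings: the laptop FA-0102 that was never issued to anyone and the per-user PDF editor with no administrator recorded. Both are exactly the cases the interview with the department head has to resolve; the script only makes them visible, it cannot decide who the owner is.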

Read also Risk owners vs. asset owners in ISO 27001:2013.

So, the point is: building an asset register can look like a bureaucratic job with little practical use, but listing assets helps clarify what is valuable in your company and who is responsible for it. Without knowing what you have and who is in charge, you cannot hope to protect your information.


7 responses to “How to handle Asset register (Asset inventory) according to ISO 27001”

  1. Jones Jardel Poersch says:

    Dejan, what do you usually see in risk assessment regarding user’s workstations/laptops considering the list of these devices in the risk assessment sheet? Usually the companies register many laptops or groups of them respecting their values or only one asset for all?

  2. Yoni Rubin says:

    Dejan, is an organization expected to literally keep track of every digital file and its owner? Even small startups probably have thousands of files that would be impossible to log, so I can’t imagine an enterprise having to do it.

  3. Paul says:

    Dejan,

    ISO 27001:2013 reads: “Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.” ISO 27002:2013 gives further guidance on what is meant with “facilities” and says under section 8.1.4: “In cases where an employee or external party user purchases the organization’s equipment or uses their own personal equipment, procedures should be followed to ensure that all relevant information is transferred to the organization and securely erased from the equipment.”
    Meaning that there should not be an inventory of the hardware (e.g. hard disks, servers, etc.), and not the information that is stored on this hardware.

    I do agree with your final conclusion that without knowing what valuable information you have (the intangible assets) and who is in charge of the protection, an organisation won’t be able to protect this information. But ISO 27000 does not require this, which I see as a shortcoming. Or did I overlook something?

    Paul

    • First of all, ISO 27002, or any other standard such as ISO 27005, is not mandatory, so you have to read carefully what ISO 27001 really requires. And ISO 27001 does require information processing facilities to be listed – in my view it is hard to imagine that hardware is not included in this requirement.

      If you do want to read consultative documents, then the situation is as follows: ISO 27002 clause 8.1.1 Inventory of assets clearly says that examples of assets can be found in ISO 27005. ISO 27005 lists hardware among other types of assets.
