One of the key compliance requirements of ISO 27001 is to create an asset inventory. This is a list of information assets that an organisation owns, including fixed assets such as property and equipment, as well as intangible assets such as personal data.
Creating such an inventory is essential for managing assets and, by extension, mitigating against information security risks.
ISO 27001 outlines how organisations can develop an asset inventory in control A.8.1.1 of Annex A.
This blog explains what you need to know about the process, helping you understand everything from what an asset is to the steps you should take to create an asset inventory.
What are assets according to ISO 27001?
ISO 27001 defines an asset as any valuable location within an organisation’s systems where sensitive information is stored, processed or accessible.
For example, an employee’s computer, laptop or company phone would be considered an asset. Likewise, sensitive information stored on those devices are assets.
An asset can also be part of an organisation’s critical infrastructure, such as a server or support system.
Assets can be broken down into the following categories:
- Hardware (IT servers, network equipment, computers, laptops, etc.);
- Information (paper and digital records);
- People (employees, contractors, volunteers and anyone who knows confidential information);
- Services (provided by the organisation or third parties); and
- Locations (the organisation’s premises, remote employees’ offices, etc.)
Why are assets important for information security management?
Organisations must complete an asset inventory to build an effective ISMS (information security management system) and to achieve ISO 27001 certification.
Specifically, an asset inventory is an essential part of the risk assessment process, because it’s a constituent element of identifying and evaluating information security risks.
We’ve previously discussed the relationship between assets, threats and vulnerabilities, but to summarise, a threat is any incident that could negatively affect an asset – for example, if it’s lost, knocked offline or accessed by an unauthorised party.
A vulnerability is an organisational flaw that can be exploited by a threat to destroy, damage or compromise an asset.
Risk can be defined as something that’s in jeopardy (an asset), an actor that can exploit it (a threat) and a way that it can happen (a vulnerability).
Organisations must therefore identify assets alongside threats and vulnerabilities if they are to adequately perform a risk assessment.
Who should the asset owner be and what are their responsibilities?
Every information asset needs an owner. This is the person who is responsible for managing it on a day-to-day basis.
An asset owner isn’t necessarily the person who is legally responsible for protecting the asset. Rather, they are the person best equipped to maintain it.
Depending on the asset in question, the appropriate owner might be a system administrator or the manager of the department under which the asset sits.
Asset owners are responsible for ensuring that assets are:
- Classified and protected;
- Subject to appropriate access controls; and
- Properly deleted or destroyed when no longer needed.
These tasks can be delegated, but the ultimate responsibility must always lie with the asset owner.
How to build an asset inventory
You should build the asset inventory during the risk assessment process. Most organisations take an asset-based approach, and this is the easiest way to create an asset inventory.
As part of the risk assessment, you will interview relevant personnel within the organisation to understand the severity of risks and the likelihood of them occurring.
The process begins by identifying assets and then working out the relevant risks. Doing so means you already have an asset register, which you can use as the basis of your asset inventory.
ISO 27001 doesn’t contain strict rules on the details that must be included in an asset inventory. You can, for example, limit the inventory to the name of the asset and its owner. However, you will also find it helpful to include details such as the asset’s location and category.
You can get started with your asset inventory with Vigilant Software’s risk assessment tool vsRisk.
This tool provides a simple and fast way to deliver repeatable, consistent assessments year after year. Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.
Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.