A Practical Approach to Asset Inventory for ISO 27001

The 2017 update of ISO 27001 placed additional emphasis on data as an asset that should be inventoried and managed. While this is not a new philosophy, it may have sparked some organizations’ first realizations that they should consider information an asset just like hardware. If this is the first time you have done an inventory of your information, it can be hard to know just where to start. However, once you have this inventory in place, it is that much easier to safeguard the information that you are entrusted with.

Why an Information Asset Inventory Is Important

Experts agree that an asset-based information security risk assessment is a highly effective risk methodology. A thorough and accurate inventory of all assets within the scope of your information security management system (ISMS) is a vital part of that assessment.

When you do not have an accurate inventory, you cannot accurately assess your risk. This, in turn, can make it hard to identify the controls that your organization will need to protect your information assets.

How Do You Know What to Include in Your Asset Inventory?

Your asset inventory for ISO 27001 should be linked to your ISMS scope. It will also involve the interested parties whom you have identified, as well as the internal and external issues that you’ve found while you were addressing the requirements of the ISO standard. When we do an ISO 27001 audit, one of the things we like to look at is whether an organization has a good understanding of what its assets are.

As part of the 2013 update to ISO 27001, information assets were considered along with physical assets of the business. So, in the past, the assets that were counted were the physical ones associated with the organization’s processing and infrastructure. These would include items like servers, networking equipment, software purchases, database systems and the like.

When you begin including information assets, what is counted gets a lot broader. Assets that need to be protected under this umbrella can include data collected by your company, information that resides in the knowledge bases of individual workers and a range of intangible assets. This last class can include such disparate items as your intellectual property, your company’s unique branding and your company’s reputation.

The assets themselves should be categorized using the factors that work best for you. For instance, it might make sense to divide assets into those with financial value and those without financial value. You may also wish to establish a classification system that breaks assets down based on how sensitive the information is, such as public information, internal, confidential and restricted data.

Who Is Responsible for What?

Once assets are accounted for and categorized, it is also important to assign responsibility for each. When something is everybody’s responsibility, it’s actually no one’s. Assigning an asset owner helps ensure that every asset, whether physical or digital, has an individual or department assigned with its stewardship.

The asset owner is not the person who is the physical or legal owner of the asset. Rather, it is the person who has the responsibility and authority to see to its care. This entity will be responsible for seeing that the assets assigned to them are inventoried and classified correctly. They will make sure that access to these assets is handled correctly and that the right permissions are in place. And, when it comes time to delete or destroy an information-based asset, they will ensure that it is disposed of in a way that ensures security. While day-to-day responsibilities for asset management can be delegated, the buck stops with the asset owner. They are ultimately responsible for ensuring that everything is managed correctly.

The Right Tools for Tracking Assets

In most cases, a spreadsheet is the simplest tool for inventorying and tracking assets. There are a number of templates available that can get you started. Or, you can build one that fits your organization’s needs specifically.

Some organizations may also find, however, that they need more sophisticated tools to show how an asset is related to specific identified risks. If this is true of assets that you manage, more robust database software may be the answer. What is important is that all asset owners and stakeholders understand their responsibilities and the processes needed for safeguarding every asset in their care.

At I.S. Partners, LLC, we take pride in helping enterprises like yours identify their valuable assets and develop plans to protect them. Is it time to take a good look at your assets, both information-based and physical? Get in touch. We can set up a free consultation to get you started. Call us at 215-675-1400, or request a quote to get started today!
