A Practical Approach to Asset Inventory for ISO 27001

The 2017 update of ISO 27001 placed additional emphasis on data as an asset that should be inventoried and managed. While this is not a new philosophy, it may have sparked some organizations’ first realizations that they should consider information an asset just like hardware. If this is the first time you have done an inventory of your information, it can be hard to know just where to start. However, once you have this inventory in place, it is that much easier to safeguard the information that you are entrusted with.

Why an Information Asset Inventory Is Important

Experts agree that an asset-based information security risk assessment is a highly effective risk methodology. A thorough and accurate inventory of all assets within the scope of your information security management system (ISMS) is a vital part.

When you do not have an accurate inventory, you cannot accurately assess your risk. This, in turn, can make it hard to identify the controls that your organization will need to protect your information assets.

How Do You Know What to Include in Your Asset Inventory?

Your asset inventory for ISO 27001 should be linked to your ISMS scope. It will also involve the interested parties who you have identified, as well as the internal and external issues that you’ve found while you were addressing the requirements of the ISO standard. When we do an ISO 27001 audit, one of the things we like to look at is whether an organization has a good understanding of what their assets are.

As part of the 2013 update to ISO 27001, information assets were considered along with physical assets of the business. So, in the past, physical assets associated with the organization’s processing and infrastructure were what were counted. These would include items like servers, networking equipment, software purchases, database systems and the like.

When you begin including information assets, what is counted gets a lot broader. Assets that need to be protected under this umbrella can include data collected by your company, information that resides in the knowledge bases of individual workers and a range of intangible assets. This last class can include such disparate items as your intellectual property, your company’s unique branding and your company’s reputation.

The assets themselves should be categorized using the factors that work best for you. For instance, it might make sense to divide assets into those with financial value and those without financial value. You may also wish to establish a classification system that breaks assets down based on how sensitive the information is, such as public information, internal, confidential and restricted data.

Who Is Responsible for What?

Once assets are accounted for and categorized, it is also important to assign responsibility for each. When something is everybody’s responsibility, it’s actually no one’s. Assigning an asset owner helps ensure that every asset, whether physical or digital, has an individual or department assigned with its stewardship.

The asset owner is not the person who is the physical or legal owner of the asset. Rather, it is the person who has the responsibility and authority to see to its care. This entity will be responsible for seeing that the assets assigned to them are inventoried and classified correctly. They will make sure that access to these assets is handled correctly and that the right permissions are in place. And, when it comes time to delete or destroy an information-based asset, they will ensure that it is disposed of in a way that ensures security. While day to day responsilities for asset management can be delegated, the buck stops with the asset owner. They are ultimately responsible for ensuring that everything is managed correctly.

The Right Tools for Tracking Assets

For many organizations, a spreadsheet is the simplest way to inventory and track assets, with customizable templates available to meet specific needs. However, more advanced database solutions may be necessary for organizations that need to map assets to information security risks and security controls. Regardless of the tool used, it is critical that asset owners and stakeholders understand their roles in safeguarding these resources.

Contact us today to learn more about aligning asset management with international security standards.

About The Author

Mike Mariano

Michael is the Chief Information Security Officer at IS Partners as well as the leader of the penetration testing practice for IS Partners. Michael has 15+ years’ experience in internal IT operations with 7 years of being involved in various levels of IT auditing with experience with PCI DSS, SOC 2, HITRUST CSF, Risk Assessments and experience working with Security Frameworks (such as ISO and NIST). Michael has worked with/at companies from 10 to 50,000 employees in size. Prior to joining IS Partners, Michael worked as the IT Operations Manager at AVASEK an MSP IS Security firm where he managed a team of six technicians to service 1500 client endpoints as well as the firm's Cloud Hosting Solution. while at AVASEK, Michael also performed gap assessments against HIPPA and NIST Security Frameworks and was a member of the incident response team. Michael’s specialties are IT Security and IT Management. He is experienced in performing security Risk Assessments, enforcing security policies, handling confidential information, deploying and administering network and application security systems, administrating SaaS products, Active Directory (AD), firewalls, routers, and VPN. Michael is HITRUST CCSFP and AWS CP Certified and has maintained various CompTIA Certifications over his career. He is currently working to achieve his GIAC GWAP and OSCP Certification in 2020.