A Practical Approach to Asset Inventory for ISO 27001
The 2017 update of ISO 27001 placed additional emphasis on data as an asset that should be inventoried and managed. While this is not a new philosophy, it may have sparked some organizations’ first realizations that they should consider information an asset just like hardware. If this is the first time you have done an inventory of your information, it can be hard to know just where to start. However, once you have this inventory in place, it is that much easier to safeguard the information that you are entrusted with.
Why an Information Asset Inventory Is Important
Experts agree that an asset-based information security risk assessment is a highly effective risk methodology. A thorough and accurate inventory of all assets within the scope of your information security management system (ISMS) is a vital part of that assessment.
When you do not have an accurate inventory, you cannot accurately assess your risk. This, in turn, can make it hard to identify the controls that your organization will need to protect your information assets.
How Do You Know What to Include in Your Asset Inventory?
Your asset inventory for ISO 27001 should be linked to your ISMS scope. It will also involve the interested parties whom you have identified, as well as the internal and external issues that you found while addressing the requirements of the ISO standard. When we do an ISO 27001 audit, one of the things we like to look at is whether an organization has a good understanding of what its assets are.
As part of the 2013 update to ISO 27001, information assets were considered along with physical assets of the business. So, in the past, physical assets associated with the organization’s processing and infrastructure were what were counted. These would include items like servers, networking equipment, software purchases, database systems and the like.
When you begin including information assets, what is counted gets a lot broader. Assets that need to be protected under this umbrella can include data collected by your company, information that resides in the knowledge bases of individual workers and a range of intangible assets. This last class can include such disparate items as your intellectual property, your company’s unique branding and your company’s reputation.
The assets themselves should be categorized using the factors that work best for you. For instance, it might make sense to divide assets into those with financial value and those without financial value. You may also wish to establish a classification system that breaks assets down based on how sensitive the information is, such as public information, internal, confidential and restricted data.
Who Is Responsible for What?
Once assets are accounted for and categorized, it is also important to assign responsibility for each. When something is everybody’s responsibility, it’s actually no one’s. Assigning an asset owner helps ensure that every asset, whether physical or digital, has an individual or department charged with its stewardship.
The asset owner is not the person who is the physical or legal owner of the asset. Rather, it is the person who has the responsibility and authority to see to its care. This owner is responsible for seeing that the assets assigned to them are inventoried and classified correctly. They will make sure that access to these assets is handled correctly and that the right permissions are in place. And, when it comes time to delete or destroy an information-based asset, they will ensure that it is disposed of securely. While day-to-day responsibilities for asset management can be delegated, the buck stops with the asset owner. They are ultimately responsible for ensuring that everything is managed correctly.
The Right Tools for Tracking Assets
In most cases, a spreadsheet is the simplest tool for inventorying and tracking assets. There are a number of templates available that can get you started. Or, you can build one that fits your organization’s needs specifically.
Some organizations may also find, however, that they need more sophisticated tools to show how an asset is related to specific identified risks. If this is true of assets that you manage, more robust database software may be the answer. What is important is that all asset owners and stakeholders understand their responsibilities and the processes needed for safeguarding every asset in their care.
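As an added illustration, not part of the original article or any I.S. Partners tooling, the following Python script shows what a minimal inventory check looks like once your spreadsheet exists: it loads a constructed sample inventory in CSV form, verifies that every asset has an asset owner and one of the four classification levels named above (public, internal, confidential, restricted), flags duplicate asset identifiers, and groups assets by owner so each owner can see what they are accountable for. The column names, the asset-type list and the sample rows are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample inventory in the kind of spreadsheet layout the article
# suggests. Column names and rows are assumptions for this example only.
SAMPLE_INVENTORY_CSV = """\
asset_id,name,asset_type,classification,owner,location
A-001,Customer database,information,restricted,Head of Data,prod-db-01
A-002,Web server,hardware,internal,IT Operations,rack 4
A-003,Marketing brochure,information,public,,website
A-004,HR personnel files,information,confidential,HR Manager,file share
A-005,Source code repository,information,secret,Engineering Lead,git server
A-001,Customer database (analytics copy),information,restricted,Head of Data,analytics-01
"""

# The four sensitivity levels named in the article.
CLASSIFICATIONS = ("public", "internal", "confidential", "restricted")

# Asset categories (assumed list; adapt to your own ISMS conventions).
ASSET_TYPES = ("hardware", "software", "information", "service", "people", "intangible")

UNASSIGNED = "(unassigned)"


@dataclass
class Finding:
    """One inventory defect that the asset owner or ISMS lead must resolve."""
    asset_id: str
    problem: str


def parse_inventory(text):
    """Read CSV text into a list of row dicts with whitespace-trimmed values."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for raw in reader:
        rows.append({key: (value or "").strip() for key, value in raw.items() if key})
    return rows


def validate_inventory(rows):
    """Return findings for duplicates, missing owners and unknown labels.

    Every asset, regardless of sensitivity, must have an owner: an asset
    without an owner is an asset nobody is accountable for.
    """
    findings = []
    seen_ids = set()
    for row in rows:
        asset_id = row.get("asset_id", "")
        if not asset_id:
            findings.append(Finding("<none>", "missing asset_id"))
            continue
        if asset_id in seen_ids:
            findings.append(Finding(asset_id, "duplicate asset_id"))
        seen_ids.add(asset_id)

        if not row.get("name", ""):
            findings.append(Finding(asset_id, "missing name"))

        asset_type = row.get("asset_type", "").lower()
        if asset_type not in ASSET_TYPES:
            findings.append(Finding(asset_id, f"unknown asset_type '{asset_type}'"))

        classification = row.get("classification", "").lower()
        if classification not in CLASSIFICATIONS:
            findings.append(Finding(asset_id, f"unknown classification '{classification}'"))

        if not row.get("owner", ""):
            findings.append(Finding(asset_id, "no asset owner assigned"))
    return findings


def assets_by_owner(rows):
    """Group asset ids by owner so each owner can review their stewardship."""
    grouped = defaultdict(list)
    for row in rows:
        owner = row.get("owner", "") or UNASSIGNED
        grouped[owner].append(row.get("asset_id", ""))
    return dict(grouped)


def classification_counts(rows):
    """Count assets per classification label as recorded in the sheet."""
    counts = defaultdict(int)
    for row in rows:
        counts[row.get("classification", "").lower()] += 1
    return dict(counts)


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY_CSV)
    for finding in validate_inventory(inventory):
        print(f"{finding.asset_id}: {finding.problem}")
    for owner, ids in sorted(assets_by_owner(inventory).items()):
        print(f"{owner}: {', '.join(ids)}")
    print(classification_counts(inventory))
```

Run against the sample data, the check reports the brochure with no owner, the repository labelled with a level that is not in the classification scheme, and the duplicated customer-database identifier. The same validation can be pointed at an export from whatever spreadsheet or database you settle on, and is a cheap way to confirm, before a risk assessment or audit, that the inventory is complete enough to assess risk against.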
At I.S. Partners, LLC, we take pride in helping enterprises like yours identify their valuable assets and develop plans to protect them. Is it time to take a good look at your assets, both information-based and physical? Get in touch. We can set up a free consultation to get you started. Call us at 215-675-1400, or request a quote to get started today!