PCI DSS 4.0 - Are You Ready? Get a Discount on a Readiness Assessment - Learn More
asset inventory iso 27001
Author Picture

Updated on August 10, 2022 by Mike Mariano

Listen to: "A Practical Approach to Asset Inventory for ISO 27001"

The 2017 update of ISO 27001 placed additional emphasis on data as an asset that should be inventoried and managed. While this is not a new philosophy, it may have sparked some organizations’ first realizations that they should consider information an asset just like hardware. If this is the first time you have done an inventory of your information, it can be hard to know just where to start. However, once you have this inventory in place, it is that much easier to safeguard the information that you are entrusted with.

Why an Information Asset Inventory Is Important

Experts agree that an asset-based information security risk assessment is a highly effective risk methodology. A thorough and accurate inventory of all assets within the scope of your information security management system (ISMS) is a vital part.

When you do not have an accurate inventory, you cannot accurately assess your risk. This, in turn, can make it hard to identify the controls that your organization will need to protect your information assets.

How Do You Know What to Include in Your Asset Inventory?

Your asset inventory for ISO 27001 should be linked to your ISMS scope. It will also involve the interested parties who you have identified, as well as the internal and external issues that you’ve found while you were addressing the requirements of the ISO standard. When we do an ISO 27001 audit, one of the things we like to look at is whether an organization has a good understanding of what their assets are.

As part of the 2013 update to ISO 27001, information assets were considered along with physical assets of the business. So, in the past, physical assets associated with the organization’s processing and infrastructure were what were counted. These would include items like servers, networking equipment, software purchases, database systems and the like.

When you begin including information assets, what is counted gets a lot broader. Assets that need to be protected under this umbrella can include data collected by your company, information that resides in the knowledge bases of individual workers and a range of intangible assets. This last class can include such disparate items as your intellectual property, your company’s unique branding and your company’s reputation.

The assets themselves should be categorized using the factors that work best for you. For instance, it might make sense to divide assets into those with financial value and those without financial value. You may also wish to establish a classification system that breaks assets down based on how sensitive the information is, such as public information, internal, confidential and restricted data.

Who Is Responsible for What?

Once assets are accounted for and categorized, it is also important to assign responsibility for each. When something is everybody’s responsibility, it’s actually no one’s. Assigning an asset owner helps ensure that every asset, whether physical or digital, has an individual or department assigned with its stewardship.

The asset owner is not the person who is the physical or legal owner of the asset. Rather, it is the person who has the responsibility and authority to see to its care. This entity will be responsible for seeing that the assets assigned to them are inventoried and classified correctly. They will make sure that access to these assets is handled correctly and that the right permissions are in place. And, when it comes time to delete or destroy an information-based asset, they will ensure that it is disposed of in a way that ensures security. While day to day responsilities for asset management can be delegated, the buck stops with the asset owner. They are ultimately responsible for ensuring that everything is managed correctly.

The Right Tools for Tracking Assets

In most cases, a spreadsheet is the simplest tool for inventorying and tracking assets. There are a number of templates available that can get you started. Or, you can build one that fits your organization’s needs specifically.

Some organizations may also find, however, that they need more sophisticated tools to show how an asset is related to specific identified risks. If this is true of assets that you manage, more robust database software may be the answer. What is important is that all asset owners and stakeholders understand their responsibilities and the processes needed for safeguarding every asset in their care.

At I.S. Partners, LLC, we take pride in helping enterprises like yours identify their valuable assets and develop plans to protect them. Is it time to take a good look at your assets, both information-based and physical? Get in touch. We can set up a free consultation to get you started. Call us at 215-675-1400, or request a quote to get started today!

Get a Quote Try our Compliance Checker

About The Author

Author Picture

Mike Mariano

Michael is the Chief Information Security Officer at IS Partners as well as the leader of the penetration testing practice for AWA International. Michael has 15+ years’ experience in internal IT operations with 7 years of being involved in various levels of IT auditing with experience with PCI DSS, SOC 2, HITRUST CSF, Risk Assessments and experience working with Security Frameworks (such as ISO and NIST). Michael has worked with/at companies from 10 to 50,000 employees in size. Prior to joining IS Partners, Michael worked as the IT Operations Manager at AVASEK an MSP IS Security firm where he managed a team of six technicians to service 1500 client endpoints as well as the firm's Cloud Hosting Solution. while at AVASEK, Michael also performed gap assessments against HIPPA and NIST Security Frameworks and was a member of the incident response team. Michael’s specialties are IT Security and IT Management. He is experienced in performing security Risk Assessments, enforcing security policies, handling confidential information, deploying and administering network and application security systems, administrating SaaS products, Active Directory (AD), firewalls, routers, and VPN. Michael is HITRUST CCSFP and AWS CP Certified and has maintained various CompTIA Certifications over his career. He is currently working to achieve his GIAC GWAP and OSCP Certification in 2020.
clip

Get Hassle-free Pricing in 3 Easy Steps

1
Request a quote using the form below
2
Allow us to create a customized plan
3
We'll get you an accurate, no-obligation quote
Untitled-1 Asset 1 Request a Quote Background

Request a Quote

Please fill out the form below and one of our compliance specialists will contact you shortly. Want to speak to us now? Call us at (866) 335-6235 or book a meeting with one of our experts.

Great companies think alike!

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Teladoc VeriClaim DentaQuest VisioNet Verifacts Sterling AV Med DOE Legal