To comply with control A.8 'Asset management' in Annex A of ISO 27001, an organization must identify its assets, assign suitable protection responsibilities, and ensure that information is safeguarded in proportion to its significance to the organization.
Establishing Asset Registers
When creating your asset registers or inventories, it is advisable to document the following details for each information asset:
- Asset type
- Asset owner
- Asset classification
- Asset location
- Asset impact levels concerning confidentiality, integrity, and availability
Establishing Asset Types
URM proposes the following fundamental segregation of assets:
- Information assets
- Supporting assets
  - Hardware
  - Software
  - People
  - Buildings
- Intangible assets (e.g., brand and reputation)
Identifying Asset Owners
During the process of identifying asset owners, it is crucial to pinpoint a functional role that holds oversight and responsibility for specific types of assets. This ensures clear accountability and effective management of the assets throughout the organization.
The responsibilities of asset owners include:
- Identifying risks associated with the asset type.
- Offering guidance and instructions on the appropriate use of the asset.
- Identifying the required levels of protection based on the asset's classification.
- Implementing and verifying the effectiveness of security controls relevant to that specific asset type.
Assigning Asset Classifications
Depending on the organizational structure, the responsibility for determining asset classification usually falls on the asset owner; however, the classification decision must be approved by top management. The criteria for protecting assets must align with their criticality so that each asset receives an appropriate level of security and safeguarding. This collaborative approach ensures that assets are protected according to their significance to the organization and its overall risk management strategy.
Assigning Impact Levels
The task of assigning impact levels also falls to the asset owner or an ISO 27001 consultant. Determining impact levels can be an intricate process, but essentially the impact level is derived from the sensitivity and criticality of the information contained on or within the asset. The asset owner or ISO 27001 consultant assesses the potential consequences of unauthorized disclosure, modification, or unavailability of the information associated with the asset in order to establish an appropriate impact level. This in turn guides the selection of security controls and measures to protect the asset and the information it contains, in proportion to its significance and potential impact on the organization.