Created by the International Organization for Standardization, the ISO 27001 standard deals with information security management. Annex A.8 of the standard focuses on asset management, which includes human, financial, information, and intangible assets.
While the ISO 27001 standard is expansive and focused on establishing an information security management system, asset management is critical to compliance and certification. A company must know what it has if it means to protect it, and the asset management policy in ISO 27001 helps establish a process for identifying, tracking, and maintaining company assets.
The ISO 27001 policy for asset management is straightforward: Assets are a critical component of an organization’s security posture, meaning a company must monitor and control access to assets. The policy covers all physical and electronic assets, including information and related data.
Owning assets comes with responsibilities, and organizations must define and document the roles of ownership. A written policy backed by an up-to-date inventory ensures that all assets are accounted for and helps to prevent unauthorized access. The policy should outline all historical and current information about individual assets, including changes in asset ownership.
The A.8 asset management policy applies to all businesses regardless of industry or size. Every company pursuing ISO 27001 certification should follow several steps to implement and show control over assets:
The asset management policy in ISO 27001 focuses on classifying assets and information, helping organizations protect assets by determining the required security levels. To determine the type and labeling of assets, companies must first identify them and create an inventory.
ISO 27001 primarily focuses on assets that may influence the accessibility of information, which include human assets, financial assets, information assets, and intangible assets. Some examples of items to have on an inventory list:
The primary aim of the inventory in the asset management policy in ISO 27001 is to list all information assets or items that have value for the organization. As a company compiles a list, it should consider software, websites, employee files, and servers.
An inventory helps organizations evaluate their assets and provide a valuation, which helps determine the level of security an asset requires. The logic of the evaluation and classification process is that assets should have a level of security commensurate with their value to an organization. Organizations determine value by assessing the sensitivity and potential effect of asset disclosure.
When assessing assets, an organization uses three defined levels of security: public, internal, and restricted. Public assets require the least amount of security controls because they are open and available to the public. Internal assets require a certain level of control because the data is only accessible to employees and the internal organization. Restricted assets require the highest level of security controls because they are highly sensitive. Examples of restricted assets include customer information, employee files, and intellectual property.
Annex A.8 has a lot to say about asset handling, and it starts with proper labeling, that is, assigning labels that indicate an asset’s level of sensitivity and its security needs. Sensitivity labels are the organization’s responsibility and are based on earlier impact assessments. There are three types of labels:
To comply with the asset management policy in ISO 27001, organizations should create and adopt policies and procedures for labeling information. The policy must specify the labels, sensitivity protocols, security controls, and the process for applying labels. Only after creating an inventory and establishing a labeling policy can companies hope to handle information assets correctly and securely.
ISO 27001, Annex A.8.2.3, discusses the handling of assets explicitly. It states that organizational procedures must ensure confidentiality, integrity, and availability of all information and communication technology assets. The ISO standard suggests several controls organizations can implement:
To determine the proper controls, organizations must assess their individual circumstances and needs. An organization must also agree on the requirements for handling assets before putting controls in place. In addition, when creating an asset handling procedure, the organization must put steps in place to ensure that all asset changes receive proper authorization, review, and approval before implementation.
The handling procedure should include security measures and steps for the transfer, removal, or destruction of the asset. By ensuring the policy covers every aspect of the asset lifecycle, the organization can maintain security throughout.
ISO 27001 is an information security standard. Companies that receive ISO 27001 certification formalize their security efforts, showing clients they prioritize security, privacy, and information assets.
The asset management policy focuses on the inventory and handling of assets, which sounds straightforward but can be challenging regardless of company size. Organizations use several platforms and technologies, from AWS to Workday; they also allow many devices to access their systems.
Your organization needs to integrate seamlessly across platforms and cross-reference asset libraries to determine the extent of your inventory. Committing to the inventory process of the asset management policy in ISO 27001 is challenging, but you can simplify it with Compyl. Our innovative platform seamlessly integrates into your systems and uncovers granular details about your business and assets that you may otherwise miss. Contact our team to request a demo to see how Compyl fits into ISO 27001 compliance and standards.