Developing your ISO 27001 asset inventory

Taking a pragmatic approach to your information and physical assets

What’s an asset inventory?

An asset inventory is (unsurprisingly) an inventory of your organisation’s information assets. It’s a very important part of your ISMS because it defines what it’ll protect. So you’ll have to create one to:

  • Build an effective ISMS
  • Achieve ISO 27001 compliance or certification

When we talk about information assets we find that most people think they’re limited to IT equipment like laptops, servers and software. But your asset inventory can also include people, intellectual property and even intangible assets like your organisation’s brand.

Creating your asset inventory

To create your asset inventory, you’ll need to:

  • List your information and physical assets
  • Categorise them by type so you can start thinking about generic risks
  • Assign ownership of each of them
  • Map specific potential risks to each of them
  • Analyse risks to see which ones are unacceptable

If you’re implementing ISO 27001 for the first time, creating your asset inventory can seem quite complicated. But if you’re using you don’t really need to know the ins and outs to get stuck in.

What goes into an ISO 27001 asset inventory?

Your information assets

Your organisation’s information assets go into your asset inventory. These are:

  • Any information of value to the organisation
  • Any networks or devices that store, process or make it accessible

The information’s the most important thing here, though of course your networks and devices do still need to be protected. Information of value to your organisation can include:

  • Information or data
  • Intangibles – such as IP, brand and reputation
  • People – employees, temporary staff, contractors, volunteers etc

Your physical assets

You’ll also have to work through any physical assets associated with information processing and infrastructure, including:

  • Hardware: Typically IT servers, network equipment, workstations, mobile devices, etc
  • Software: Your bought-in or bespoke software
  • Services: Any services your end-users receive (e.g. database systems, e-mail etc)
  • Locations & Buildings: Your sites, buildings, offices etc

Grouping your assets

Once you’ve defined your assets, you can group them by:

  • Classification – e.g. public, internal, confidential etc
  • Information type – e.g. personal, personal sensitive, commercial etc
  • Financial or non-financial value

Your auditor will expect to see an inventory or inventories covering all relevant assets that fall within the scope of the ISMS. Each one must have a specific owner and classification. Our platform makes it easy to manage that and more.
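The steps above (list the assets, categorise them, assign an owner, map risks, analyse which are unacceptable), the grouping by classification and information type, and the auditor’s expectation that every in-scope asset has an owner and a classification can be modelled in a few dozen lines. The following is an added example written for this article; it is not code from the original page or from any vendor’s platform. The classification scheme, the 5×5 likelihood × impact scale, the threshold of 12 and every asset, owner and risk in the sample inventory are constructed assumptions, not values prescribed by ISO 27001. The `personal_data_systems` view also covers the GDPR point made later on this page: the same inventory answers “which systems hold or process personal data?”

```python
"""Minimal ISO 27001-style asset inventory with audit-readiness checks.

Added example, not from the original page or any vendor platform. All assets,
owners, risks and scores are constructed sample data; the scales and the
threshold are assumptions, not values prescribed by ISO 27001.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed scheme: the page gives these only as examples.
CLASSIFICATIONS = {"public", "internal", "confidential"}
PERSONAL_INFO_TYPES = {"personal", "personal sensitive"}
ASSET_TYPES = {"information", "intangible", "people", "hardware",
               "software", "service", "location"}
RISK_THRESHOLD = 12  # assumed: likelihood * impact above this needs treatment


@dataclass
class Risk:
    description: str
    likelihood: int                        # 1 (rare) .. 5 (almost certain)
    impact: int                            # 1 (negligible) .. 5 (severe)
    controls: List[str] = field(default_factory=list)  # treating controls

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Asset:
    name: str
    asset_type: str
    owner: str = ""                        # accountable person, not the holder
    classification: str = ""
    info_type: str = ""                    # e.g. personal, commercial
    value: int = 0                         # relative business value, 1..5
    risks: List[Risk] = field(default_factory=list)


def audit_findings(inventory: List[Asset]) -> List[str]:
    """Findings an auditor would raise: each asset needs an owner and a
    recognised classification and category."""
    findings = []
    for a in inventory:
        if not a.owner:
            findings.append(f"{a.name}: no asset owner assigned")
        if a.classification not in CLASSIFICATIONS:
            findings.append(f"{a.name}: missing or unknown classification "
                            f"{a.classification!r}")
        if a.asset_type not in ASSET_TYPES:
            findings.append(f"{a.name}: unknown asset type {a.asset_type!r}")
    return findings


def group_by(inventory: List[Asset], attribute: str) -> Dict[str, List[str]]:
    """Group asset names by classification, info_type or asset_type."""
    groups: Dict[str, List[str]] = {}
    for a in inventory:
        key = getattr(a, attribute) or "unassigned"
        groups.setdefault(key, []).append(a.name)
    return groups


def unacceptable_risks(inventory: List[Asset]) -> List[Tuple[str, str, int]]:
    """(asset, risk, score) triples above the threshold, worst first; asset
    value breaks ties so the risk treatment plan is worked in priority order."""
    hits = [(a, r) for a in inventory for r in a.risks
            if r.score() > RISK_THRESHOLD]
    hits.sort(key=lambda h: (-h[1].score(), -h[0].value))
    return [(a.name, r.description, r.score()) for a, r in hits]


def personal_data_systems(inventory: List[Asset]) -> List[str]:
    """The GDPR view: assets that hold or process personal data."""
    return sorted(a.name for a in inventory
                  if a.info_type in PERSONAL_INFO_TYPES)


# Constructed sample inventory; names, roles and risks are fictitious.
SAMPLE_INVENTORY = [
    Asset("Customer database", "information", owner="Sales Director",
          classification="confidential", info_type="personal", value=5,
          risks=[Risk("Unauthorised access via shared admin password", 3, 5,
                      ["Individual accounts with MFA"]),
                 Risk("Backup media lost in transit", 2, 5,
                      ["Encrypted backups"])]),
    Asset("Payroll server", "hardware", owner="IT Operations lead",
          classification="confidential", info_type="personal sensitive",
          value=4, risks=[Risk("Unpatched OS exploited", 4, 4,
                               ["Monthly patch cycle"])]),
    Asset("Company brand", "intangible", owner="Head of Marketing",
          classification="public", info_type="commercial", value=3,
          risks=[Risk("Public website defaced", 2, 3, ["Hosting hardening"])]),
    Asset("Field engineers", "people", classification="internal"),  # no owner
    Asset("HQ office", "location", owner="Facilities manager"),      # unclassified
]

if __name__ == "__main__":
    for line in audit_findings(SAMPLE_INVENTORY):
        print("FINDING:", line)
    for name, risk, score in unacceptable_risks(SAMPLE_INVENTORY):
        print(f"TREAT: {name} / {risk} (score {score})")
    print("Personal data systems:", personal_data_systems(SAMPLE_INVENTORY))
```

Running it lists the two gaps an auditor would spot in the sample (an asset with no owner, an asset with no classification) and the two risks that sit above the threshold and so belong in the risk treatment plan, worst first. The point of keeping owner, classification, risks and controls on the same record is exactly the linking the rest of this page argues for: a spreadsheet can hold the columns, but the checks and the cross-references have to live somewhere that can run them.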

Who owns the asset and what are their ISO 27001 responsibilities?

The asset owner is the person responsible for making sure that, at minimum, the asset’s:

  • Correctly inventoried, classified and protected
  • Classification and access restrictions are periodically reviewed
  • Handled correctly when the time comes to delete or destroy it

Note that the asset owner is not necessarily its legal or physical holder.

Assigning asset responsibilities

The asset owner sets the asset’s protection requirements in line with their organisation’s policies and standards. They can delegate its day-to-day management responsibilities (e.g. updating inventories, carrying out audits, etc). But they’ll still be ultimately responsible for it.

With our platform, it’s easy to assign asset owners and set automatic review date alerts. That’ll link to all the other information that defines each asset too, giving you a 360 degree view of everything you need to make sure they’re all properly managed.

How does the ISO 27001 asset inventory relate to GDPR?

To comply with the General Data Protection Regulation (GDPR) your organisation must:

  • Keep an inventory of systems holding and processing personal data
  • Identify, assess and treat any risks surrounding that personal data

Following the ISO 27001 approach to asset and risk assessment makes it easy to meet GDPR’s requirements too. If you’re worried about GDPR, or need to meet other regulations like POPIA or CCPA, we’ve already done most of the heavy lifting for you.

Should you use a template or tool to manage your asset inventory?

There are many sample templates for asset inventories and registers available. They’re usually based on simple spreadsheets, so are easy to understand and use. That can make it tempting to save money and build your own.

But while spreadsheets are great for basic tasks like financial modelling, they have their limits. Because they’re static documents they’re not the best platform for asset inventories. They can’t help you show how each asset links to:

  • Any risks you’ve identified
  • The policies and controls that address them
  • Your ISMS’ other dynamic content

Or you can take a longer-term view and invest in a specialist asset management tool. But they’re often complex and detail heavy. Information asset management could well become a full-time job in its own right. And you’ll still need to link your tool with the rest of your ISMS.

Choosing the right ISMS platform

Instead of reaching for a spreadsheet or a stand-alone specialist tool, we’d recommend looking for an ISMS platform that includes its own asset inventory tool. It should:

  • Come pre-configured, but be easy to customise with your own classifications
  • Let you assign asset owners, and asset management due dates and reminders
  • Dynamically capture evidence for internal and external audits in one secure location

It should also let you assign values to your assets. That’ll help you prioritise risk assessments and assess the potential impact of any security incidents, events or breaches. And you should be able to link through to your risk treatment plan and beyond.

That’s the kind of linking lets you do. You can move from an information asset, to a risk it faces and to the control that treats that risk. Then you can jump from that control to your Statement of Applicability, updating it with the justification for its implementation.

It really is that simple.

What’s next?

Buying in or building your own spreadsheet-based asset inventory might seem cost-effective. Sophisticated specialist tools can look like they’ll solve all your problems. But in the long run both will be harder to manage and challenging to coordinate with other parts of your ISMS, especially if you’re aiming for ISO 27001 compliance or certification.

If you’re after the best of both solutions, we’d recommend taking a look at our all-in-one ISMS platform. We balance just the right amounts of sophistication, sustainability, simplicity and affordability to help you create the simplified, secure, sustainable ISMS you need.