ISO 27001 - Annex A.8: Asset Management
What is the objective of Annex A.8.1 of ISO 27001:2013?
Annex A.8.1 is about responsibility for assets. The objective in this Annex is to identify information assets in scope for the management system and define appropriate protection responsibilities. It’s an important part of the information security management system (ISMS) especially if you’d like to achieve ISO 27001 certification. Lets understand those requirements and what they mean in a bit more depth now.
A.8.1.1 Inventory of Assets
Any assets associated with information and information processing facilities need to be identified and managed over the lifecycle, always up to date. A register or inventory of those assets has to be put together that shows how they are managed and controlled, based around their importance (which also dovetails neatly into information classification below). This lifecycle of the information generally includes creation, processing, storage, transmission, deletion and destruction stages.
A.8.1.2 Ownership of Assets
All information assets must have owners. Asset management ownership can be different to legal ownership too, and it can be done at an individual level, department, or other entity. Ownership should be assigned when the assets are created. The asset owner is responsible for the effective management of the asset over the whole of the asset’s lifecycle. They can delegate management of that too and ownership can change during that lifecycle as long as both are documented.
A.8.1.3 Acceptable Use of Assets
Acceptable use of information and of assets is important to get right. Rules for acceptable use of assets is often documented in an “Acceptable Use Policy”. The rules for acceptable use must take into consideration employees, temporary staff, contractors and other third parties where applicable across the information assets they have access to. It is important that all relevant parties have access to the set of documented acceptable use rules and these are reinforced during regular training and information security awareness, compliance related activity.
A.8.1.4 Return of Assets
All employees and external party users are expected to return any organisational and information assets upon termination of their employment, contract or agreement. As such it must be an obligation for employees and external users to return all the assets and these obligations would be expected in the relevant agreements with staff, contractors and others. A solid, documented process is also required to ensure that the return of assets is appropriately managed and can be evidenced for each person or supplier that goes through it – this aligns with the exit controls in Annex 7 for Human Resource Security and Annex 13.2.4 for confidentiality agreements, and Annex A.15 for supplier activity. Where assets are not returned according to the process, unless otherwise agreed and documented as part of the exit process, the non-return should be logged as a security incident and followed-up in line with Annex A.16. The return of assets procedure is never fool proof and this also underlines the need for periodic audit of assets to ensure their continued protection.
An asset management policy and tool is included in ISMS.online
The perfect fusion of knowledge and technology for early ISO 27001 success
Accelerate your ISO 27001 implementation
What is the objective of Annex A.8.2 of ISO 27001:2013?
Annex A.8.2 is about information classification. The objective in this Annex is to ensure that information receives an appropriate level of protection in accordance with its importance to the organisation (and interested parties such as customers).
A.8.2.1 Classification of Information
Information must be classified in terms of legal requirements, value, criticality and sensitivity to any unauthorised disclosure or modification, ideally classified to reflect business activity rather than inhibit or complicate it. For example, information made publically available e.g. on a website might just be marked ‘public’ whereas confidential or commercial in confidence are obvious for the information being more sensitive than public.
Information classification is one of the key controls used to ensure that assets are adequately and proportionately protected. Many organisations have 3-4 classification options to allow effective management of the information taking into account its value and importance. It can however be as simple or as complex as required to ensure the correct level of granularity for the protection of assets. Remember if you keep it really simple and have too few classifications that might mean you are over or under engineering controls. Too many classification options is likely to confuse end users on what one to adopt and create additional overhead on the management scheme. As with all controls this one needs to be reviewed regularly to ensure its ongoing fitness for purpose.
A.8.2.2 Labelling of Information
An appropriate set of procedures for information labelling must be developed and implemented in accordance with the information classification scheme adopted by the organisation. Procedures for information labelling will need to cover information and related assets in both physical and electronic formats. This labelling should reflect the classification scheme established in 8.2.1. The labels should be easily recognisable and easy to manage in practice otherwise they will not get followed. For example it could be easier to defacto decide that everything is confidential in the digital systems unless expressly labeled otherwise, rather than get staff to label every CRM update with a commercial in confidence statement! Be clear on where this defacto labelling is being done and document it in your policy then remember to include it in the training for staff.
A.8.2.3 Handling of Assets
Procedures for handling assets need to be developed and implemented in accordance with the information classification scheme. The following should be considered; Access restrictions for each level of classification; Maintenance of a formal record of the authorised recipients of assets; Storage of IT assets in accordance with manufacturers’ specifications, marking of media for authorised parties.
If the organisation handles information assets for customers, suppliers and others, it is important to either demonstrate a mapping policy e.g. customer classification of official sensitive maps to our organisation of commercial in confidence, or that the additional classification would be dealt with in other ways to show it is being protected.
What is the objective of Annex A.8.3 of ISO 27001:2013?
Annex A.8.3 is about media handling. The objective in this Annex is to prevent unauthorised disclosure, modification, removal or destruction of information stored on media.
A.8.3.1 Management of Removable Media
Procedures must be put in place for the management of removable media in accordance with the classification scheme. General use of removable media must be risk assessed and it may be necessary to carry out use-specific risk assessments beyond that too. Removable media should only be allowed if there is a justified business reason. If no longer required, the contents of any re-usable media should be made unrecoverable and securely destroyed or erased. All media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications and additional techniques like cryptography considered where appropriate (i.e. as part of the risk assessment). Where necessary and practical, authorisation should be required for media removed from the organisation, and a record kept in order to maintain an audit trail.
A.8.3.2 Disposal of Media
When no longer required media must be disposed of securely by following documented procedures. These procedures minimise the risk of confidential information leakage to unauthorised parties. The procedures should be proportional to the sensitivity of the information being disposed. Things that should be considered include; whether or not the media contains confidential information; and having procedures in place which help identify the items which might require secure disposal.
A.8.3.3 Physical Media Transfer
Any media containing information needs to be protected against unauthorised access, misuse or corruption during transportation (unless already publicly available). The following should be considered to protect media when being transported; Reliable transport or couriers should be used – perhaps a list of authorised couriers should be agreed with management; Packaging should be sufficient in order to protect the contents from any physical damage during transit; and Logs should be kept, identifying the content of the media and the protection applied. It should also be noted that when confidential information on media is not encrypted, additional physical protection of the media should be considered.
“The virtual coach is a great addition to ISMS.online. It has all of the information you’d find on a lead implementer course and a whole lot more, I can refresh or improve my knowledge about a particular topic right at the stage I need to, I don’t even need to navigate away from the work I am doing.”
Toby Snell, Compliance at Worldwide Internet Insurance Services
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
ISO 27001 requirements
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement