The importance of the Information Asset Inventory for ISO 27001:2013
If you are adopting an asset-based information security risk assessment for ISO 27001:2013 (and the ISO 27001:2017 updates), which is widely regarded as a robust and pragmatic risk methodology, you will be relying on a thorough inventory of every asset within the scope of your information security management system (ISMS).
An inaccurate asset inventory leads to an inaccurate risk assessment, which in turn leads to poor identification of the controls your organisation needs in place to protect its valuable assets. An asset that is missing from the inventory is never risk-assessed and therefore never protected deliberately.
Information assets should tie back to your ISMS scope and to the interested parties and internal and external issues you identified while addressing the standard's context requirements. You should be able to show a logical progression from those to the assets, and an auditor will find it helpful to see that logic applied.
In addition, an ISO 27001 auditor will generally be looking to see that an organisation has a good understanding of what their assets are, their value, their ownership, and their appropriate management.
What should be included in an ISO 27001 asset inventory?
The 2013 version of the standard changed the requirement so that all information assets are considered, not only physical ones. This covers anything of value to the organisation where information is stored, processed or accessed. It is the information itself that is of primary interest; the network or device that carries it is of less interest, although those are still assets and still need protecting:
- Information (or data)
- Intangibles – such as IP, brand and reputation
- People – Employees, temporary staff, contractors, volunteers etc
And the physical assets associated with their processing and infrastructure:
- Hardware – Typically IT servers, network equipment, workstations, mobile devices etc
- Software – Purchased or bespoke software
- Services – The actual service provided to end-users (e.g. database systems, e-mail etc)
- Locations & Buildings – Sites, buildings, offices etc
Assets of any type can be grouped together logically according to factors such as:
- Classification – e.g. public, internal, confidential etc
- Information type – e.g. personal, personal sensitive, commercial etc
- Financial or non-financial value
An auditor will expect to see an inventory, or inventories, covering all the relevant assets within the scope of the ISMS. Every asset must have an assigned owner and an assigned classification; an entry lacking either is a finding waiting to happen.
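As an added example (not part of the original article, and not ISMS.online's code), the following Python check reads a constructed CSV asset register and flags the gaps an auditor would pick up from the requirements above: assets with no owner, classifications outside the organisation's scheme, and duplicate identifiers. The column names, the sample rows and the three-level classification scheme are all assumptions made for the illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample register (not taken from any real organisation).
# One row per asset, with the minimum columns an ISO 27001 inventory needs.
SAMPLE_REGISTER = """\
asset_id,name,type,owner,classification,location
A-001,Customer database,Information,Head of Sales,Confidential,Cloud region eu-west-1
A-002,HR records,Information,,Confidential,HQ file server
A-003,Payroll SaaS,Service,Finance Director,Secret,Vendor hosted
A-004,Staff laptops,Hardware,IT Manager,Internal,Various
A-004,Office network switches,Hardware,IT Manager,Internal,HQ comms room
A-005,Company brand,Intangible,Marketing Director,Public,
"""

# Assumed classification scheme; substitute your own policy's labels.
ALLOWED_CLASSIFICATIONS = {"Public", "Internal", "Confidential"}

# Fields every entry must carry for the inventory to satisfy an auditor.
REQUIRED_FIELDS = ("asset_id", "name", "type", "owner", "classification")


def parse_register(text):
    """Parse a CSV register (header row first) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_register(rows, allowed=ALLOWED_CLASSIFICATIONS):
    """Return a list of (asset_id, problem) findings for the register.

    Checks: required fields populated, classification in the allowed
    scheme, and asset_id unique (a duplicate is reported once, on the
    second occurrence).
    """
    findings = []
    seen_ids = set()
    for row in rows:
        aid = row["asset_id"].strip()
        for field in REQUIRED_FIELDS:
            if not row.get(field, "").strip():
                findings.append((aid, f"missing {field}"))
        cls = row["classification"].strip()
        if cls and cls not in allowed:
            findings.append((aid, f"unknown classification '{cls}'"))
        if aid in seen_ids:
            findings.append((aid, "duplicate asset_id"))
        seen_ids.add(aid)
    return findings


def assets_per_owner(rows):
    """Count assets per owner; unassigned assets bucket under '<unassigned>'."""
    return Counter(row["owner"].strip() or "<unassigned>" for row in rows)


def is_audit_ready(rows):
    """True only when the register has no findings at all."""
    return not audit_register(rows)


if __name__ == "__main__":
    register = parse_register(SAMPLE_REGISTER)
    for asset_id, problem in audit_register(register):
        print(f"{asset_id}: {problem}")
    print("owners:", dict(assets_per_owner(register)))
    print("audit ready:", is_audit_ready(register))
```

Running it against the sample data reports the missing owner on A-002, the out-of-scheme classification on A-003 and the reused identifier A-004, which are exactly the kinds of defects that turn an inaccurate inventory into an inaccurate risk assessment. Extending the same loop to assert that every risk in the risk register references an `asset_id` that exists here is the natural next check.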
Who should the asset owner be and what are their ISO 27001 responsibilities?
The owner is not necessarily the legal or physical holder of the asset, but the person with the responsibility and the matching authority to ensure that, at a minimum:
- Assets are inventoried;
- Assets are correctly classified and protected;
- Access restrictions to the asset and its classification are periodically reviewed; and
- Assets are handled correctly when being deleted or destroyed.
Day-to-day asset management tasks (updating the inventories, carrying out audits, etc.) can be delegated, but ultimate responsibility for ensuring the asset is managed correctly stays with the asset owner.
It is also the asset owner who sets the protection requirements for the asset, such as access restrictions, in line with organisational policies and standards.
How does the ISO 27001:2013 asset inventory relate to GDPR?
To comply with the General Data Protection Regulation (GDPR), an organisation must maintain records of its processing activities (Article 30), which in practice means knowing which systems hold and process personal data. GDPR also requires that the risks to personal data are identified, assessed and treated with appropriate security measures. Following the ISO 27001:2013 approach to assets and risk assessment therefore lets you encompass the GDPR requirements within the same inventory and risk register, provided personal data is identified as an information type against each relevant asset.
Should you use a template or tool to manage your asset inventory?
There are many example templates for asset inventories or registers available, and most follow a simple spreadsheet layout that is just as easy to build yourself.
However, a spreadsheet is a static document. Spreadsheets are fine for financial modelling and basic record-keeping, but they are poor at demonstrating how each asset links to the identified risks, the relevant policies and controls, and the other dynamic work of an ISMS.
A good technology tool for asset inventories will come pre-configured, with the option to customise it to suit your own classifications, and will let you assign owners, due dates and reminders and capture all the required evidence in one secure location.
Finally, the best tools make it easy to link each asset to the risks on your risk treatment plan, to your ISMS controls, to your supply chain and to any other actions in the ISMS that demonstrate your assets are well protected.
In ISMS.online, this same linking takes you on a simple journey from information asset, to risk, to the controls needed to treat the risk, and then dynamically from the control to updating the Statement of Applicability with the justification for its implementation.
So, building your own asset spreadsheet may have no perceived cost, but it carries the challenge of much higher management and coordination effort with the other parts of the ISMS, especially if you are aiming for ISO 27001 certification. Alternatively, you could invest heavily in a specialist asset management tool and get lost in its detail and depth, only to find that information asset management becomes a full-time job in its own right. Ultimately, neither of these solutions gives you