ISO 27001 is all about information security, so people usually think it's IT-focused. Up to a point, that's true. But working through the standard can have much wider implications. We see it as a way of fine-tuning your whole organisation's way of working.
We’re launching a series of blog posts highlighting some of the standard’s most practical recommendations. We’re starting with ISO 27001’s Annex A.8, which is all about information assets.
It’ll help you do far more than just make sure your digital storage systems are secure. We’ll give you the ISO 27001 perspective on:
- What information assets are
- Why you need to keep them safe
- How you protect them (and any portable media they’re stored on)
So what is an information asset?
Most people assume it’s just a list of the hardware your organisation owns. But it’s actually any information that has value to your organisation, no matter where or how it’s stored, or what form it takes.
Why do I need to keep my information assets safe?
Some information assets are very obviously important. If a virus attacked your financial records, you’d have big problems.
Others are less obvious, but still essential. Imagine what would happen if a virus corrupted all your branded document templates. Anything you sent out, from an email to a new business proposal, would look very amateurish until your designers replaced them.
And information assets don’t have to be digital. Perhaps there’s only one person who really understands your payroll system. If they leave, the end of every month will suddenly become a lot harder. Their payroll knowledge is a vital information asset.
Or maybe your organisation owns a patent that’s about to expire. If you can’t renew it, you’ll lose an important competitive advantage. That patent is also an information asset you need to protect.
How do I protect my information assets?
Start by defining what you need to protect. Create an information asset inventory. For each asset make a note of:
- Who’s responsible for it
- What it can be used for
- How it’s returned if its owner leaves
Once that’s done, work out how much and what sort of protection each asset needs. ISO 27001 recommends a three-stage process.
First of all, classify each of your information assets by their:
- Any legal requirements to handle them in particular ways
- Financial value and importance to your organisation
- Potential for damaging your organisation if shared or modified without permission
Then create a labelling system to make sure your colleagues or suppliers always understand:
- When they’re dealing with an information asset
- What kind of information asset it is
Finally, tell people how to use and look after them. Create and share policies for handling your organisation’s different asset types. Clearly link those policies to your labelling system.
What about assets stored on portable media?
Portable media like phones, laptops or memory sticks can be easily lost, stolen or forgotten. You need to make sure people look after them as well as the assets they hold.
For each piece of removable media, pin down how you’ll:
- Classify and manage it
- Protect it while it's in transit
- Safely dispose of it when it’s no longer needed
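As an added example that is not part of the original post, here is how the inventory, three-stage classification and portable-media steps above could be captured in a small script. The 1-to-3 rating scale, the label names, the handling-policy text and the sample assets are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed scale: each criterion is rated 1 (low) to 3 (high); the label
# follows the highest rating so no single aspect is under-protected.
LABELS = {1: "INTERNAL", 2: "CONFIDENTIAL", 3: "RESTRICTED"}

# Assumed handling policies, keyed by label so every label links to a policy.
HANDLING_POLICY = {
    "INTERNAL": "Share within the organisation; no special storage controls.",
    "CONFIDENTIAL": "Need-to-know only; encrypt when stored on portable media.",
    "RESTRICTED": "Named recipients only; encrypt at rest and in transit; log access.",
}

@dataclass
class Asset:
    name: str
    owner: Optional[str]              # who is responsible for it
    permitted_use: str                # what it can be used for
    return_procedure: Optional[str]   # how it is returned if the owner leaves
    legal_sensitivity: int            # legal need for particular handling
    financial_value: int              # financial value / importance
    disclosure_impact: int            # damage if shared or changed without permission
    portable_media: bool = False      # phone, laptop, memory stick, etc.
    disposal_procedure: Optional[str] = None  # required for portable media

def classify(asset: Asset) -> str:
    score = max(asset.legal_sensitivity, asset.financial_value, asset.disclosure_impact)
    if score not in LABELS:
        raise ValueError(f"{asset.name}: ratings must be between 1 and 3")
    return LABELS[score]

def handling_policy(asset: Asset) -> str:
    return HANDLING_POLICY[classify(asset)]

def inventory_gaps(assets) -> dict:
    """Names of assets whose inventory record is missing something the post says to note."""
    gaps = {}
    for a in assets:
        missing = [f for f, v in (("owner", a.owner), ("return procedure", a.return_procedure)) if not v]
        if a.portable_media and not a.disposal_procedure:
            missing.append("disposal procedure")
        if missing:
            gaps[a.name] = missing
    return gaps

# Constructed sample inventory (not from the post).
SAMPLE_INVENTORY = [
    Asset("Financial records", "Finance lead", "Accounting and audit", "Handover to deputy", 3, 3, 3),
    Asset("Branded templates", "Design team", "Outgoing documents", None, 1, 2, 2),
    Asset("Payroll know-how", None, "Monthly payroll run", None, 2, 2, 1),
    Asset("Sales laptop", "Sales rep", "Customer visits", "Return to IT", 2, 2, 2, portable_media=True),
]
```

Running `inventory_gaps(SAMPLE_INVENTORY)` flags the templates (no return procedure), the payroll knowledge (no owner or return procedure) and the laptop (no disposal procedure), which is exactly the kind of gap an asset review should surface.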
What does all that add up to?
We hope you now understand what information assets are, and why and how to protect them. You’ve also seen how ISO 27001 approaches them. The standard’s guidance is actually quite simple, though it can be challenging to bring to life for a complex organisation.
That should give you a useful new perspective on your own organisation’s information assets, and any systems that protect them. It’ll give you a taste of how working towards ISO 27001 compliance or certification could have wide-ranging benefits for your organisation.
It might also be a bit daunting! Working towards ISO 27001 can be a big challenge. But we’re very used to helping people to ISO 27001 success. If you’ve got a moment, we’d love to show you how simple that could be and what it could do for your organisation.