The 2013 version of the ISO 27001 standard introduced a distinct change: the scope of assets now covers information assets as well as physical assets. An asset is anything of value to the organisation where information is stored, processed or accessed. The information itself is of primary interest, less so the network or device that holds it, although those are clearly still assets and need to be protected:
- Information (or data)
- Intangibles – such as IP, brand and reputation
- People – Employees, temporary staff, contractors, volunteers etc
And the physical assets associated with their processing and infrastructure:
- Hardware – Typically IT servers, network equipment, workstations, mobile devices etc
- Software – Purchased or bespoke software
- Services – The actual service provided to end-users (e.g. database systems, e-mail etc)
- Locations & Buildings – Sites, buildings, offices etc
Any type of asset can be grouped together logically according to a number of factors such as:
- Classification – e.g. public, internal, confidential etc
- Information type – e.g. personal, personal sensitive, commercial etc
- Financial or non-financial value
An auditor will expect to see an inventory, or inventories, that cover all the relevant assets within the scope of the ISMS. Each asset must be assigned an owner and each must be assigned a classification.
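The inventory checks described above (every in-scope asset has an owner and a classification, and assets can be grouped by classification or information type) can be scripted. The following is an added example, not code from the original page; the asset names, owners and the `in_scope` flag are constructed for illustration, and the classification and information-type labels are the ones the page lists.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Labels taken from the page's grouping factors; "none" is an assumed
# value for assets that carry no information of a listed type.
CLASSIFICATIONS = {"public", "internal", "confidential"}
INFORMATION_TYPES = {"personal", "personal sensitive", "commercial", "none"}


@dataclass
class Asset:
    name: str
    asset_type: str                 # information, hardware, software, service, location, ...
    owner: Optional[str]
    classification: Optional[str]
    information_type: str = "none"
    in_scope: bool = True           # inside the ISMS scope (assumed field)


def audit_inventory(assets: List[Asset]) -> List[Tuple[str, str]]:
    """Return (asset name, problem) pairs an auditor would flag."""
    findings = []
    for a in assets:
        if not a.in_scope:
            continue                # out-of-scope assets are not audited
        if not a.owner:
            findings.append((a.name, "no owner assigned"))
        if a.classification not in CLASSIFICATIONS:
            findings.append((a.name, f"classification missing or unknown: {a.classification!r}"))
        if a.information_type not in INFORMATION_TYPES:
            findings.append((a.name, f"unknown information type: {a.information_type!r}"))
    return findings


def group_by(assets: List[Asset], field: str) -> Dict[Optional[str], List[str]]:
    """Group in-scope asset names by one of the page's factors, e.g. 'classification'."""
    groups: Dict[Optional[str], List[str]] = defaultdict(list)
    for a in assets:
        if a.in_scope:
            groups[getattr(a, field)].append(a.name)
    return dict(groups)


def personal_data_systems(assets: List[Asset]) -> List[str]:
    """The GDPR view: in-scope assets that hold or process personal data."""
    return sorted(a.name for a in assets
                  if a.in_scope and a.information_type.startswith("personal"))


# Constructed sample inventory (not real systems or people).
SAMPLE_INVENTORY = [
    Asset("Customer database", "information", "Head of Sales", "confidential", "personal"),
    Asset("Payroll records", "information", None, "confidential", "personal sensitive"),
    Asset("Public website content", "information", "Marketing Lead", "public", "commercial"),
    Asset("File server FS01", "hardware", "IT Manager", None),
    Asset("Old test laptop", "hardware", None, None, in_scope=False),
]

if __name__ == "__main__":
    for name, problem in audit_inventory(SAMPLE_INVENTORY):
        print(f"FINDING: {name}: {problem}")
    print("By classification:", group_by(SAMPLE_INVENTORY, "classification"))
    print("Personal-data systems:", personal_data_systems(SAMPLE_INVENTORY))
```

Running it reports the two gaps an auditor would raise (an asset with no owner and one with no classification) while ignoring the out-of-scope laptop, and lists which assets belong in the GDPR inventory of systems processing personal data.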
To comply with the General Data Protection Regulation (GDPR), an organisation must keep an inventory of the systems that hold and process personal information. GDPR also requires that the risks surrounding personal data are identified, assessed and treated, so an organisation that follows the ISO 27001:2013 approach to assets and risk assessment can readily extend it to cover the GDPR requirements too.
Many example templates for asset inventories/registers are available. They follow a simple spreadsheet approach, which is just as easy to build yourself.
However, a spreadsheet is a static document. Spreadsheets are great for financial modelling and the basics, but they are not so good at demonstrating how an asset links to the identified risks, the relevant policies and controls, or the other dynamic work of an ISMS.
A good technology tool for asset inventories will come pre-configured, with the option to customise it to suit your own classifications; it will let you assign owners, due dates and reminders, and capture all the evidence required in one secure location.
Attached is a sample application.