ISO 27001 - Asset Inventory Solution Design Discussion

The 2013 version of the ISO 27001 standard introduced a distinct change to include information assets as well as physical assets. This includes anything of value to the organisation where information is stored, processed or accessed, but it is the information that is of real interest, less so the network or device, although clearly those are still assets and need to be protected:

  • Information (or data)
  • Intangibles – such as IP, brand and reputation
  • People – Employees, temporary staff, contractors, volunteers etc

And the physical assets associated with their processing and infrastructure:

  • Hardware – Typically IT servers, network equipment, workstations, mobile devices etc
  • Software – Purchased or bespoke software
  • Services – The actual service provided to end-users (e.g. database systems, e-mail etc)
  • Locations & Buildings – Sites, buildings, offices etc

Any type of asset can be grouped together logically according to a number of factors such as:

  • Classification – e.g. public, internal, confidential etc
  • Information type – e.g. personal, personal sensitive, commercial etc
  • Financial or non-financial value

An auditor will expect to see an inventory, or inventories, that cover all the relevant assets within the scope of the ISMS. Each asset must be assigned an owner and each must be assigned a classification.

To comply with the General Data Protection Regulation (GDPR), an organisation must keep an inventory of systems that hold and process personal information. It also requires that the risks surrounding personal data are identified, assessed and treated, so an ISMS that follows the ISO 27001:2013 approach to assets and risk assessment can easily be aligned to incorporate the GDPR requirements too.

There are many example templates for asset inventories/registers available, and these follow a simple spreadsheet approach which is just as easy to build yourself.

However, a spreadsheet is a static document and, whilst spreadsheets are great for financial modelling and basic stuff, they are not so good for demonstrating how an asset links to the identified risks, the relevant policies and controls, or the other dynamic work of an ISMS.

A good technology tool for asset inventories will come pre-configured, with the option to customise it to suit your own classifications, allow you to assign owners, due dates and reminders, and capture all the evidence required in one secure location.

Attached is a sample application.

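As an added example, not code from the original post or from Metrici, the following Python script runs the cross-checks the post's audit requirements imply over a small asset register and the risk register it links to: every in-scope asset has an owner and a recognised classification, every linked risk actually exists, every asset holding personal data has at least one assessed risk, and every risk is treated by at least one control. Both registers are constructed CSV text; their column names, asset and risk IDs and rows are assumptions made for this example, and the control references are ISO 27001:2013 Annex A numbers used as sample control IDs.

```python
"""Cross-checks over an asset register and its linked risk register.

Constructed sample data only: the column names, asset and risk IDs and
sample rows are assumptions made for this example, not a Metrici export.
The control references are ISO 27001:2013 Annex A numbers used as sample
control IDs.
"""
import csv
import io
from collections import defaultdict

# Classification scheme assumed for the example; tailor to your own.
ALLOWED_CLASSIFICATIONS = {"public", "internal", "confidential"}

# Constructed asset register. risk_ids links an asset to the risks
# assessed against it (semicolon-separated), a link a flat spreadsheet
# row cannot validate on its own.
ASSETS_CSV = """\
asset_id,name,type,owner,classification,information_type,risk_ids
A1,Customer database,Service,DBA team lead,confidential,personal,R1;R2
A2,Marketing website,Service,Web team lead,public,commercial,
A3,HR file share,Hardware,,confidential,personal sensitive,R3
A4,Payroll SaaS,Software,Finance manager,restricted,personal,
A5,Head office,Locations & Buildings,Facilities manager,internal,commercial,R4
"""

# Constructed risk register. control_ids links each risk to the controls
# that treat it (Annex A references used as sample IDs).
RISKS_CSV = """\
risk_id,description,control_ids
R1,Unauthorised access to customer records,A.9.2.3;A.9.4.1
R2,Loss of customer records through backup failure,A.12.3.1
R3,Disclosure of HR records,
R4,Unauthorised physical entry to head office,A.11.1.2
"""


def parse_table(text):
    """Parse a CSV string into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def split_ids(field):
    """Split a semicolon-separated ID list, ignoring blanks."""
    return [part.strip() for part in (field or "").split(";") if part.strip()]


def check_register(assets, risks):
    """Return (record_id, finding) pairs for anything an auditor would flag.

    Checks: every asset has an owner and a known classification, every
    linked risk exists, every asset holding personal data has at least one
    assessed risk, and every risk is treated by at least one control.
    """
    findings = []
    known_risks = {r["risk_id"] for r in risks}
    for a in assets:
        aid = a["asset_id"]
        if not a["owner"].strip():
            findings.append((aid, "no owner assigned"))
        if a["classification"].strip().lower() not in ALLOWED_CLASSIFICATIONS:
            findings.append((aid, f"unknown classification {a['classification']!r}"))
        linked = split_ids(a["risk_ids"])
        for rid in linked:
            if rid not in known_risks:
                findings.append((aid, f"links to unknown risk {rid}"))
        if a["information_type"].startswith("personal") and not linked:
            findings.append((aid, "holds personal data but no risk is linked"))
    for r in risks:
        if not split_ids(r["control_ids"]):
            findings.append((r["risk_id"], "no treating control linked"))
    return findings


def group_by_classification(assets):
    """Group asset IDs by classification, as an auditor's summary view."""
    groups = defaultdict(list)
    for a in assets:
        groups[a["classification"]].append(a["asset_id"])
    return dict(groups)


def assets_for_risk(assets, risk_id):
    """Reverse link: which assets are exposed to a given risk."""
    return [a["asset_id"] for a in assets if risk_id in split_ids(a["risk_ids"])]


if __name__ == "__main__":
    assets = parse_table(ASSETS_CSV)
    risks = parse_table(RISKS_CSV)
    for record_id, finding in check_register(assets, risks):
        print(f"{record_id}: {finding}")
    print(group_by_classification(assets))
    print("assets exposed to R1:", assets_for_risk(assets, "R1"))
```

Run as a script it reports, for the constructed data, that A3 has no owner, that A4 uses a classification outside the agreed scheme and holds personal data with no linked risk, and that R3 has no treating control. The reverse lookup (which assets a given risk touches) is the link-walking a static spreadsheet only gives you through manual cross-referencing; any tool that exports its registers as CSV can be checked the same way.
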
I am currently in the process of interpreting and loading the Schema.org schemas into Metrici. It will be useful to see if these could be the basis for an asset inventory, where all the fields conform to this well-known standard. I think that could be appealing to a wide audience, and standardised definitions would be a strong feature of any such system. Once we have the schema converted into Metrici types and fields, we can perform a gap analysis to see what can be used from schema.org.

Does the link on this email work?