Governance, Risk Management and Compliance
|
Information Security
|
ISO 27001
BLOGS

How Do You Meet the Asset Management Requirements of IS0 27001?

|
|
|
TRENDING
PUBLISHED on
19
July
2022
Table of contents
SUMMARY

In order to meet the requirements of ‘Asset management’ A.8 from Annex A of ISO 27001, it is necessary to identify organisational assets and define appropriate protection responsibilities, as well as ensuring that information receives an appropriate level of protection in accordance with its importance to the organisation.

Establishing Asset Registers

When compiling your asset registers or inventories, it is recommended that you record the following information for each information asset:

  • Asset type
  • Asset owner
  • Asset classification
  • Asset location
  • Asset impact levels in relation to confidentiality, integrity and availability

Establishing Asset Types

URM suggests the following basic segregation of assets:

  • Information assets
  • Supporting assets
    –  hardware
    –  software
    –  people
    –  buildings
  • Intangible assets (e.g., brand and reputation).

Identifying Asset Owners

In the process of identifying asset owners, it is important to identify a functional role that has oversight of specific types of assets.  

Asset owners are responsible for:

  • Identifying risks to the asset type
  • Providing guidance and instructions on how the asset should be used.
  • Identifying levels of protection required depending on the asset classification.
  • Implementing and verifying the effectiveness of security controls in respect of that asset type.

Assigning Asset Classifications

Depending on the organisational structure, it would typically be the asset owner who would decide asset classification.  The classification must be approved by top management and the criteria for protection of assets must be in line with their criticality.

Assigning Impact Levels

As with classification, impact levels need to be assigned by the asset owner.  Determining the impact levels of assets can be relatively complex, but in essence, the impact level will be inherited by the information contained on or within the asset.

Learn more
Learn more
Learn more

Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification
Recent blogs
Analysis of Enforcement Action by the ICO in 2025 – Actions Way Down, Security Data Breach Fines Way Up
Ten Top Tips for Achieving GDPR Compliance
Minimising the Impact When a Breach Occurs
Strengthening Your Cyber Defences: Practical Steps for Every Business
ISO 27001 Control 8.17: Why Clock Synchronisation Is Critical for Security and Conformance
How URM can help?
Consultancy
Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification

Read more
Consultancy
Assess Your DORA Compliance Readiness

Unsure whether your ICT risk framework meets DORA standards? Our experts will carry out a detailed gap analysis and provide clear, prioritised steps to help you achieve full compliance.

Read more
Consultancy
Understand the 5 Pillars of DORA

Our consultants will evaluate your organisation against DORA’s core requirements. Gain practical insights to strengthen your digital resilience and meet regulatory expectations.

Read more
URM is renowned for helping organisations to achieve the optimum balance when implementing an ISMS.
Find out more
related BLog posts
Thumbnail of the Blog Illustration
Information Security
Published on
16/12/2025
ISO 27001 Control 8.17: Why Clock Synchronisation Is Critical for Security and Conformance

Read URM’s blog, where we explore the importance of clock synchronisation for cyber security and resilience, and how to meet the requirements of Control 8.17.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
27/7/2022
How Do You Go About Your ISO 27001 Information Classification?

This blog talks about information classification. So, what exactly do we mean by information classification?

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
18/7/2025
ISO 27001:2022 - A.5 Organisational Controls (Business Continuity)

URM’s blog explores the ISO 27001 business continuity controls, why they matter, & how they can be effectively implemented to ensure conformance to the Standard

Read more
"
Leanr more about
URM Services
I am pleased to share my experience with the Cyber Essentials Plus (CE+) Scheme. This certification has been invaluable to Case Pilots in helping us protect ourselves from cyber threats. The comprehensive and user-friendly process provided by URM Consulting gave me a deep understanding of the latest threats, vulnerabilities and best practices in cyber security. The assessors were highly knowledgeable, experienced and able to explain each step of the process clearly and concisely. What I particularly appreciated about the CE+ scheme was its relevance to the real world. The training covered not only the fundamental principles, but also advanced techniques and strategies that are used by professionals to protect their systems and data. Achieving the certification demonstrates to our clients that we are committed to cyber security and that we have the knowledge and skills to protect their data. I highly recommend the Cyber Essentials Plus Scheme to any organisation that is serious about cyber security.
Clinton Smith, Case Pilots
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.