How Do You Meet the Asset Management Requirements of IS0 27001?
PUBLISHED on
19
July
2022
In order to meet the requirements of ‘Asset management’ A.8 from Annex A of ISO 27001, it is necessary to identify organisational assets and define appropriate protection responsibilities, as well as ensuring that information receives an appropriate level of protection in accordance with its importance to the organisation.
Establishing Asset Registers
When compiling your asset registers or inventories, it is recommended that you record the following information for each information asset:
- Asset type
- Asset owner
- Asset classification
- Asset location
- Asset impact levels in relation to confidentiality, integrity and availability
Establishing Asset Types
URM suggests the following basic segregation of assets:
- Information assets
- Supporting assets
– hardware
– software
– people
– buildings - Intangible assets (e.g., brand and reputation).
Identifying Asset Owners
In the process of identifying asset owners, it is important to identify a functional role that has oversight of specific types of assets.
Asset owners are responsible for:
- Identifying risks to the asset type
- Providing guidance and instructions on how the asset should be used.
- Identifying levels of protection required depending on the asset classification.
- Implementing and verifying the effectiveness of security controls in respect of that asset type.
Assigning Asset Classifications
Depending on the organisational structure, it would typically be the asset owner who would decide asset classification. The classification must be approved by top management and the criteria for protection of assets must be in line with their criticality.
Assigning Impact Levels
As with classification, impact levels need to be assigned by the asset owner. Determining the impact levels of assets can be relatively complex, but in essence, the impact level will be inherited by the information contained on or within the asset.
How URM can help?
Consultancy
Assess Your DORA Compliance Readiness
Unsure whether your ICT risk framework meets DORA standards? Our experts will carry out a detailed gap analysis and provide clear, prioritised steps to help you achieve full compliance.
Read more
Consultancy
Understand the 5 Pillars of DORA
Our consultants will evaluate your organisation against DORA’s core requirements. Gain practical insights to strengthen your digital resilience and meet regulatory expectations.
Read more
Consultancy
Achieve Full DORA Compliance with Confidence
Close your compliance gaps with expert support. We’ll deliver tailored, actionable recommendations to ensure you meet DORA requirements and protect your operations.
Read more
We will ensure you never become a ‘slave to the Standard’ and your ISMS is something which can easily be maintained and improved.
Find out more
related BLog posts
Information Security
Published on
20/9/2024
ISO 27002, the Unsung HeroURM’s blog explains what ISO 27002 is, how it can benefit your organisation, & how you can use it to support your implementation of an ISO 27001-conformant ISMS
Read more
Information Security
Published on
5/11/2024
Developing an ISO 27001 Information Security PolicyURM’s blog discusses how to develop and implement an information security policy that fully conforms to both your organisation’s and ISO 27001 requirements.
Read more
Information Security
Published on
27/7/2022
Difference Between Certified and Compliant ISO 27001 ISMSThere is some confusion about the difference between having an ISMS which is certified to ISO 27001 and one which is compliant or aligned to the Standard.
Read more
Helpful synopsis of current issues and gaps (which I agree with!). Thank you
Webinar 'GDPR - Back to Basics'
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.