Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first

ISO 27001 Annex A.8: Asset Management

Asset management in ISO 27001 aims to identify relevant company assets and assign roles to manage their security, the designated person must also know how to handle these assets based on predefined guidelines.

A.8.1 Responsibility of asset

The aim here is to identify appropriate information assets related to the ISMS and assign various responsibilities to ensure their protection.

A.8.1.1: Inventory of assets

An inventory of all the assets associated with information and information facilities in your organization must be recorded. The assets should be considered throughout their life cycle. In other words, an asset is recorded from its moment of creation while it is being processed, stored, passed on, deleted and then destroyed.

Remember that computers, hardware brandmarks, staff, client details, and intellectual property are all relevant assets for information security with each asset having an owner, confirming its inventory classification, revision and protection.

Assets need to be assessed in terms of its usefulness to your company. Understand how this item important and group asset is according to their nature. They may be physical, digital, intangible etc. It must also have a category that should be done based on their legal and financial value and the level of threats involved with their use.

Ensure that your inventory is well labelled, updated, free of errors and compliant with other records available. Asset inventories are also valuable for those interested in the general data protection regulation (GDPR) as the standard requires a record of all personally identifiable assets and the risks associated with them. These are all included in the asset inventory and risk management section of your ISMS.

A.8.1.2.: Ownership of assets

As stated before, the asset owners are the person deemed responsible for maintaining its good standing. Some assets have departmental owners while others are more specific items and have individual ownership. Though the owner may change throughout the life cycle, the responsibilities will be the same. The beauty of team effort is that the work gets shared so while the asset owners is responsible for monitoring its status, they can appoint others to take care of some of those tasks.

A.8.1.3: Acceptable use of assets

Not all employees, contractors or third parties should have access to every piece of company information. In. An acceptable use policy defines the terms for each of these individuals to gain access to specific information assets and the rues related to the use of these assets. The details of this regulation should be spread across the board so that all associates receive a copy.

A.8.1.4: Return of assets

This section coincides with terms implemented in annex A.7.3, A.13.2.4 and A.15. All assets formally under the possession of an employee, contractor or third party must be returned to the company upon termination of their contract. This must be formally documented to show details and if an asset has not returned, the owner must record it as a security incident, which will be addressed using A.16(incident management).

Sadly, this is a common issue with the return of assets policies, hence the need for constant revisions and audits to improve the information security system.

A.8.2 Classification

All forms of information should receive an adequate level of protection based on their value to your organization.

A.8.2.1: Classification of information

Information assets should be classified according to at least the following criteria:

  • Financial value
  • Legal obligation
  • Sensitivity or risk level?
  • What would the implication of its disclosure mean to you?

Management can opt to add more categories to the criteria to make classification easier, all conditions, however, should refer back to the importance of the asset for your business needs. The asset owner will use this checklist and the threat or vulnerability information gathered from your risk assessment to classify the item.

Different firms have different classification standards generally, they follow the top-down structure. 1. Confidential, 2. Restricted, 3. Internal use, 4. Public. If your company works with multiple third-party sectors, you may perform an individual classification for each scenario.

A.8.2.2: Labelling of information

Typically, asset owners will also be responsible for correctly labelling their items. You should create a system of labelling that goes hand-in-hand with your classification guidelines, for example, the owner of specific medical documentation will then list it as confidential.

Decide upon a standard for labelling assets as well. You could opt to have all owners insert their listings at a particular position on all items. You could also add specifications for all items under a particular category to use a de facto label, for example, all legal assets, regardless of their nature, will automatically be considered restricted. Other assets will need a labelling criterion to identify their correct classification and label.

A.8.2.3: Handling of assets

This is the part that takes the most time when dealing with assets, your ISMS must contain guidelines on how to protect and preserve company information. They must have assigned different conditions to store specific data types, for example, internal use paper files can be kept in locked airtight cabinets within their departments.

Consider setting restrictions for persons allowed to handle these records and there should also be regulations in place for those who are authorized to transfer this kind of information.

  • What is the safest way to have these data transmitted from one party to another?
  • How will you safeguard that transmission?

If your data transfer involves a transaction, say, via a postage service, a good idea would be to request a receipt. Document all these stipulations in your company’s information classification policy.

A.8.3 Media Handling

As the owner of confidential data, it is your duty to ensure that all media is protected from unauthorized disclosures, changes, deletion, or destruction.

A.8.3.1: Management of removable media

People only get rid of things that are worthless, right?

Not quite. You’ve probably heard of the saying one man’s trash is another man’s treasure. It’s common for companies to deem equipment and other assets not useful once they have been a few years on the shelf or a new update arrives.

But have you ever wondered if your files were wiped from that old system?

How can you guarantee that your data is still safe and only within the bounds of your organization, carelessness can cost you your reputation and the lives of thousands of others?

Working in conjunction with annex A.11.2.7, which states that every piece of stored media must be examined to confirm that it is rid of any delicate information before disposal or reuse.

An appropriate disposal and destruction policy will cover the bases for rendering media reusable for the business. All media, including those recovered, should be stored safely and securely as directed by their respective manufacturers, if it is no longer viable, it must be securely removed, deleted and permanently erased.

A.8.3.2: Disposal of media

The following guidelines should be included in the disposal and destruction policy of every company to reduce the risk of unauthorized parties gaining access to confidential data.:

  1. Adequate procedures should be documented by management on how to identify items needing proper disposal. The more confidential the data, the more urgent the need to dispose of it securely.
  2. In some circumstances, it might be simpler to collectively destroy different media than to single out each kind for disposal.
  3. All media containing confidential data must be appropriately destroyed using a shredder or incinerator. If the media is to be reused by the organization, the data must first be erased from its memory.
  4. Some companies offer to handle media disposal for external firms, if this interests you, be very cautious when choosing an experienced company to deal with your confidential data records.
  5. You must take inventory of all disposed of confidential records, especially for regulatory and audit purposes.

A.8.3.3: Physical Media transfer

All media storage devices containing delicate information must be protected against unauthorised access, misuse or corruption when being transferred.

Consider the following:

  1. Only experienced couriers with a track record for reliability should be used and a list of authorized couriers and transports should be documented for reference.
  2. . Packaging should provide media with enough protection to safeguard them against damage during transportation facilitated in compliance with the regulations indicated by their manufacturers.
  3. A log should be kept of all media, in-transit or transferred.