When it comes to implementing ISO 27001, businesses need to provide a complete asset register as part of their information security management system (ISMS). Having an up-to-date ISO 27001 compatible asset register allows you to undertake risk assessments and delegate tasks to ensure each asset is safely managed and risks are suitably controlled. This also acts as evidence, showing your external auditor that your business protects and preserves its assets and is continually working to mitigate risk. In short, your asset register is a crucial part of your ISMS and is a key component when being assessed for ISO 27001 certification.
Which assets should I include?
You should include both physical and informational assets in your asset inventory, in line with the standard’s focus on information security and risk management. This means you should include assets such as data and intellectual property as well as physical assets like your offices, laptops and computers. A list of asset types we recommend including in your ISO 27001 asset register, no matter your business or industry, is below:
- Physical security systems;
- Licenses;
- Removable media;
- Electronic documentation;
- Physical documentation;
- System software;
- Network equipment;
- Networks;
- Furniture;
- Application software;
- Critical business data;
- Websites and webpages;
- Mobile phones;
- Desktop phones;
- Personnel;
- IP;
- Contracts and agreements;
- Electronic documentation;
- Electronic correspondence;
- Physical correspondence;
- Hardware;
- Laptops;
- Desktop computers;
- Internal services;
- Removable media;
- Outsourced services;
- IP;
- Partnerships;
- Personally identifiable information (PII);
- Electrical equipment;
- Receipts, records and logs;
- Installations/buildings.
Please note that the above list is not exhaustive, so be sure to consider any other asset types associated with your business’s information and information facilities.
What should my ISO 27001 asset register look like?
Below, you’ll see an ISO 27001 asset register example as viewed on the Hicomply platform. The asset name, type, location and owner are all visible, which allows an external auditor to assess your business against Annex A.8.1.1 – ensuring that your register is well-labelled, updated, free of errors and compliant with any other records available.
This can be a difficult task due to the constantly evolving nature of a business’s information and the assets themselves. Hicomply’s information asset management module allows assets to be quickly loaded into your workspace from your own list or our comprehensive library, with locations, asset details and ownership clearly identified. Once you have loaded your assets into the ISO 27001 asset register on the platform, the Hicomply software can also link your assets to other functionalities, such as policy and procedure documentation.
A step closer to implementing ISO 27001
Your asset register is complete, what’s the next step? You can now move on to step four of our six steps to success guide: undertaking risk assessment and task management. This involves assessing the level of risk to each asset and assigning tasks to specific users, or even every user in your business, to ensure appropriate controls are in place.
Ready to automate the administration of your ISMS and achieve ISO 27001 certification with Hicomply? Book your demo today.
