ISO 27001:2022 A 5.9 Inventory of information and other associated assets

Uncategorized 10 Minutes

Audio version of the article

An asset is an item of value. An asset is defined as “Any item of economic value owned by an individual or corporation”. An information asset management has a long history in business continuity planning (BCP), disaster recovery (DR), and incident response planning. The first step in any of those processes involves identifying critical systems, networks, databases, applications, data flows and other components that need protection. If you do not know what needs protecting or where it resides, then you cannot plan for how to protect it. Asset and data management is based on the idea that it is important to identify, track, classify, and assign ownership for the most important assets in the organization to ensure they are adequately protected. Tracking inventory of IT hardware is the simplest example of asset management.The purpose of this control is to identify the organisation’s information and other associated assets in order to preserve their information security and assign appropriate ownership. The control requires taking an inventory of all information and other associated assets, classifying them into distinct categories, identifying their owners, and documenting the controls that are or should be in place. This is a crucial step toward ensuring that all information assets are adequately protected.

.An inventory of information and other associated assets is a list of everything an organisation stores, processes, or transmits. It also includes the location and security controls for each item. The goal is to identify every single piece of data. This is a list of information assets that an organisation owns, including fixed assets such as property and equipment, as well as intangible assets such as personal data. Creating such an inventory is essential for managing assets and, by extension, mitigating against information security risks. This can be used to identify gaps in the Information security program and identify vulnerabilities during the risk assessments that could lead to a breach. It can also be used as evidence during compliance audits that you’ve done due diligence in identifying your sensitive data, which helps you avoid fines and penalties. The inventory of information assets should also include details of who owns each asset and who manages it. It should also include information about the value of each item in the inventory and how critical it is to the success of the organisation’s business operations. It is important that inventories are kept up-to-date so that they reflect changes within the organisation.

Control

An inventory of information and other associated assets, including owners, should be developed and maintained.

Purpose

To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership.

ISO 27002 Implementation Guidance

Inventory

The organization should identify its information and other associated assets and determine their importance in terms of information security. Documentation should be maintained in dedicated or existing inventories as appropriate. The inventory of information and other associated assets should be accurate, up to date, consistent and aligned with other inventories. Options for ensuring accuracy of an inventory of information and other associated assets include:

  1. conducting regular reviews of identified information and other associated assets against the asset inventory.
  2. automatically enforcing an inventory update in the process of installing, changing or removing an asset.

The location of an asset should be included in the inventory as appropriate. The inventory does not need to be a single list of information and other associated assets. Considering that the inventory should be maintained by the relevant functions, it can be seen as a set of dynamic inventories, such as inventories for information assets, hardware, software, virtual machines (VMs), facilities, personnel, competence, capabilities and records. Each asset should be classified in accordance with the classification of the information associated to that asset. The granularity of the inventory of information and other associated assets should be at a level appropriate for the needs of the organization. Sometimes specific instances of assets in the information life cycle are not feasible to be documented due to the nature of the asset. An example of a short-lived asset is a VM instance whose life cycle can be of short duration.

Ownership

For the identified information and other associated assets, ownership of the asset should be assigned to an individual or a group and the classification should be identified . A process to ensure timely assignment of asset ownership should be implemented. Ownership should be assigned when assets are created or when assets are transferred to the organization. Asset ownership should be reassigned as necessary when current asset owners leave or change job roles.

Owner duties

The asset owner should be responsible for the proper management of an asset over the whole asset life cycle, ensuring that:

  1. information and other associated assets are inventoried;
  2. information and other associated assets are appropriately classified and protected;
  3. the classification is reviewed periodically;
  4. components supporting technology assets are listed and linked, such as database, storage, software
    components and sub-components;
  5. requirements for the acceptable use of information and other associated assets are established;
  6. access restrictions correspond with the classification and that they are effective and are reviewed periodically;
  7. information and other associated assets, when deleted or disposed, are handled in a secure manner and removed from the inventory;
  8. they are involved in the identification and management of risks associated with their asset;
  9. they support personnel who have the roles and responsibilities of managing their information.

Other information

Inventories of information and other associated assets are often necessary to ensure the effective protection of information and can be required for other purposes, such as health and safety, insurance or financial reasons. Inventories of information and other associated assets also support risk management, audit activities, vulnerability management, incident response and recovery planning. Tasks and responsibilities can be delegated (e.g. to a custodian looking after the assets on a daily basis), but the person or group who delegated them remains accountable. It can be useful to designate groups of information and other associated assets which act together to provide a particular service. In this case, the owner of this service is accountable for the delivery of the service, including the operation of its assets. See ISO/IEC 19770-1 for additional information on information technology (IT) asset management. See ISO 55001 for additional information on asset management.

An organization should identify assets relevant in the life cycle of information and document their importance. The life cycle of information should include creation, processing, storage, transmission. deletion and destruction. Documentation should be maintained in dedicated or existing inventories as appropriate. The asset inventory should be accurate, up to date, consistent and aligned with other inventories. For each of the identified assets, ownership of the asset should be assigned and the classification should be identified. Inventories of assets help to ensure that effective protection takes place, and may also be required for other purposes. such as health and safety. insurance or financial (asset management) reasons. ISO provides examples of assets that might need to be considered by the organization when identifying assets. The process of compiling an inventory of assets is an important prerequisite of risk management.Individuals, as well as other entities having approved management responsibility for the asset life cycle, qualify to be assigned as asset owners. A process to ensure timely assignment of asset ownership is usually implemented. Ownership should be assigned when assets are created or when assets are transferred to the organization. The asset owner should be responsible for the proper management of an asset over the whole asset life cycle. The asset owner should:

  1. ensure that assets are inventoried.
  2. ensure that assets are appropriately classified and protected.
  3. define and periodically review access restrictions and classifications to important assets, taking into account applicable access control policies.
  4. ensure proper handling when the asset is deleted or destroyed.

The identified owner can be either an individual or an entity who has approved management responsibility for controlling the whole life cycle of an asset. The identified owner does not necessarily have any property rights to the asset. Routine tasks may be delegated e.g. to a custodian looking after the assets on a daily basis, but the responsibility remains with the owner. In complex information systems, it may be useful to designate groups of assets that act together to provide a particular service. In this case, the owner of this service is accountable for the delivery of the service, including the operation of its assets.

You need to identify the information and other associated assets within your organisation. Then you should determine the importance of these items in terms of information security. If appropriate, documentation should be maintained in dedicated or existing inventories. The approach to developing an inventory will vary depending on an organisation’s size and complexity, its existing controls and policies, and the types of information and other associated assets that it uses. The inventory of information and other associated assets should be accurate, up to date, consistent and aligned with other inventories. Options for ensuring accuracy of an inventory of information and other associated assets include:

  • conducting regular reviews of identified information and other associated assets against the asset inventory;
  • automatically enforcing an inventory update in the process of installing, changing or removing an asset.

The location of an asset should be included in the inventory as appropriate. Some organisations may need to maintain several inventories for different purposes. For example, some organisations have dedicated inventories for software licences or for physical equipment such as laptops and tablets. Others may have a single inventory that includes all physical equipment, including network devices such as routers and switches. It is important that any such inventories are regularly reviewed to ensure that they are kept up-to-date so that they can be used to assist with risk management activities.

In order to effectively manage an organization’s assets, you must first understand what assets you have and where your organization keeps them. Some asset examples are IT hardware, software, data, system documentation, and storage media. Supporting assets such as data center air systems, UPS’s, and services should be included in the inventory. All assets should be accounted for and have an owner. If improperly managed, assets can become liabilities.

  • Categorize your assets. Begin by defining distinct categories of the types of assets in the organization. Each category should have its own inventory or classification structure based on the assets that category may contain. (Category: Data Center Hardware)
  • Create a list of assets for each category. Creating a list of an institution’s assets and their corresponding locations is the beginning of your inventory. Often, the process of doing so helps identify additional assets that previously had not been considered.(Category: Data Center Hardware; Asset: Core Network Switches)
  • Add a location for each asset. The location could be a brick and mortar physical location such as a classroom, data center or office. It could also be collaborative research materials on a file share or financial information stored in a database. (Category: Data Center Hardware; Asset: Core Network Switches; Location: Room no 001)

Because assets can be many things and serve multiple functions, there will likely be more than one inventory process or system used to capture the range of assets that exist in an organization. Make sure you connect with other areas to see what form of hardware inventory already exists. Don’t start from zero. Each inventory system should not unnecessarily duplicate other inventories that may exist.

Asset Responsibility/Ownership
Once you have begun to capture an inventory of the potential assets and their locations, start identifying the responsible person for each asset. An owner is a person, or persons or department, that has been given formal responsibility for the security of an asset. The owner is responsible for securing the asset during the life cycle of the asset. At this juncture in the exercise, it is important to understand the distinction between the terms “owner” and “custodian” of assets. The custodian is responsible for ensuring that the asset is managed appropriately over its life cycle, in accordance with rules set by the asset owner. The custodian is often a subject matter expert (SME) or “owner” of the business process for a particular information asset. An owner of an information asset, Data Owners if you will have direct operational responsibility for the management of one or more types of data. Think of it in terms of an information security department. You have the “owner”, the person responsible for interpreting and assuring compliance. That would be the Director or CISO. Then there is the custodian, the person responsible for the day-to-day operations and management of the tools and processes that protect the information assets. Identifying the owners will help determine who will be responsible for carrying out protective measures, and responding to situations where assets may have been compromised. You will also quickly realize when it isn’t clear who the appropriate responsible party is or when shared responsibility may be an issue. (Category: Data Center Hardware; Asset: Core Network Switches; Location: Room no 01; Owner: Director XYZ) The owner of the assets should be able to identify acceptable uses or provide information on which policy governs its acceptable use. Work with the responsible owner, if need be, on acceptable uses. The acceptable uses should include items such as who assumes the risk of loss, gives access to the asset and how a critical asset is kept functional during or after a loss. Policies governing the use, preservation, and destruction of hardware may originate from your asset management office. Many organizations also find it helpful to document expectations for the acceptable and responsible use of information technology assets in an Acceptable and Responsible Use Policies.The asset owner should be responsible for the proper management of an asset over the whole asset life cycle, ensuring that:

  1. information and other associated assets are inventoried;
  2. information and other associated assets are appropriately classified and protected;
  3. the classification is reviewed periodically;
  4. components supporting technology assets are listed and linked, such as database, storage, software components and sub-components;
  5. requirements for the acceptable use of information and other associated assets (see 5.10) are established;
  6. access restrictions correspond with the classification and that they are effective and are reviewed periodically;
  7. information and other associated assets, when deleted or disposed, are handled in a secure manner and removed from the inventory;
  8. they are involved in the identification and management of risks associated with their asset(s);
  9. they support personnel who have the roles and responsibilities of managing their information.

Physical and Environmental Asset Importance
All assets add value to an organization. However, not all assets are created equal. Gaining a clear understanding of the relative importance of each asset when compared to other organizational assets is an essential step if you are to adequately protect your assets. The importance of an asset can be measured by its business value and security classification or label. Create a rating system for the asset. It can be as simple as (highest to lowest)

1 – critical is always available and protected
2 – very important this asset is available and protected
3 – important if this asset is available and protected
4 – good if this asset is available with minimal protection
Building on the previous example and adding a rating system, it would look like. (Category: Data Center Hardware; Asset: Core Network Switches; Location: Room no 01; Owner: Director XYZ; Rate: 1 (Critical)) A computer kept in a cafeteria for the purpose of recreation may have a lower score given it is good that the asset is available. The computer kept in the finance dept may be protected with anti-virus and firewall.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply