You will often hear us say that you cannot protect what you don’t understand. In part, this is what this control is all about. It’s about building an inventory (aka a ‘list’) of information and other associated assets.
But what does this mean in practice?
What does the standard require?
The standard states that “An inventory of information and other associated assets, including owners, should be developed and maintained.” (A5.9 Inventory of information and other associated assets)
What you’re being asked to produce here is a list of ‘assets’ that relate to information. Without this list you are clearly going to be at risk, because you won’t know where your data is and therefore cannot secure it.
It’s important to note that this control is looking for TWO things, not one. You need to identify ‘information and OTHER associated assets’. This means you need to consider both physical informational assets as well as technical assets. To keep things simple, your asset register should include the following:
· Laptops
· Mobile phones
· Servers
· Software licences
· Cloud services (Software As A Service (SaaS))
As always, it is important to note that you should not only develop this list, but it needs to be maintained. This means you need to devise a way to keep this information up to date (how regularly you do this depends on the size and complexity of your business).
Why is this required?
As we have already said: you can’t protect what you don’t understand. You need to know what is important to you and your business, and know where your information assets are, so that you can then identify the risks associated with these assets and apply appropriate security controls to them.
So what do you need to do? Where do we start?
It’s not as difficult as it may first appear.
What the auditor is looking for
The auditor will be looking for some form of asset inventory, list or register that is being maintained in a structured or regular way. They will also want to see that each asset has an assigned owner.
What you need to do
Start by identifying your most critical, and most obvious, assets. This would include:
Laptops
Mobile phones
Tablets
Servers
Printers
Use a spreadsheet to capture the name of the asset, any serial number they have, and the owner. It is not unusual for your IT function to have this information already, so this may be relatively easy to collect.
This list will prove invaluable when it comes to the exit process, which is covered in detail in “A5.11 Return of Assets” and “A6.5 Termination or change of employment responsibilities”.
Once you have collected this information, you should move on to collecting information about software licences in your business. Again, add these to your inventory and assign an owner to each. Provide a description of the asset so that you know what it relates to and can identify any risks associated with it.
The purpose of identifying assets is so that you know what is being used in your business, and you can understand the risks to it. With software assets, you might discover that you’re using an application or platform that is not supported or has come to ‘end of life’ which means that there are no further software or security updates provided.
If you've got this far, you're on a roll! You can continue to build your asset register with other assets that need to be catalogued and protected such as Intellectual Property. This could include patents, trademarks and designs etc.
In one organisation that we worked with, we carried out this review and collection of information, and after speaking to the IT team we discovered that an old version of Windows was still being used on a number of servers. This was due to proprietary software being developed which was built specifically for that platform. But this left the business at considerable risk. We needed to consider if the business was willing to live with the risk, and then develop a plan to migrate to a more secure platform (spoiler: The Senior Leadership Team were not aware of the risk and immediately agreed to update the platform and system).
If you’re lucky enough to have someone responsible for Data Protection, then they might have developed a ‘Records of Processing Activities’ (RoPA), which is a mandatory document under current Data Protection regulations. This RoPA will contain a list of all informational assets in your organisation, but designed with a focus on the data that is processed in your organisation.
This is a fantastic resource, so if you have a RoPA make sure to reference this within your evidence and work closely with your Data Protection Officer to ensure this list is shared and supported by your physical and technical asset register.
Q & A
How often should the list be updated?
Sorry, but that really is an ‘it depends’ answer. It depends how many assets you have, and how regularly they are allocated and returned. If you’re a small business, then you won’t be buying new devices or signing up to new data stores on a weekly basis. Therefore a quarterly review might be ok. But if you are a larger business, you may find that your asset register becomes out of date rather quickly.
The auditor will need to know it is maintained, so do what works for you and settle into a pattern of review that makes sense to you.
Why do we need to classify the assets?
You should ensure you apply a classification scheme to your assets because without some form of classification, you won’t know which assets need additional controls or focus. This doesn’t have to be an exhaustive list. Think about how important the asset is to you, or how significant the impact would be, if you lost that asset. For example, a laptop might sound like an important asset, but as long as the data is stored on the Cloud or a Server, then the value of the asset is relatively low. However, “Payroll Data” which is identified on your RoPA would be classified as ‘Significant’.
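As an added example (not from the original page or the author’s guide), the Python script below runs the checks described in this control over a constructed sample register: every asset has an owner, the classification sets how often the entry must be reviewed, and software past its end of life is flagged as unsupported. The column names, the ‘Low’/‘Significant’ review cadences and all sample values are assumptions made for the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample register (made-up values, not a real organisation):
# one row per asset, with the columns the guidance above asks for.
SAMPLE_REGISTER = """asset,type,serial,owner,classification,end_of_life,last_reviewed
LAPTOP-001,laptop,SN-A1B2,alice,Low,,2024-05-01
PHONE-007,mobile phone,SN-C3D4,,Low,,2024-05-01
SRV-PAYROLL,server,SN-E5F6,bob,Significant,,2023-09-15
LEGACY-OS,software licence,,bob,Significant,2022-01-01,2024-05-01
CRM-SAAS,cloud service,,carol,Significant,,2024-05-01
"""

# Assumed review cadence per classification: higher-impact assets are reviewed more often.
REVIEW_CADENCE = {"Significant": timedelta(days=90), "Low": timedelta(days=365)}


def load_register(text):
    """Parse a CSV asset register into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def find_issues(rows, today):
    """Return (asset, issue) pairs for rows that fail the A5.9 checks."""
    issues = []
    for row in rows:
        name = row["asset"]
        # Every asset needs an assigned owner (the auditor checks this).
        if not row["owner"].strip():
            issues.append((name, "no owner assigned"))
        # Classification must be known so the review cadence can be applied.
        cls = row["classification"]
        if cls not in REVIEW_CADENCE:
            issues.append((name, f"unknown classification '{cls}'"))
        else:
            reviewed = date.fromisoformat(row["last_reviewed"])
            if today - reviewed > REVIEW_CADENCE[cls]:
                issues.append((name, "review overdue"))
        # Software past end of life receives no further security updates.
        eol = row["end_of_life"]
        if eol and date.fromisoformat(eol) <= today:
            issues.append((name, "end of life: no security updates"))
    return issues


def run_checks(text, today_iso):
    """Parse the register and check it as of the given ISO date."""
    return find_issues(load_register(text), date.fromisoformat(today_iso))
```

Running `run_checks(SAMPLE_REGISTER, "2024-06-01")` reports the phone with no owner, the payroll server whose quarterly review is overdue, and the end-of-life software licence.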
Is it possible to get this wrong?
The answer is always “Yes”. Ignoring this control is not acceptable. You must have some form of asset register. But start simply. Start with your physical assets, and then build on this to capture the information related to data. Speak to your IT team as they will most likely have a list of devices that they have purchased for your team, then speak to your team and collect the necessary information (such as serial numbers etc).
Difficulty rating
We rate this a 1 out of 5 difficulty rating. This means that it requires little, if any, technical skill to understand the requirement. This control requires you to build a list of assets, which is based on information the business can provide to you.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship to other controls, but if you’re still confused by how to implement an RBAC process or identify the key roles in your organisation, just get in touch and we’ll be happy to help.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.