Often companies when you start talking about asset management you find that companies don't really have a proper asset list, sure they may have a list of capitalised items they have bought that have been added to the 'asset list' but all that is, in reality, is just a set up in the finance ledger to capture depreciation – that's not an asset list. And your Information security management system (ISMS) shouldn't accept it.
Our conversations on asset management tend to go in three specific directions:
- The finance department are responsible for managing the asset list and so this is a topic for them since they keep it under tight control in the finance system (or spreadsheet on a shared drive).
- Asset management is the responsibility of the maintenance department (they keep things running and fix the breakdowns after all).
- We have no asset management at all.
It is important to be clear, ISO27001's view and your view on what an asset is are probably going to be different. An asset is anything that that may have current or future value to the company (or the competition!) it may be able to create a cashflow or reduce losses, improve sales, or just generally give you an advantage in some way. Right now, you are thinking about equipment – which may be everything from extrusion machine used to make wire to a mobile phone in your pocket, buildings and possibly vehicles. What about patents? Are these on your asset list? Where are you capturing that valuable IP that you keep creating? What about your R&D records? Test results, laboratory testing information, key people or founding partners who have the knowledge of what you do in their heads? Don't you think it would be good to have a list of everything? Including what type of information asset, it is?
A8.1 – Responsibility of assets
ISO27001 for your ISMS The requirement around the responsibility of assets is to make sure you know exactly what you have, who has it and how you keep it. It is split into 4 sections:
- A8.1.1 Inventory of Assets – As we have mentioned before your asset register or inventory is not the same thing as a depreciation list, you tend not to see to many patents depreciate! The control requirement here is that you need to create a formal inventory of all your assets linked to information and information processing facilities. In other words, your business. You need to identify each asset and you need to maintain this list, pulling out once per year 2 days in advance of an audit doesn't count as maintenance. For this list you have the obvious stuff but also think about the less obvious, yes you have PC's, laptops, phones, tablets , network drives you also now have cloud drives, SAAS systems, whiteboards, flip charts and no many other places that can hold information, list them all and track them all.
- A8.1.2 Ownership of assets – as part of your register identify who actually owns the information, yes ultimately your company (unless you hold others information as well) but you can also assign it to departments
- A8.1.3 Acceptable use of assets – for each item you need to decide how it will be used, and how it won't. You need to document that and ensure people know the rules
- A8.1.4 Return of assets – how often does someone leave an organisation and take their phone or laptop with them? Do you clean them of information before they go? You have a requirement to have processes in place to ensure you get back any information that is in the possession of employees when they leave but also think contractors, suppliers etc when you stop working with them.
A8.2 – Information Classification
Not all information is equal, some is only for the likes of 007 himself and some can be shared with the general public, there is a range, and you need to define that range and then classify things accordingly and the ISO27001 information security management standard has some requirements for you.
- A8.2.1 – Classification of information as we have said you need to group your information into classifications which then allows you to decide what to do with it. The standard says it shall (ISO for you will do this) be classified into legal, value, criticality and sensitivity to unauthorised disclosure or modification.
- A8.2.2 – Labelling of Information is then probably not a surprise given that you now have your information classified the standard says you need to label it as such and that should go hand in hand with your asset register, and it is probably a good idea everyone understands the labelling hence you need to write a procedure on this.
- A8.2.3 – Handling of Assets says you will create a procedure on how you handle that information classification, who gets access to what, what the highest to lowest level of classification is and so forth.
A8.3 Media Handling
The final section of ISO27001:2013 Clause A8 for information security Management systems (to give it it's full title) is around how you handle information that is stored on media, any media. It may be on USB, CD, DVD, Blue Ray, Floppy disc (anyone remember them?) tape drives, hard drives, paper, white boards, flip charts well, you get the idea. There are 3 sections you need to think about:
- A8.3.1 - Management of removable media is about setting up your procedures around exactly how you will manage your classification scheme you developed in A8.2 when it comes to media that is effectively mobile. What things are in place to ensure secret stuff isn't on a USB walking out the door?
- A8.3.2 - Disposal of media is your next challenge. How will you securely dispose of your media when you don't need it any more? How do you get ride of the USV's, hard drives or flip charts in a way that means the information you want to keep to yourself is not available to anyone else?
- A8.3.3 – Physical media transfer is your final element of clause A8 of your information security management system. It is asking you to come up with a way that means you are protected against unauthorised access, misuse, or corruption when your information is being transported around. That isn't always as easy as it sounds and the methods you use will vary on what type of information you have being transported.
Understanding exactly what your information assets are is a critical step for any organisation, most organisations embarking on their ISO27001 implementation find this requirement a bit of a challenge. It doesn't have to be, it can be quite interesting and eye opening for everyone the amount of actual value you have in information within your organisation.