Part 27 - A8 Asset Management
The A.8 clause of Annex A of ISO 27001 is all about managing your business’s assets. It lists some really valuable requirements for any business.
First up - responsibility.
A.8.1 Responsibility for assets
The objective of this sub-section is to identify the assets and then define the responsibilities for protecting them.
In my experience most businesses don’t have any kind of asset register. If they do, it’s likely that the assets are captured in a spreadsheet during a one-off exercise, usually around the end of the financial year. Often the only people to see the list of assets is the Accountant or Finance Manager for accountancy purposes. No one else gets to see it or use it. So, not only are these registers not used in any active sense, they are also only up-to-date briefly, once a year.
The thing is, by definition assets are a resource with economic value that a business or organisation owns, with the expectation that it will provide a future benefit. An asset can be thought of as something that, in the future, can generate cash flow, reduce expenses or improve sales, regardless of whether it's manufacturing equipment, a building, a truck or a patent. Assets are reported on a company's balance sheet and are bought or created to increase a firm's value or benefit the firm's operations. When you look at it like this, it is amazing that businesses can have such valuable resources on hand and be so blasé about managing them.
So, the first step is to identify your assets. Create an “inventory of assets”, or in other words, an Asset Register. This is very simple to do in Mango and once clients see an Asset register in all its glory, they quickly begin to understand how they can use the register for multiple management system purposes. Tasks such as
- locating missing equipment,
- prioritising risks,
- classifying the assets for risk purposes
- and even for determining objectives
For Mango we created a list of all the information assets we have, including all software, computers, laptops, monitors, whiteboards, hard drives and as well as many more. We captured hundreds of items. It was a satisfying exercise and we found stuff we didn’t know we had. We put that into Mango and set a date to review and update the list on a regular basis.
Once you have created your list you must define who owns it. Then you must document how the information on those assets is to be used. We created an Acceptable Use policy to help define this.
Then finally for this section we updated the individual employment agreement and contractor agreements to include a requirement that users “shall return all of the assets in their possession upon termination of their employment, contract or agreement”.
A.8.2 Information classification
The objective here is to ensure that your information assets are protected according to their importance to your business.
Here at Mango we defined a four-level classification system:
The higher the rank, the more protection it receives. So “Secret” has the most protection and security, through to “Public” that has the least protection.
Once classified, we then labelled the assets. For Mango this meant we uniquely numbered the assets with an “asset number”. Those that were physical assets, like computers, monitors and whiteboards, we attached a physical label with the asset number attached. We recorded serial numbers (and product/version numbers) on the asset register so that each piece of asset was uniquely identified. Obviously this is more difficult to do with electronic items such as software and websites, but these are important assets that need to be captured, so I suggest you think carefully about how you will uniquely identify them.
A.8.3 Media handling
This sub-clause has the objective to prevent any unauthorised disclosure, modification, removal or destruction of information stored on media.
With the portability of information becoming easier and easier, the risk of losing data becomes higher and higher. You need to have procedures in place for a whole range of devices:
- Hard drives
- USB drives
- Mobile phones
- SaaS products
If you haven’t considered each type of media, it can soon become a nightmare for you. This is why it is vitally important in the discovery stage to identify all of your assets (as per A.8.1 above). The list you create needs to an exhaustive one. You need to search high and low for all media in your business. This is not a small task. Don’t underestimate the time it will take you to do this. But being thorough will ensure that you reduce your future risk.
Here at Mango (and we are only small - fewer than 20 employees) it took us a couple of weeks to get our media list together. We found software we didn’t know we had.
Now that you know what media you have, this requires you to develop and implement procedures for how to manage them. For instance here at Mango we have banned portable hard drives from being used.
Don’t forget to create procedures for the secure disposal of media that is no longer required, plus you’ll need procedures for transporting media too.
Assets are important to the growth of your business, and their mismanagement can pose a sizable risk to your businesses well-being. Use Asset Registers to maximise your growth and minimise your risk.
- Create a list of information assets - in other words, create an asset register. This takes time and requires the discovery of all information assets.
- Classify the assets on the list so that the level of protection and control is proportional to the importance of that asset to your business.
- Ensure that you have procedures in place for all of your media devices.
View previous blogs in this series "ISO 27001 Information Security Management Standard":