
Inventory of Assets ISO 27001: How to Develop an Asset Register

An inventory of assets in ISO 27001 can be interpreted in several different ways. Is a physical asset register detailing all devices in the organisation enough? Or would a static register be sufficient?

What level of detail do we need to go into for the asset register, and what should be included? These are all questions that may come up when considering the inventory of assets in ISO 27001. But before we look into these, we must first understand what an asset is.

What are assets in ISO 27001?

In ISO 27001, assets can be defined as anything of value to the organisation.

ISO 27001:2013 does not specifically define what an asset means, but if we look at the 2005 revision of the standard we can see that it means “anything of value to the organisation”. Strictly speaking, this can literally mean anything – from critical business data through to physical assets and people. But where do we draw the line? Obviously we don’t want to start listing stationery and other minor assets, but what is important? The answer is at the discretion of the organisation. Let’s look at a few examples.

Fundamentally, the asset register will be used to inform the risk assessment (if using an asset-based methodology) and therefore risk treatment. With this in mind, we should only list assets that are of importance to us and, most importantly, that we want to treat: things we genuinely want to protect.

Returning to the stationery example above, compromise of such items would have little to no impact on the organisation, so it is not worthwhile listing them in the ISO 27001 asset register.

Inventory of Assets ISO 27001 Asset Categories

Assets typically fall into the following categories, although this will differ depending on the organisation:

  • Data: In its raw form, the information we want to protect. This includes both paper-based and digital information, and is the core of our whole information security management system. When developing the inventory of assets, you would not want to go down to database, file or field level as this would result in a huge inventory. Instead, try to keep the right level of abstraction – for example, you may wish to specify “customer data” or “application x data”. As long as you are clear on what this encompasses, then it is sufficient.
  • Hardware/Software: End user devices, firewalls, switches, routers and servers are all hardware items that our system would want to protect. Although some of these network devices do not store data directly, compromise or loss of them would have an impact on the confidentiality, integrity and availability of our data. Software should include commercial software products as well as bespoke applications, and any internally developed applications or source code. It is likely that the focus will be on the backend database supporting the application, but, as above, loss or compromise of the application server may indirectly affect the confidentiality, integrity and availability of the data it supports.
  • People: As always, the weakest link in the security chain is people. These should be listed within the asset register, as loss of staff would affect the organisation’s ability to secure its information. People should include management, staff and any other personnel of importance to the organisation.

With the above list in mind, it is clear to see that an inventory of assets stretches beyond just hardware/software inventories. The inventory of assets should include anything of value to the organisation, and should be owned by an individual within the organisation and updated periodically.

Organisations often opt to link their inventory of assets with their physical asset inventory, which is typically managed in a software application. The important point is to ensure that the inventory is kept at a reasonable level of abstraction rather than listing individual devices – for example, you may wish to list “end user devices” rather than “Dell Latitude E7440”.

How can I produce an asset register?

An inventory of assets in ISO 27001 may include owner, custodian, locations and other fields.

One way to produce a list of assets is to use a spreadsheet to specify the asset name, owner, location and value to the organisation. To quantify this, practitioners often use a business impact assessment, or BIA. A BIA allows the organisation to value the asset, and therefore understand its worth to the company.

This enables the organisation to identify the assets that require prioritisation in terms of protection, allowing a proportionate, risk-managed approach. The asset list therefore may include a BIA score for each of confidentiality, integrity and availability, which can be used to inform the risk assessment (for example, a high value asset with high threats = a high risk). We explore this in more detail under risk assessment and risk treatment.

So, in a nutshell, that is how to develop an inventory of assets in ISO 27001. There are no stringent requirements for how the asset register should look, but it must be up to date, owned, reviewed periodically and understandable. An outdated asset inventory will produce inaccurate results in risk assessment processes – remember, garbage in, garbage out!
