In this post, we delve into the management of information and other assets which store and have access to the information within your business.

A.5.9 Inventory of information and other associated assets

The objective of the next three controls is to identify the assets and then define the responsibilities for protecting them.

In our experience, a lot of businesses don’t have any kind of asset register. If they do, it’s likely that the assets were captured in a spreadsheet during a one-off exercise, usually around the end of the financial year. Often the only people to see the list of assets are the Accountant or Finance Manager, for accountancy purposes. No one else gets to see it or use it. So, not only are these registers not used in any active sense, they are also only up to date briefly, once a year.

By definition, assets are a resource with economic value that a business or organisation owns, with the expectation that it will provide a future benefit. An asset can be thought of as something that, in the future, can generate cash flow, reduce expenses or improve sales, regardless of whether it's manufacturing equipment, a building, a truck or a patent.  Assets are reported on a company's balance sheet and are bought or created to increase a firm's value or benefit the firm's operations.  When you look at it like this, it is amazing that businesses can have such valuable resources on hand and be so blasé about managing them.

To implement this control, the first step is to identify your assets. Create an “inventory of assets”, or in other words, an Asset Register. An Asset Register can be used for multiple management system purposes, such as:

  • maintenance,
  • locating missing equipment,
  • prioritising risks,
  • classifying the assets for risk purposes, and
  • determining objectives,

and many others, all of which become active and simple once the register exists.

List all the information assets you have, including software, licences, computers, laptops, monitors, whiteboards, hard drives and many more, across multiple lists grouped appropriately to give you an accurate picture of what you have. You will likely capture many more items than you thought you had! Add them to a register and set a date to review and update the list on a regular basis. Once you have created your list you must also define who owns each asset.

A.5.10 Acceptable use of information and other associated assets

Once you have developed your Asset Register as part of A.5.9, you must document how the information on those assets is to be used. Creating an Acceptable Use policy will help define this. This Acceptable Use policy can be incorporated into your Information Security policy document, or documented separately if that is more appropriate for your circumstances. All employees and contractors should be made aware of this policy, and agree to abide by it as part of the onboarding process. Non-adherence can be fed into a disciplinary process (control A.6.4).


A.5.11 Return of assets

Finally for the controls on asset management, you will need to determine a policy on the return of assets. A common way to do this is to update individual employment agreements and contractor agreements to include a requirement that users “shall return all of the assets in their possession upon termination of their employment, contract or agreement”.

Again, this should be supported and enforced by having employees and contractors agree to this as part of their induction process and having an enforceable disciplinary policy which includes escalations to legal action to re-acquire assets where applicable.

A.5.12 Classification of information

Now that the controls around the management of assets are done, we move to controls on information management. The objective here is to ensure that your information assets are protected according to their importance to your business.
A common classification system to use involves the following levels:

  1. Secret
  2. Confidential
  3. Internal
  4. Public

The higher the rank, the more protection it receives.  So “Secret” has the most protection and security, through to “Public” that has the least protection.

A.5.13 Labelling of information

Once information has been classified, you should label the information and the assets which store it. This can mean uniquely numbering the assets with an “asset number”. Physical assets, like computers, monitors and whiteboards, can be labelled by attaching a physical label bearing the asset number. One way to achieve this is by recording serial numbers (and product/version numbers) on the asset register so that each asset can be uniquely identified. Obviously this is more difficult to do with electronic items such as software, licences and websites, but these are important assets that need to be captured, so you should carefully consider how you will uniquely identify them and record it.
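To make the register, ownership, classification and labelling points of A.5.9, A.5.12 and A.5.13 concrete, here is an added example (not code from the original post, DQS or the ISO standard) of a minimal asset register in Python. Physical items take their asset number from the manufacturer serial; electronic items, which have no serial, get a stable number derived from category, product and name. The prefix scheme, the sample assets and the one-year review interval are assumptions made for the example.

```python
"""Minimal asset register: unique asset numbers, an accountable owner per asset,
ranked classification, and a periodic-review check.

Added illustration only; the numbering scheme and sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum
import hashlib


class Classification(IntEnum):
    """Ranked as in the post: the higher the value, the more protection required."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    SECRET = 4


@dataclass
class Asset:
    name: str
    category: str                      # e.g. "laptop", "software", "licence", "website"
    owner: str                         # the person accountable for the asset
    classification: Classification
    serial: str = ""                   # manufacturer serial for physical items
    product: str = ""                  # product and version identifier, if any
    last_reviewed: date = field(default_factory=date.today)

    def asset_number(self) -> str:
        """Derive the label printed on the asset and recorded in the register.

        Physical items reuse the manufacturer serial.  Electronic items have no
        serial, so a stable identifier is derived from category, product and name.
        The "<CATEGORY>-<id>" prefix scheme is an assumption for this example.
        """
        if self.serial:
            return f"{self.category.upper()}-{self.serial}"
        digest = hashlib.sha256(
            f"{self.category}|{self.product}|{self.name}".encode()
        ).hexdigest()[:10]
        return f"{self.category.upper()}-{digest}"


class AssetRegister:
    def __init__(self, review_interval_days: int = 365):
        self._assets: dict[str, Asset] = {}
        self.review_interval = timedelta(days=review_interval_days)

    def add(self, asset: Asset) -> str:
        """Register an asset; reject duplicates and assets with no owner."""
        number = asset.asset_number()
        if number in self._assets:
            raise ValueError(f"duplicate asset number {number}")
        if not asset.owner:
            raise ValueError(f"asset {number} has no owner")
        self._assets[number] = asset
        return number

    def get(self, number: str) -> Asset:
        return self._assets[number]

    def owned_by(self, owner: str) -> list[str]:
        return sorted(n for n, a in self._assets.items() if a.owner == owner)

    def review_overdue(self, as_of: date) -> list[str]:
        """Asset numbers whose last review is older than the review interval."""
        return sorted(
            n for n, a in self._assets.items()
            if as_of - a.last_reviewed > self.review_interval
        )

    def most_sensitive(self) -> Classification:
        """Highest classification held by any asset in the register."""
        return max(a.classification for a in self._assets.values())


def build_sample_register() -> AssetRegister:
    """Constructed sample data for the example, not a real inventory."""
    reg = AssetRegister()
    reg.add(Asset("Finance laptop", "laptop", "alice", Classification.CONFIDENTIAL,
                  serial="SN12345", last_reviewed=date(2023, 1, 15)))
    reg.add(Asset("Accounting package", "software", "bob", Classification.CONFIDENTIAL,
                  product="acme-books 4.2", last_reviewed=date(2024, 3, 1)))
    reg.add(Asset("Company website", "website", "carol", Classification.PUBLIC,
                  product="www", last_reviewed=date(2024, 3, 1)))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for number in reg.owned_by("alice"):
        print(number, reg.get(number).name)
    print("overdue for review:", reg.review_overdue(date(2024, 6, 1)))
```

Because `Classification` is an `IntEnum`, comparisons such as `a.classification >= Classification.CONFIDENTIAL` express the "higher rank, more protection" ordering directly, and `review_overdue` turns the "set a date to review" advice into something a script can report on.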

A.5.14 Information transfer

The objective here is to maintain the security of information transferred within your organisation and with any external entity.

Once again you need to list all the communication and information transfer activities in your organisation.

The standard helps to ensure you have covered everything, including:

•    Information transfer policies and procedures
•    Agreements on information transfer
•    Electronic messaging
•    Confidentiality or nondisclosure agreements 

While determining the transfer activities, you should consider the main forms of transfer: verbal transfer, physical transfer (including the media used to carry information, such as computers and hard drives) and electronic communication.

Then, once all activities have been identified, ensure there are rules to govern how the information is transferred and protected against being intercepted, accessed, copied, modified or destroyed by unauthorised users. Things like reliability and availability of the transfer mechanisms, traceability, chains of custody and ownership of the information and risks should also be considered.
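The rules described above can be written down as checks and run over the list of transfer activities. The following is an added example (not code from the original post, DQS or the ISO standard): each channel is described by the protections it offers against interception, unauthorised access and loss of traceability, and each transfer is checked against minimum requirements for its classification. The channel properties, the thresholds per classification level and the sample transfers are all assumptions made for the example, not requirements taken from the standard.

```python
"""Check a list of information transfer activities against transfer rules.

Added illustration only; channel properties and thresholds are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    SECRET = 4


@dataclass(frozen=True)
class Channel:
    name: str
    encrypted: bool       # protects against interception and copying in transit
    authenticated: bool   # recipient identity checked, so no unauthorised access
    logged: bool          # transfer recorded for traceability / chain of custody
    external: bool        # information leaves the organisation


@dataclass(frozen=True)
class Transfer:
    description: str
    classification: Classification
    channel: Channel
    agreement_in_place: bool = False   # NDA or transfer agreement with the recipient


def violations(t: Transfer) -> list[str]:
    """Return the rules a transfer breaks; an empty list means it is allowed.

    Thresholds are assumptions for the example: internal information needs an
    authenticated recipient; confidential and above also need encryption,
    logging and, if external, an agreement; secret stays on internal channels.
    """
    c, ch = t.classification, t.channel
    problems = []
    if c >= Classification.INTERNAL and not ch.authenticated:
        problems.append("recipient not authenticated")
    if c >= Classification.CONFIDENTIAL and not ch.encrypted:
        problems.append("channel not encrypted")
    if c >= Classification.CONFIDENTIAL and not ch.logged:
        problems.append("no transfer log for traceability")
    if c >= Classification.CONFIDENTIAL and ch.external and not t.agreement_in_place:
        problems.append("external recipient without NDA or transfer agreement")
    if c == Classification.SECRET and ch.external:
        problems.append("secret information restricted to internal channels")
    return problems


def review(transfers: list[Transfer]) -> dict[str, list[str]]:
    """Map each transfer description to its list of violations."""
    return {t.description: violations(t) for t in transfers}


# Constructed sample channels and transfer activities for the example.
EMAIL = Channel("company email", encrypted=True, authenticated=True, logged=True, external=True)
COURIER = Channel("courier, unencrypted drive", encrypted=False, authenticated=True, logged=True, external=True)
FILE_SHARE = Channel("internal file share", encrypted=True, authenticated=True, logged=True, external=False)
CHAT_APP = Channel("personal messaging app", encrypted=True, authenticated=False, logged=False, external=True)


def sample_transfers() -> list[Transfer]:
    return [
        Transfer("newsletter to customers", Classification.PUBLIC, EMAIL),
        Transfer("payroll file to external accountant", Classification.CONFIDENTIAL, EMAIL),
        Transfer("board minutes to contractor via chat app", Classification.CONFIDENTIAL, CHAT_APP),
        Transfer("backup drive shipped to offsite storage", Classification.CONFIDENTIAL, COURIER,
                 agreement_in_place=True),
        Transfer("product design documents on file share", Classification.SECRET, FILE_SHARE),
    ]


if __name__ == "__main__":
    for description, problems in review(sample_transfers()).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{description}: {status}")
```

Running the check over the sample list flags the payroll file (no agreement with the external recipient), the chat-app transfer (unauthenticated, unlogged, no agreement) and the unencrypted drive, while the public newsletter and the internal file share transfer pass. Extending the channel model with reliability and availability attributes would cover the remaining considerations named above in the same way.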

Conclusion

In conclusion, determine and categorise the information in your business and the assets which are used to store and transmit it, and ensure that you have a register to keep track of those assets. The final piece of the puzzle for these information and asset management controls is the policies and rules around their use, which will help you keep on top of your assets.

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
