The asset inventory is a table with the following fields: id, asset, asset class, information criticality level, and so on. The asset owner (Asset Manager) and the people authorized to use the asset are also recorded in the Excel table.
What exactly are the security assets that ISO 27001 talks about? How detailed does the inventory need to be and what information should it report? The Standard does not give a precise answer to these questions and the company is free to create an inventory of the resources at its disposal to process and protect information, in the most functional way for the system’s objectives.
If we think of assets as the “goods” or “resources” with which we process and protect information, then we can include in the asset inventory the network, servers, network devices, computers, paper archives, antivirus software, etc. Sometimes the information to be protected is itself included in the asset inventory as well.
The inventory of assets required by control 8 of Annex A of ISO 27001 can be carried out in a simple way, keeping in mind the following three needs:
- The asset must be identified
- The asset must be placed in the functional context of the company
- The asset must be managed, that is, protected from the risks to the confidentiality, integrity and availability of information
In the example below, the asset is identified simply by assigning it an identification number.
In the inventory, all security assets are grouped into classes so that security policies can target the protection of assets that share specific characteristics.
The asset classes we suggest adopting are the following:
- Information
- Network and communications
- Software
- Processing devices
- Locations and archives
- Safety systems and devices
From a functional point of view, the inventory frames each asset within the organization by establishing:
- The criticality level of the information inherent to it
- The information security label
- Whether or not it is a removable asset (rem)
- Who has been entrusted with responsibility for the asset
- Who is authorized to use it (personnel engaged in primary, support or security processes, or external persons)
- Whether the asset belongs to the company or is provided by a third party (outsourcing)
- Whether the asset is also used for teleworking
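The following added example, written for this page and not part of the article or its Excel template, models the inventory described above in code: one record per asset carrying the columns the text lists (id, name, class, criticality level, security label, removable flag, owner, authorized users, outsourced, teleworking) plus the controls recorded per risk dimension. A validation function then checks each record against the three needs (identified, placed in its functional context, managed with a control for confidentiality, logical integrity, physical integrity and availability), and a grouping helper shows how class-level policies can be applied. The criticality levels (`low`/`medium`/`high`), label values and all sample rows are constructed assumptions; the article only says that such fields exist.

```python
"""Minimal ISO 27001 Annex A asset inventory with a completeness check.

Added illustration; the column set follows the article, the values are
constructed sample data and the criticality scale is an assumption.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Asset classes exactly as the article suggests them.
ASSET_CLASSES = {
    "Information",
    "Network and communications",
    "Software",
    "Processing devices",
    "Locations and archives",
    "Safety systems and devices",
}

# Assumed scale; the article only says a criticality level is recorded.
CRITICALITY_LEVELS = ("low", "medium", "high")

# Risk dimensions for which the inventory records the applied controls.
RISK_DIMENSIONS = ("confidentiality", "logical_integrity",
                   "physical_integrity", "availability")


@dataclass
class Asset:
    asset_id: str
    name: str
    asset_class: str
    criticality: str
    label: str                       # information security label
    removable: bool                  # the "rem" column
    owner: str                       # person entrusted with responsibility
    authorized_users: list[str] = field(default_factory=list)
    outsourced: bool = False         # provided by a third party
    teleworking: bool = False        # also used when working remotely
    controls: dict[str, list[str]] = field(default_factory=dict)


def validate_asset(a: Asset) -> list[str]:
    """Return the problems found; an empty list means all three needs are met."""
    problems: list[str] = []
    # Need 1: the asset must be identified.
    if not a.asset_id or not a.name:
        problems.append("asset not identified (missing id or name)")
    # Need 2: the asset must be placed in its functional context.
    if a.asset_class not in ASSET_CLASSES:
        problems.append(f"unknown asset class '{a.asset_class}'")
    if a.criticality not in CRITICALITY_LEVELS:
        problems.append(f"unknown criticality '{a.criticality}'")
    if not a.owner:
        problems.append("no owner assigned")
    if not a.authorized_users:
        problems.append("no authorized users listed")
    # Need 3: the asset must be managed, i.e. a control per risk dimension.
    for dim in RISK_DIMENSIONS:
        if not a.controls.get(dim):
            problems.append(f"no control recorded for {dim}")
    return problems


def inventory_report(assets: list[Asset]) -> dict[str, list[str]]:
    """Map each asset id to its list of problems (empty when compliant)."""
    return {a.asset_id: validate_asset(a) for a in assets}


def by_class(assets: list[Asset]) -> dict[str, list[str]]:
    """Group asset ids by class so policies can be applied per class."""
    groups: dict[str, list[str]] = {}
    for a in assets:
        groups.setdefault(a.asset_class, []).append(a.asset_id)
    return groups


# Constructed sample rows, not taken from any real inventory.
SAMPLE_INVENTORY = [
    Asset("A-001", "File server", "Processing devices", "high", "confidential",
          False, "IT manager", ["primary process staff"], False, False,
          {"confidentiality": ["access control"], "logical_integrity": ["backup"],
           "physical_integrity": ["locked server room"], "availability": ["UPS"]}),
    Asset("A-002", "Sales laptop", "Processing devices", "medium", "internal",
          True, "Sales manager", ["sales staff"], False, True,
          {"confidentiality": ["disk encryption"], "logical_integrity": ["antivirus"],
           "physical_integrity": [], "availability": ["backup"]}),
    Asset("A-003", "Hosted CRM", "Software", "high", "confidential",
          False, "", ["sales staff"], True, True,
          {"confidentiality": ["SSO"], "logical_integrity": ["vendor backup"],
           "physical_integrity": ["vendor data centre"], "availability": ["SLA"]}),
]

if __name__ == "__main__":
    for asset_id, problems in inventory_report(SAMPLE_INVENTORY).items():
        print(asset_id, "OK" if not problems else "; ".join(problems))
    print(by_class(SAMPLE_INVENTORY))
```

Running the script lists, per asset id, either `OK` or the gaps that would keep the row from satisfying the three needs (the removable sales laptop lacks a physical-integrity control, the outsourced CRM has no owner), which is the kind of review a practitioner runs over the spreadsheet before an audit.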
A good asset inventory, in which each asset is well defined in its functional place in the company, allows information protection to be organized more prudently.
In the example above, the security controls applied to manage the risks to confidentiality, logical integrity, physical integrity and availability are also recorded alongside each asset.