If you work for a security-conscious organisation, you may have noticed that it takes asset management very seriously.
You may understand the reasons for certain asset management processes, but perhaps others seem somewhat arbitrary to you.
This blog entry will explain each part of asset management as defined in ISO 27001:2013 annex A.8.1 (Responsibility for assets), and why each part is important.
A key part of asset management is for an organisation to know what assets it owns. Needless to say, an organisation can’t manage its assets securely and effectively if it isn’t keeping track of them in the first place.
An effective inventory of assets is required by ISO 27001 annex control A.8.1.1.
Generally, an organisation will document what assets it owns in a central, authoritative database or spreadsheet. Here at Inverifi, we use AssetTiger.
Where an organisation owns multiple assets of the same type, such as laptops, it needs a means of telling each one apart.
The organisation may do this by printing asset labels with its own serial numbers, or, in the case of most electronics, by recording the unique serial number the manufacturer has embedded in each device's firmware.
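As an added example (not code from the original post, nor from Inverifi or AssetTiger), the script below shows how the firmware serial number can be used as the key for checking an inventory against what is actually present. It reads this host's serial with the platform's standard tools (dmidecode, ioreg or wmic), then reconciles a constructed list of discovered devices against a constructed inventory export; the CSV columns, hostnames and serial numbers are all assumptions made for the example.

```python
"""Reconcile discovered endpoints against an authoritative asset inventory.

Added example, not code from the original post or from Inverifi/AssetTiger.
Assumptions (hypothetical): the inventory is exported as CSV with the columns
asset_tag, serial, type, owner; discovered devices arrive as (hostname, serial)
pairs, for instance from an MDM or endpoint agent.
"""
from __future__ import annotations

import csv
import io
import platform
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_tag: str
    serial: str
    kind: str
    owner: str


def hardware_serial() -> str | None:
    """Read the serial number the manufacturer embedded in this host's firmware.

    Uses each platform's standard tool; returns None if the tool is missing or
    fails (dmidecode, for example, needs root on Linux).
    """
    system = platform.system()
    if system == "Linux":
        cmd = ["dmidecode", "-s", "system-serial-number"]
    elif system == "Darwin":
        cmd = ["ioreg", "-rd1", "-c", "IOPlatformExpertDevice"]
    elif system == "Windows":
        cmd = ["wmic", "bios", "get", "serialnumber"]
    else:
        return None
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    if system == "Darwin":
        # ioreg prints:  "IOPlatformSerialNumber" = "C02XXXXXXXXX"
        for line in out.splitlines():
            if "IOPlatformSerialNumber" in line:
                return line.split('"')[-2]
        return None
    if system == "Windows":
        lines = [l.strip() for l in out.splitlines() if l.strip()]
        return lines[1] if len(lines) > 1 else None  # first line is the header
    return out.strip() or None


def load_inventory(csv_text: str) -> dict[str, Asset]:
    """Parse the inventory export, keyed on the normalised serial number."""
    inventory: dict[str, Asset] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = row["serial"].strip().upper()
        if not serial:
            continue  # assets without a serial (e.g. keycards) cannot be matched this way
        if serial in inventory:
            raise ValueError(f"duplicate serial in inventory: {serial}")
        inventory[serial] = Asset(row["asset_tag"], serial, row["type"], row["owner"])
    return inventory


def reconcile(inventory: dict[str, Asset], discovered: list[tuple[str, str]]) -> dict:
    """Compare devices seen on the estate with what the inventory says exists.

    'unknown': seen but not inventoried (an unrecorded or unauthorised device);
    'missing': inventoried but not seen (lost, stolen or simply switched off);
    'matched': seen and inventoried, with the recorded owner to chase if needed.
    """
    seen = {serial.strip().upper(): host for host, serial in discovered}
    unknown = sorted(host for serial, host in seen.items() if serial not in inventory)
    missing = sorted(a.asset_tag for serial, a in inventory.items() if serial not in seen)
    matched = sorted(
        (seen[serial], a.asset_tag, a.owner)
        for serial, a in inventory.items() if serial in seen
    )
    return {"unknown": unknown, "missing": missing, "matched": matched}


# Constructed sample data for the example; these are not real devices.
SAMPLE_INVENTORY = """asset_tag,serial,type,owner
INV-0001,C02ABCD1234,laptop,alice
INV-0002,5CG1234XYZ,laptop,bob
INV-0003,,keycard,carol
INV-0004,PF1A2B3C,laptop,dave
"""

SAMPLE_DISCOVERED = [
    ("alice-mbp", "c02abcd1234"),  # matches INV-0001 despite the case difference
    ("bob-hp", "5CG1234XYZ"),      # matches INV-0002
    ("unknown-01", "R90ZZZ999"),   # never inventoried
]

if __name__ == "__main__":
    report = reconcile(load_inventory(SAMPLE_INVENTORY), SAMPLE_DISCOVERED)
    for key, items in report.items():
        print(f"{key}: {items}")
    print("this host's serial:", hardware_serial())
```

Matching on the firmware serial rather than on hostname or IP address is the point: hostnames get reimaged and addresses get reassigned, but the serial travels with the physical device, so it is the one identifier that ties a record in the inventory to a machine on the desk. Run against the sample data, the script reports unknown-01 as unrecorded and INV-0004 as unaccounted for.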
Another necessary part of asset management is a clear, unambiguous agreement of who is responsible for each asset.
After all, one person can’t be expected to keep track of every asset – especially if multiple offices, in different geographic locations, are involved.
ISO 27001:2013 annex control A.8.1.2 requires that every asset in the inventory has an owner.
Legally speaking, the organisation owns all its assets. However, the employee who “owns” a particular asset is responsible for it: for taking reasonable measures to keep it safe, and for reporting promptly when it is lost or stolen.
At most organisations, each asset is owned by the employee it is issued to. This means, if you have a work laptop or an office keycard, you’re responsible for it; you’re its owner.
An organisation also needs to regulate how its assets are used by its employees. Although this applies to all assets, it is particularly aimed at information and computing assets.
This is a requirement of ISO 27001:2013 annex control A.8.1.3.
This usually starts with an acceptable use policy. For computing assets, the policy is often partly enforced through software-based restrictions on what regular users can do with the computers the organisation supplies to them, for example removing local administrator rights or limiting which software can be installed.
It is important for an organisation to make clear to its employees what is and isn’t acceptable use of its equipment.
When it comes to computing assets, regulating their use helps protect information security, by reducing the risk of computers being infected with malware, and by enforcing secure software management practices.
An acceptable use policy isn’t necessarily just there to protect information security, though. It can be used to prevent any unfavourable use of an organisation’s assets.
Some employees may want to use company assets for illegal activities, such as illegally downloading pirated digital media. They may not even know that what they’re doing is illegal.
An acceptable use policy probably wouldn’t prevent deliberate law-breaking, but it would be likely to prevent accidental law-breaking. It might even educate employees on how they might be breaking the law outside of work, so they can correct this.
Once an asset is no longer used by a particular employee – whether it’s because the asset is considered obsolete, or because the employee has left – it must be returned to the organisation.
This is a requirement of ISO 27001:2013 annex control A.8.1.4.
An organisation will require assets to be returned for two reasons.
Firstly, an asset may be of high value. A single computer can be worth thousands of pounds. If an organisation allows an employee to keep a reusable asset for themselves, it is losing money.
Secondly, you guessed it: security. As expensive as a MacBook might seem to you and me, to some companies its value is nothing compared to the potential cost of a data breach arising from the information left on it. This is also the main concern of A.8.1.4.
I’ve explained why each part of asset management, as standardised in ISO 27001:2013 annex A.8.1, is important.
Each part of asset management has importance in protecting the security of the organisation’s data. However, some parts are important for other reasons, which don’t necessarily have anything to do with security.
Any organisation that wants to be seen as secure must take measures to ensure effective asset management. Each employee working for such an organisation must follow any asset management policies applicable to them.