Inverifi logo

ISO 27001

Annex A.8 Asset management

Get compliant with ISO 27001 – Annex A.8 and simplify compliance for your organisation.

Annex A.8 has three sections divided into a total ten controls. The aim is to ensure a proper maintenance of an asset inventory. To support the normal secure operations for the organisation.

A.8.1 – Responsibility for assets

With A.8.1, the responsibility for assets with four controls. The controls outline how to identify organisational assets and define appropriate protection responsibilities.

A.8.1.1 Inventory of assets

The purpose of this control is to ensure a proper maintenance of an asset inventory to support the normal secure operations of the business in an organisation.

Assets associated with information and information processing facilities shall be identified.  An inventory of these assets shall be drawn up and maintained. Every single asset in the organisation should  be accounted for and listed to show how they are managed and controlled. Some example for categories of information assets include:

  • Databases
  • Data files
  • Hard-copy  documents
  • User guides
  • Notebooks
  • Training material
  • Policies, Procedures
  • Financial Data

A.8.1.2 Ownership of assets

Assets maintained in the inventory shall be owned. Meaning all assets need to have ownership within an organisation. 


Any asset that is in use should be assigned (or checked out) to an owner and/or location for an organisational information secure purpose. The ownership and location of assets should be recorded. 


Each asset has a life cycle that can be digested into four key stages:

  • Planning
  • Procurement/acquisition
  • Operation and maintenance
  • Disposal


Changes of ownership of assets can be made as long as it is recorded.

A.8.1.3 Acceptable use of assets

Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. These rules are normally referred as “acceptable use of assets policy”


The Information Assets are provided for use in delivery of services to clients, suppliers, partners and internally within the organisation.


Information Systems  includes all servers and clients, portable computers, mobile phones, removable storage media, network infrastructure, system and application software, and other computer subsystems and components which are owned or used by the organisation or which are under the organisation’s responsibility. The use of an Information System also includes the use of all internal or external services, such as Internet access, e-mail, etc.

A.8.1.4 Return of assets

All employees and external party users shall return all of the organisational assets in their possession upon termination of their employment, contract or agreement. There should be clear documentation in the organisation about the process of how this asset will be fulfilled. This control will be come across with Annex 7, Annex 13 and Annex 15

A.8.2 – Information classification

Annex A.8.2 has three controls for information classification. This annex is about how to ensure information receives an appropriate level of protection. Accordance with its importance to the organisation.

A.8.2.1 Classification of information

Organisation could class their information to several different classifications depending on  legal requirements , value to the organisation,criticality to the organisation, sensitivity to unauthorised disclosure or modification. The least need to keep in security could be classified as ‘public’. Those information are available e.g on commercial websites so the public could easily reach out for.

A.8.2.2 Labelling of information

An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organisation. After deciding the classification of information, to apply them on the label is important. Information needs to be identified to the correct classification while created.

A.8.2.3 Handling of assets

Procedures for handling assets shall be developed and implemented under the information classification scheme adopted by the organisation. For each security classification level a set of controls must be in place to ensure that the information asset involved is appropriately protected at all times. 

A.8.3 – Media handling

Annex A.8.3 also has three controls to outline media handling. Which prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media

Management of removable media should be implemented with procedures considering the classification scheme. The use of removable media such as memory sticks, CDs, DVDs, PDAs, mobiles and cameras to store data represents a significant risk to the organisation should be strictly controlled.  


Where removable media is currently being used in a business process, consideration must be given to the best method of achieving that business process by another means. This document provides guidelines concerning how requests for the use of removable media should be assessed and the appropriate recommendations that should be made depending upon the circumstances and requirements.

A.8.3.2 Disposal of media

Most of the time, simply deleting the data from a device or hard disk does not completely remove the data.  Therefore special procedure needs to be designed in an organisation to dispose of the media.


Media shall be disposed of securely when no longer required, using formal procedures. In order to protect sensitive data in an organisation, it is essential that the disposal of media which does, or may contain such data, is carried out in a controlled fashion. 

A.8.3.3 Physical media transfer

Occasionally, the organisation will need to share sensitive information with other parties. Under such circumstances it is important that the method by which information is transferred is understood and documented and that all parties involved are fully aware of the precautions that must be taken to ensure the confidentiality, integrity and availability of the information. 

Media containing information shall be protected against unauthorised access, misuse or corruption during transportation. At times there may be a requirement to transfer client/non-client data into a live environment, when this occurs and the data is marked as sensitive the data should be encrypted and placed onto the physical media so that it can be delivered.