Security – ISMS – Asset Management

Asset Management

Requirements

Technology assets are typically identified and recorded in dedicated inventories as part of the overall ICT documentation set. To be effective, the register(s) should include all aspects of information technology. For example: applications and software systems, end-user equipment, network devices and services, infrastructure systems, back-end technology, servers and related systems, cloud based systems and services. In other words, the entire set of technology that is known to exist within the organisation. 

Most asset registers focus on the operational and financial management processes involved in the handling of hardware and software usage. Hardware registers capture details of the physical properties of equipment to assist with the operational management. This involves routine maintenance, replacement cycles, capacity planning etc. Software applications registers help manage the pool of user licences that are in place. This involves the elements that provide access to the various systems used by the organisation.

Additional details are required for technology systems to facilitate the Information Security Management System. This means comprehensive knowledge of the technology environment is vital in the construction of the security framework.

Knowledge of the company’s technology asset base will provide certainty over the status of the assets. It will also provide knowledge of who has access to those assets and how this access is managed. These details are important when planning how to maintain security of critical company assets. As well as the necessary technical details, the information recorded for each asset will include many other attributes. For example: where the assets are located, what configuration they have, what version they are, and many other security specific details.

With an appropriate asset register, the information can be used to help identify unauthorised modification to assets. This event is often the first indication that an asset has been compromised.

Related Policies

The management of assets within the scope of the company’s ISMS is dependent on policies governing the following:

• Asset Inventory – what is included in the register
• Ownership of Assets – who is responsible for the management of different assets
• Acceptable Use of Assets – how the assets should be used

An organisation must identify all assets in the information technology environment and document their significance. Documentation of specific or current inventories should be maintained by authorised individuals as required.

The register(s) of assets must be accurate, up to date, compatible, and matched with other technology service inventories. Ownership should be allocated to each of the assets and grouping or classification of assets should be used to highlight relevant types, functions or uses for the assets.

The recording of lifecycle events of assets should include activities involved in their useful lifetime. This includes the acquisition, creation, processing, storage, transmission, deletion and destruction of assets.

­Guidelines should be identified, documented, and implemented for the acceptable use of technology assets linked to information and processing facilities. This will serve to increase awareness of responsibilities in relation to the security of the assets.

Employees and external parties who use or have access to the company‘s assets must be made aware of all Information Security requirements. This is especially important when information is shared with other users. The owners or regular users of company assets will be responsible for the management of any related information processing services.