ISMS Asset Identification Process - Clause 4.2.1.d.1 of ISO/IEC 27001

[Richard Regalado]

Clause 4.2.1.d.1 of ISO/IEC 27001 requires the implementing organization to identify the assets within the defined scope of the ISMS...

As per ISO 27000:2009 an asset is defined as - anything that has value to the organization. A note is provided after the definition which categorizes different asset types into:

1. information
2. software
3. physical
4. services
5. people
6. intangibles such as reputation and image

In my consulting jaunts, I use a different classification system for asset identification. My clients found my approach easy to follows and very straight forward.

1. information - databases, data files, electronic mails, SMS messages, information transmitted and received electronically,

2. physical - computer and communication equipment, offices, locations, magnetic and optical media, generator set, UPS, ACU, facilities, offices

3. paper - information written down or printed on paper; contracts, guidelines, memoranda, SLAs, OLAs,

4. software - in-house developed, COTS, operating system, development tools, utilities

5. people - management, employees, contractors, cleaners, clients

6. services - computing and communication service, lighting, heating, cooling, courier, outsourced software development, outsourced processes, shuttle service (note: service assets are services being received by the implementing organization and not the services being provided. Disruption to the services being received will impact the availability aspect of the service asset)

Would appreciate reading how did you manage your asset identification process! Cheers!




Next topic - how to go about grouping similar assets. Geez! I have 150 servers do I need to list them one-by-one?

 

[Stijloor]

Clause 4.2.1.d.1 of ISO/IEC 27001 requires the implementing organization to identify the assets within the defined scope of the ISMS...

As per ISO 27000:2009 an asset is defined as - anything that has value to the organization. A note is provided after the definition which categorizes different asset types into:

1. information
2. software
3. physical
4. services
5. people
6. intangibles such as reputation and image

In my consulting jaunts, I use a different classification system for asset identification. My clients found my approach easy to follows and very straight forward.

1. information - databases, data files, electronic mails, SMS messages, information transmitted and received electronically,

2. physical - computer and communication equipment, offices, locations, magnetic and optical media, generator set, UPS, ACU, facilities, offices

3. paper - information written down or printed on paper; contracts, guidelines, memoranda, SLAs, OLAs,

4. software - in-house developed, COTS, operating system, development tools, utilities

5. people - management, employees, contractors, cleaners, clients

6. services - computing and communication service, lighting, heating, cooling, courier, outsourced software development, outsourced processes, shuttle service (note: service assets are services being received by the implementing organization and not the services being provided. Disruption to the services being received will impact the availability aspect of the service asset)

Would appreciate reading how did you manage your asset identification process! Cheers!




Next topic - how to go about grouping similar assets. Geez! I have 150 servers do I need to list them one-by-one?

Comments anyone?

Thank you!!

Stijloor.

 

[dsheaffe]

While I am very much a ISO27001 newbie, in our organisation we followed a similar approach. We still retained the asset types noted in the standard - but we then provided the detail on what sorts of assets fell into each group (much the same as yours). We too found it much easier for the staff when identifying assets when the had some direction on "what" an asset was.

Looking forward to your next topic.
Dave

 

[Richard Regalado]

While I am very much a ISO27001 newbie, in our organisation we followed a similar approach. We still retained the asset types noted in the standard - but we then provided the detail on what sorts of assets fell into each group (much the same as yours). We too found it much easier for the staff when identifying assets when the had some direction on "what" an asset was.

Looking forward to your next topic.
Dave

Thanks Mate! Nice to read that ISO/IEC 27001 is alive and kicking in Wollongong.

The advantage of grouping assets in categories is that it provides the user a framework which is more easier to manage that identifying it all in one go in a single bin - "assets".

Categorizing assets also allows for much easier identification (see control A.7.1.1 Inventory of assets) and allows for much more simpler verification for duplicate and missing entries.

How far have you gone with your ISMS development Dave?

 

[dsheaffe]

How far have you gone with your ISMS development?

We are about 6 months into what we plan to be a 12 month implemetation. Initial training for key staff is done, Asset Register is complete and we are about to start our Risk assessment. We already had plenty of info sec related policies and procedures - but no structure to support them, so we already have a fair proportion of the controls that we need already in place, so ISO27001 is really about having a framework to suport the whole thing - and to fill in the gaps of what is missing.