Clause 4.2.1.d.1 of ISO/IEC 27001 requires the implementing organization to identify the assets within the defined scope of the ISMS...
As per ISO 27000:2009, an asset is defined as anything that has value to the organization. A note after the definition categorizes assets into the following types:
1. information
2. software
3. physical
4. services
5. people
6. intangibles such as reputation and image
In my consulting jaunts, I use a different classification system for asset identification. My clients found my approach easy to follow and very straightforward.
1. information - databases, data files, electronic mails, SMS messages, information transmitted and received electronically
2. physical - computer and communication equipment, offices, locations, magnetic and optical media, generator set, UPS, ACU, facilities
3. paper - information written down or printed on paper: contracts, guidelines, memoranda, SLAs, OLAs
4. software - in-house developed, COTS, operating system, development tools, utilities
5. people - management, employees, contractors, cleaners, clients
6. services - computing and communication service, lighting, heating, cooling, courier, outsourced software development, outsourced processes, shuttle service (note: service assets are the services being received by the implementing organization, not the services it provides. Disruption to a received service affects the availability aspect of that service asset)
Would appreciate reading how you managed your asset identification process! Cheers!
Next topic - how to go about grouping similar assets. Geez! I have 150 servers; do I need to list them one by one?