
ISMS Asset Identification Process - Clause 4.2.1.d.1 of ISO/IEC 27001

Richard Regalado

Trusted Information Resource
#1
Clause 4.2.1.d.1 of ISO/IEC 27001 requires the implementing organization to identify the assets within the defined scope of the ISMS...

As per ISO 27000:2009 an asset is defined as - anything that has value to the organization. A note is provided after the definition which categorizes different asset types into:

1. information
2. software
3. physical
4. services
5. people
6. intangibles such as reputation and image

In my consulting jaunts, I use a different classification system for asset identification. My clients found my approach easy to follow and very straightforward.

1. information - databases, data files, electronic mails, SMS messages, information transmitted and received electronically

2. physical - computer and communication equipment, offices, locations, magnetic and optical media, generator set, UPS, ACU, facilities, offices

3. paper - information written down or printed on paper; contracts, guidelines, memoranda, SLAs, OLAs

4. software - in-house developed, COTS, operating system, development tools, utilities

5. people - management, employees, contractors, cleaners, clients

6. services - computing and communication service, lighting, heating, cooling, courier, outsourced software development, outsourced processes, shuttle service (note: service assets are services being received by the implementing organization and not the services being provided. Disruption to the services being received will impact the availability aspect of the service asset)

Would appreciate reading how you managed your asset identification process! Cheers! :)

Next topic - how to go about grouping similar assets. Geez! I have 150 servers; do I need to list them one-by-one?
 

Stijloor

Staff member
Super Moderator
#2
Comments anyone?

Thank you!!

Stijloor.
 

dsheaffe

Involved In Discussions
#3
While I am very much an ISO27001 newbie, in our organisation we followed a similar approach. We still retained the asset types noted in the standard - but we then provided the detail on what sorts of assets fell into each group (much the same as yours). We too found it much easier for the staff when identifying assets when they had some direction on "what" an asset was.

Looking forward to your next topic.
Dave
 

Richard Regalado

Trusted Information Resource
#4
Thanks Mate! Nice to read that ISO/IEC 27001 is alive and kicking in Wollongong.

The advantage of grouping assets in categories is that it provides the user a framework which is easier to manage than identifying them all in one go in a single bin - "assets".

Categorizing assets also allows for much easier identification (see control A.7.1.1 Inventory of assets) and allows for much simpler verification for duplicate and missing entries.

How far have you gone with your ISMS development Dave?
 

dsheaffe

Involved In Discussions
#5
How far have you gone with your ISMS development?
We are about 6 months into what we plan to be a 12 month implementation. Initial training for key staff is done, Asset Register is complete and we are about to start our Risk assessment. We already had plenty of info sec related policies and procedures - but no structure to support them, so we already have a fair proportion of the controls that we need already in place, so ISO27001 is really about having a framework to support the whole thing - and to fill in the gaps of what is missing.
 
#6
Morning All,

I am looking for an information security policy sample document that defines the following clauses in their policy:

1. Context of the organization - Clause 4
2. Information security policy - Clause 5
3. Management Review - Clause 9.3
4. Compliance & Legislation - Clause 18.1.1
 