ISO 27001 states the necessary conditions that must be followed in order to ensure effective Security Management in your organization. Because the framework includes specific requirements regarding IT assets, knowing how to develop an asset inventory for ISO 27001 will help ensure that your information assets – both physical and non-physical – are adequately protected. As a result, your organization will be safer as well.
In Annex A.8.1 of the standard, you can find the rules for Asset Management, where building an asset inventory is the first step of the process. A complete and detailed inventory will allow you to correctly filter, prioritize, and categorize your assets according to their status or risk.
Although most people tend to think of assets in terms of hardware (such as computers and servers), there are many other elements that should be considered. According to the security standard, it should also include people, intellectual property, or even intangible assets (i.e., the organization's brand).
In this article, we'll cover the importance of developing an asset inventory for ISO 27001 and how you can do it with InvGate Insight.
Let’s dive in!
ISO 27001 Asset Management policy, in a nutshell
ISO 27001 is a globally recognized standard for Information Security Management that establishes the requirements for building an Information Security Management System (ISMS). Organizations use the standard to manage and protect their sensitive information, as well as to demonstrate that compliance to others.
As mentioned, IT Asset Management (ITAM) is critical for ISO 27001 compliance. It involves identifying, classifying, and protecting the organization's assets, especially those relevant to information security.
By building and maintaining an accurate inventory of their IT assets, organizations can assess their associated risks, and implement appropriate security measures. It's essential to build an exhaustive and precise inventory from the start to correctly protect all of these assets, and therefore get ISO 27001 certified.
What should be included in an ISO 27001 asset inventory?
In ISO 27001, an asset is defined as anything of value to the organization where information is stored and processed.
The 2013 version of the standard introduced a significant change to the requirements, which now cover all information assets, not just physical ones. So, this definition includes all the tangible and intangible resources that an organization relies on to conduct its business, for example:
- Software and data.
- Temporary staff, contractors, and volunteers.
- Brand and reputation.
- Intellectual property.
The whole Asset Management process will involve identifying and classifying all assets, assessing their importance, and implementing security controls to protect them. Each type of asset can be grouped according to its classification, type of information, and financial or non-financial value.
In addition, every specific asset should have an assigned owner and classification. An auditor will expect to see an inventory or several inventories covering all relevant assets, within the scope of the Information Security Management System.
Who should be the asset owner and what are their responsibilities according to the ISO 27001 standard?
The asset owner is responsible for the proper management of assets. This task includes both inventorying them, and ensuring that they are properly classified and protected.
The owner does not necessarily have to be the legal or physical owner of the asset, but it is their responsibility to ensure the protection requirements, such as access restrictions, are being met and are aligned with the organization's policies and standards.
The owner should periodically review the state of their assets, and also ensure that they are being handled properly, for example, when disposing of or destroying them. Although the day-to-day Asset Management responsibilities (such as updating inventories and conducting audits) can be delegated, the ultimate responsibility for the whole process remains with the asset owner.
How to develop an asset inventory for ISO 27001 with InvGate Insight
When creating an asset inventory for ISO 27001, you might be tempted to consider an Excel spreadsheet. But since it is a static document, sooner or later it will become very difficult to accurately keep it updated, and it could jeopardize your efforts to increase security in the organization.
InvGate Insight helps you avoid all that by providing you with a centralized, up-to-date, and automated view of your inventory, which will be the backbone of your Asset Management and IT security process.
The first step is to create a detailed and unified inventory. In InvGate Insight, you can classify all the assets that ISO 27001 considers, including physical and non-physical ones. You can choose from different options to do this:
- Install an Agent on your devices.
- Use the Discovery feature.
- Import assets from your clouds.
- Upload a .xls or .csv file.
- Create assets manually.
Once this has been done, you can categorize them using a list of preset CIs (configuration items): trackable and non-trackable assets, software, business applications, users, locations, and contracts. You can also add custom fields or build your own asset categories, if needed.
The next step is to build relationships between those assets. Which user owns that laptop? Which software corresponds to that contract? Keep in mind that if you're working with more complex environments, the CMDB is the feature to turn to.
After establishing the foundations, it's time to make sure that everything is safe and in compliance with ISO 27001. Of course, checking asset by asset is impossible, or at the very least time-consuming and highly prone to error, so automation is essential. Let's see how you can do it in InvGate Insight.
Health Rules allow you to assign status parameters to each asset type and customize them to your needs. Every time something isn't working as it should, you get a notification, or you can see it directly on the asset profile. There are three statuses that your devices can be in, and which one applies depends on how you configure the rules:
- Green means that your devices are safe.
- Yellow means there’s a warning.
- Red means that your devices are in critical status.
Another option is Smart Tags. You can set rules and colors for different tags, and automatically assign them to the assets that match them. This is especially useful when it comes to ITAM reporting.
Implementing ISO 27001 guarantees strong information security management for your organization. On top of this, being certified will allow you to showcase this knowledge.
However, it's important to note that this process has certain key components to consider. Amongst other elements, it asks for effective Asset Management practices to be put in place, following the specific requirements stated by the framework.
Managing your IT inventory with InvGate Insight will help your organization comply with the standard, by providing you with the resources to easily maintain an accurate inventory of your IT assets, and at the same time assess possible risks, and implement appropriate security measures to protect them.
To be one step closer to the standard, access InvGate Insight’s 30-day free trial!