How to Develop an Asset Inventory for ISO 27001

Melisa Wrobel April 27, 2023

ISO 27001 states the conditions that must be met to ensure effective Security Management in your organization. Because the standard includes specific requirements regarding IT assets, knowing how to develop an asset inventory for ISO 27001 will help ensure that your information assets, both physical and non-physical, are adequately protected. As a result, your organization will be safer as well.

In Annex A.8.1 of the standard, you can find the rules for Asset Management, where building an asset inventory is the first step of the process. A complete and detailed inventory will allow you to correctly filter, prioritize, and categorize your assets according to their status or risk.

Although most people tend to think of assets in terms of hardware (such as computers and servers), there are many other elements that should be considered. According to the security standard, it should also include people, intellectual property, or even intangible assets (i.e., the organization's brand).

In this article, we'll cover the importance of developing an asset inventory for ISO 27001 and offer you a few tips to do it.

Let’s dive in!

ISO 27001 Asset Management policy, in a nutshell

ISO 27001 is a globally recognized standard for Information Security Management that establishes the requirements to build an Information Security Management System (ISMS). Organizations use the standard to manage and protect all their sensitive information, as well as to demonstrate this knowledge and their compliance.

As we mentioned, IT Asset Management (ITAM) is critical for ISO 27001 compliance. This process involves identifying, classifying, and protecting the organization's assets, especially those that are relevant for information security.

By building and maintaining an accurate inventory of their IT assets, organizations can assess their associated risks, and implement appropriate security measures. It's essential to build an exhaustive and precise inventory from the start to correctly protect all of these assets, and therefore get ISO 27001 certified.



What should be included in an ISO 27001 asset inventory?

In ISO 27001, an asset is defined as anything of value to the organization where information is stored and processed. 

The 2013 version of the standard introduced a significant change to the requirements, which now considers all information assets, and not just physical ones. So, this definition contemplates all the tangible and intangible resources that an organization relies on to conduct its business: 

  • Hardware.
  • Software and data.
  • Employees.
  • Temporary staff, contractors, and volunteers.
  • Brand and reputation.
  • Intellectual property. 

The whole Asset Management process will involve identifying and classifying all assets, assessing their importance, and implementing security controls to protect them. Each type of asset can be grouped according to its classification, type of information, and financial or non-financial value. 

In addition, every specific asset should have an assigned owner and classification. An auditor will expect to see an inventory or several inventories covering all relevant assets, within the scope of the Information Security Management System.

Who should be the asset owner and what are their responsibilities according to the ISO 27001 standard?

The asset owner is responsible for the proper management of assets. This task includes both inventorying them, and ensuring that they are properly classified and protected. 

The owner does not necessarily have to be the legal or physical owner of the asset, but it is their responsibility to ensure the protection requirements, such as access restrictions, are being met and are aligned with the organization's policies and standards.

The owner should periodically review the state of their assets, and also ensure that they are being handled properly, for example, when disposing of or destroying them. Although the day-to-day Asset Management responsibilities (such as updating inventories and conducting audits) can be delegated, the ultimate responsibility for the whole process remains with the asset owner.

How to develop an asset inventory for ISO 27001

When creating an asset inventory for ISO 27001, you might be tempted to consider an Excel spreadsheet. But since it is a static document, sooner or later it will become very difficult to accurately keep it updated, and it could jeopardize your efforts to increase security in the organization.

ITAM software helps you avoid all that by providing you with a centralized, up-to-date, and automated view of your inventory, which will be the backbone of your Asset Management and IT security process.

The first step to kick off the process is to create a detailed and unified inventory.

Next, you need to build relationships between those assets. Which user is that laptop assigned to? Which software corresponds to that contract? Keep in mind that if you're working with more complex environments, a CMDB can be extremely helpful.

After establishing the foundations, it's time to make sure that everything is safe and in compliance with ISO 27001. Of course, it is impossible, or at least time-consuming and highly prone to error, to check asset by asset, so automation becomes really handy.

You could use Health Rules or monitoring alerts to assign status parameters to each asset type and customize them to your needs. This way, you can receive notifications if something goes wrong.

Another option is asset tagging. You can set certain rules and colors for different tags, and automatically assign them to the assets that match those rules. This is especially useful when it comes to ITAM reporting.
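The steps above (a unified inventory with an owner and classification per asset, relationships between assets, automated health rules, and rule-based tags) can be modelled in a few dozen lines. The following is an added example written for this article, not InvGate's or any ITAM product's code: the `Asset` record, the `HEALTH_RULES` and `TAG_RULES` predicates, and every identifier in the sample inventory (`HW-002`, `CTR-999`, and so on) are constructed for illustration. It shows what an auditor-style check would flag: an asset with no owner, an invalid classification, a laptop with no assigned user or disk encryption, and a relationship that points at an asset missing from the inventory.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Classification scheme and reference date are assumptions for this example.
CLASSIFICATIONS = {"public", "internal", "confidential"}
TODAY = date(2023, 4, 27)


@dataclass
class Asset:
    asset_id: str
    name: str
    asset_type: str                          # hardware, software, person, contract, data, intangible
    owner: Optional[str] = None              # accountable owner (not necessarily the legal owner)
    classification: Optional[str] = None
    attributes: dict = field(default_factory=dict)
    relations: dict = field(default_factory=dict)   # e.g. {"user": "PER-001", "contract": "CTR-001"}
    tags: set = field(default_factory=set)


# Constructed sample inventory: a person, a licence contract, two laptops and two applications.
INVENTORY = [
    Asset("PER-001", "Ana (IT)", "person", owner="HR", classification="internal"),
    Asset("CTR-001", "Office suite licence", "contract", owner="Procurement",
          classification="internal", attributes={"expires": date(2024, 1, 31)}),
    Asset("HW-001", "Laptop 17", "hardware", owner="IT", classification="confidential",
          attributes={"disk_encrypted": True}, relations={"user": "PER-001"}),
    Asset("HW-002", "Laptop 18", "hardware", owner=None, classification="confidential",
          attributes={"disk_encrypted": False}),          # no owner, no user, unencrypted
    Asset("SW-001", "Office suite", "software", owner="IT", classification="internal",
          relations={"contract": "CTR-001"}),
    Asset("SW-002", "Legacy CRM", "software", owner="Sales", classification="secret",  # not a valid class
          relations={"contract": "CTR-999"}),             # contract missing from the inventory
]

# Health rules: "*" applies to every asset, the others to one asset type.
# A predicate returning True means the asset fails that rule.
HEALTH_RULES = {
    "*": [
        ("missing_owner", lambda a: not a.owner),
        ("invalid_classification", lambda a: a.classification not in CLASSIFICATIONS),
    ],
    "hardware": [
        ("no_assigned_user", lambda a: "user" not in a.relations),
        ("disk_not_encrypted", lambda a: not a.attributes.get("disk_encrypted", False)),
    ],
    "software": [
        ("no_contract", lambda a: "contract" not in a.relations),
    ],
    "contract": [
        ("expired", lambda a: a.attributes.get("expires", TODAY) < TODAY),
    ],
}


def check_health(inventory):
    """Return {asset_id: [failed rule names]} for every asset that fails at least one rule."""
    findings = {}
    for a in inventory:
        rules = HEALTH_RULES["*"] + HEALTH_RULES.get(a.asset_type, [])
        failed = [name for name, pred in rules if pred(a)]
        if failed:
            findings[a.asset_id] = failed
    return findings


def find_dangling_relations(inventory):
    """Return (asset_id, relation, target) for relations whose target is not in the inventory."""
    known = {a.asset_id for a in inventory}
    return [(a.asset_id, rel, target) for a in inventory
            for rel, target in a.relations.items() if target not in known]


# Tag rules: (tag, colour, predicate). Tags are recomputed from the rules, never hand-set.
TAG_RULES = [
    ("confidential", "red", lambda a: a.classification == "confidential"),
    ("unassigned-hardware", "grey", lambda a: a.asset_type == "hardware" and "user" not in a.relations),
    ("needs-attention", "orange", lambda a: bool(check_health([a]))),
]


def apply_tags(inventory):
    """Assign every tag whose rule matches; returns {asset_id: {tags}} for tagged assets."""
    tagged = {}
    for a in inventory:
        a.tags = {tag for tag, _colour, pred in TAG_RULES if pred(a)}
        if a.tags:
            tagged[a.asset_id] = a.tags
    return tagged


if __name__ == "__main__":
    # Stand-in for the notification step: print what the rules flagged.
    for asset_id, failed in check_health(INVENTORY).items():
        print(f"ALERT {asset_id}: {', '.join(failed)}")
    for asset_id, rel, target in find_dangling_relations(INVENTORY):
        print(f"ALERT {asset_id}: relation '{rel}' points at unknown asset {target}")
    for asset_id, tags in apply_tags(INVENTORY).items():
        print(f"TAGS  {asset_id}: {sorted(tags)}")
```

Running the script prints alerts for `HW-002` (no owner, no user, disk not encrypted) and `SW-002` (classification outside the scheme, contract reference that resolves to nothing), and tags both as `needs-attention`. The rules live in data rather than in the inventory records, so adding a new check or tag colour is a one-line change and does not require touching each asset, which is the same property that makes an automated inventory easier to keep current than a spreadsheet.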

Final thoughts

Implementing ISO 27001 guarantees strong information security management for your organization. On top of this, being certified will allow you to showcase this knowledge.

However, it's important to note that this process has certain key components to consider. Amongst other elements, it asks for effective Asset Management practices to be put in place, following the specific requirements stated by the framework. 

Start building your IT inventory today and stay in compliance with ISO 27001!
