ISO 27001 and Asset Management: What Does Annex A.8.1 Say?

Sophie Danby May 5, 2023
- 7 min read

ISO 27001 is the gold standard to follow for effective Information Security Management, and it is deeply related to IT Asset Management. In particular, the annex A.8.1 provides all the necessary information to manage your information assets properly. So, understanding the full scope of it is crucial to create an all-round ITAM strategy that will ensure all your assets are always fully protected.

In this article, we will give an overview of the ISO 27001 clause 8, and see how the standard is related to ITAM practices. Then, we will explore in more detail what the annex A.8.1 involves and how implementing it can make sure your organization is being kept secure.

Ready to learn about ISO 27001 and Asset Management? Let's get started! 



An overview of the ISO 27001 clause 8

First things first, let's take a look at the ISO 27001 clause 8. This clause specifies all the requirements that must be met when implementing information security. It also states how the security controls – which were defined in the previous clauses – must be implemented and maintained.

Put simply, clause 8 emphasizes the importance of implementing, monitoring, and reviewing an organization's Information Security Management System (ISMS) to ensure that it operates effectively and meets its objectives. 

But, why is this important for IT Asset Management? ITAM is in charge of managing and protecting your IT assets, and an imperative part of this process is to protect the stored data. Luckily, the ISO 27001 standard includes Asset Management-specific items which help you understand how to keep your information and its assets safe. In clause 8, you can find the requirements and responsibilities for security practices specific to Asset Management and the types of assets under its control.

What are "assets" according to the ISO 27001 standard?

In Information Security Management, assets refer to anything valuable to an organization that should be protected from unauthorized access, use, disclosure, modification, destruction, or compromise.

This definition includes not only tangible items, such as hardware, software, and network equipment, but also intangible assets, which incorporate other elements, such as information, knowledge, intellectual property, and reputation.

ISO 27001 recognizes four types of assets:

  • Human assets - Colleague knowledge, skill sets, level of training, and other personal and behavioral values.
  • Financial assets - Cash, stocks, deposits, and other liquid assets that may or may not have an inherent worth or physical form.
  • Information assets - Paper or digital documentation, passwords, encryption keys, and databases.
  • Intangible assets - License information or documentation pertaining to trademarks, patents, certifications, and other assets that may affect an organization's reputation. 

The standard states that organizations should identify and classify their assets based on their importance to the business, the sensitivity of the information they contain, and the potential impact of a security breach or loss.

This way, it helps companies handle their ITAM by encouraging them to recognize and focus on their most significant exposure areas. In doing so, organizations prioritize their security controls and allocate resources more effectively to protect their critical assets.

ISO 27001 and Asset Management: What does annex A.8.1 say?

Annex A.8.1 is a critical part of ISO 27001 when considering ITAM practices, as it provides the guidelines for organizations to identify their assets and it defines their responsibilities in order to protect them effectively. 

In other words, it will help you build an asset register, which will ensure your organization is correctly keeping track of everything. It also specifies the policies and processes you need to manage the ownership of these assets, their acceptable usage, and how to return them. 

Let's break down the different sections of the annex, to understand this process in more detail.

8.1.1 - Inventory of assets

This section deals with something crucial: keeping an inventory of your assets in compliance with ISO 27001. Here the annex states that information assets and facilities must be identified and placed under the control of a structured process. These assets should be organized in an inventory to be tracked and managed throughout their whole lifecycle, which includes creation, processing, storage, transmission, deletion, and destruction. 

The standard states that these activities must be documented in an asset register, regularly updated, and checked for accuracy to ensure that what is captured is aligned with what is installed in your IT environment. 

The best way to comply with the ISO 27001 is to have the support of the right ITAM tool to maintain your inventory, manage assets, and generate reports.

8.1.2 - Ownership of assets

This section deals with how ownership is assigned. In short, all assets must have a defined Asset Owner at the point of creation, who are responsible for managing them throughout their lifecycle. This can be individuals, teams, or named departments. 

Asset owners are responsible for keeping the asset information updated in the database or inventory – ensuring that everything is classified correctly and that the appropriate security controls are in place. They're also responsible for reviewing any related documentation, ensuring that it's subject to a regular review cycle, and that when an asset is retired, it is disposed of using the appropriate channels.

8.1.3 - Acceptable use of assets

This section deals with creating an acceptable usage policy for all colleagues with access to secure IT assets. Even if it can seem obvious for the IT team what is and isn't good behavior when using equipment, that isn't necessarily the case for business colleagues and end-users.

Create a policy that sets out the acceptable use of IT assets and the security requirements when using them. Then, ensure they're made known to all colleagues that can access them. These policies must always be regularly reviewed, updated, and enforced through training activities. 

8.1.4 - Return of assets

This section deals with ensuring that all assets are returned when an individual or third party leaves the business. Employees, external contractors, suppliers, and partners must return all IT assets to the organization when their employment or contract ends. 

Suppose a former employee or third party purchased the equipment. In that case, they must follow a pre-agreed process to transfer prosperity data to the company before leaving the business. This process must be documented, and any non-returns must be flagged as security incidents, unless signed for and agreed upon as part of the offboarding process

Why is ISO 27001 important for Asset Management – and who should use it?

The ISO 27001 standard is important for Asset Management because it provides a systematic and risk management-based approach to assessing and managing the security of an organization's assets. By implementing it, organizations can establish an ISMS that helps them protect their critical assets, and ensure their information and resources' confidentiality, integrity, and availability (CIA). 

CIA means that assets are protected so that any confidential information stored on the remains safe, that the integrity of the asset isn't compromised, and the asset is available when needed.

ISO 27001 can be used by anyone responsible for implementing, maintaining, or auditing an ISMS. Typical users include information security managers and specialists, risk managers, finance and procurement managers, governance, regulatory, and compliance (GRC) managers, and internal auditors. It is also relevant for third-party suppliers, partners, and service providers who may be responsible for handling an organization's assets or providing services related to Information Security Management or IT Asset Management.

Implementing the standard is particularly important for organizations with legal, regulatory, or compliance requirements around their assets and the data they support. This is an organization that typically handles sensitive information, such as hospitals and healthcare providers, pharmaceuticals, financial institutions, and government agencies. 

Get your ISO 27001 checklist
for free

Download now

In conclusion

There's a strong link between ISO 27001 and Asset Management. Specifically, the annex A.8.1 focuses on ITAM practices, and provides organizations specific requirements to identify their assets and define their responsibilities to protect them effectively.

The four main activities described by the annex are:

  • Asset inventory
  • Asset ownership
  • Acceptable usage of assets
  • Return of assets

Having an ITAM solution can become the best way to address these activities from one single spot. So, make sure to find the one that best suits your needs!

Read other articles like this : ITAM, InvGate Insight, Cybersecurity

Evaluate InvGate as Your ITSM Solution

30-day free trial - No credit card needed