This article provides an overview of asset management and why it is important for information security as part of ISO 27002 compliance.

The objective of responsibility for assets is to identify organisational assets and define appropriate protection responsibilities.

The objective of information classification is to ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.

The objective of media handling is to prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

Responsibility for assets:

  1. Inventory of assets – assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.
  2. Ownership of assets – assets maintained in the inventory should be owned. Individuals with approved management responsibility for the asset lifecycle qualify to be assigned as asset owners.
  3. Acceptable use of assets – rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented.
  4. Return of assets – all employees and contractors should return all of the organisational assets in their possession upon termination of their employment, contract or agreement.

Information Classification:

  1. Classification guidelines – information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
  2. Labelling of information – an appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organisation.
  3. Handling of information – procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organisation.

Media Handling:

  1. Management of removable media – procedures should be implemented for the management of removable media in accordance with the classification scheme adopted by the organisation.
  2. Disposal of media – media should be disposed of securely when no longer required, using formal procedures.
  3. Physical media transfer – media containing information should be protected against unauthorised access, misuse or corruption during transportation.

For more information please contact Morland-Austin at info@morland-austin.com.