One of the first things organisations must do when implementing ISO 27001 is identify their information assets.
After all, it’s only once you know what needs to be protected that you can determine the threats to those assets and put in place appropriate defences.
An information asset is any piece of information that is of value to the organisation, together with the things that hold or process it. It can be, for example, a physical or digital file, a database, a disk or other storage device, a laptop, or a hard drive.
This blog explains how you should identify your organisation’s assets, and how this process fits within your ISO 27001 compliance project.
Creating an asset register
An asset-based risk assessment begins with an asset register. This document lists your information assets and all the places where sensitive information is kept, so that nothing is left out of the risk assessment that follows.
The best way to identify assets is to interview asset owners.
The ‘asset owner’ is the individual or entity responsible for controlling the production, development, maintenance, use and security of an information asset.
They will know how information flows through their department. As such, it will be quicker and less invasive to have each asset owner provide the necessary information than to have your implementation or compliance team scour the entire organisation.
If asset owners are unsure what they are responsible for, you should recommend that they list the software that they use, the documents in their folders and filing cabinets, the employees in the department, the equipment in their office, and so on.
You can make their job more manageable if you have access to existing registers – such as a list of employees from HR, a list of licensed software, or a fixed asset register from finance. In those cases, give the asset owner those lists to check and annotate, so that they don’t have to identify assets solely from memory and you can spot anything that appears on a register but has no owner.
What comes next?
Once you’ve completed the asset register, you can begin to identify and analyse the risks associated with those assets. This means identifying the threats to, and vulnerabilities in, each asset.
A threat is any incident that could negatively affect an asset, for example if it’s lost, knocked offline or accessed by an unauthorised party.
Examples of threats include criminal hacking, a malicious insider stealing information, technical malfunctions, or events that cause physical damage, such as a fire or natural disaster.
Meanwhile, a vulnerability is a weakness that a threat can exploit to destroy, damage or compromise an asset. A threat that has no corresponding vulnerability to exploit does not give rise to a risk, which is why the two are assessed together.
Examples of vulnerabilities include bugs in your systems; physical weaknesses, such as a broken lock that lets unauthorised parties into a restricted part of your premises; and poorly written (or non-existent) processes that could lead to employees exposing information.
You can find out more about the way assets, threats and vulnerabilities interact by reading our blog.
We also offer a free white paper that contains an in-depth explanation of the risk assessment process. 5 critical steps to successful ISO 27001 risk assessments advises you on:
- How to determine the optimum risk scale so you can assess the impact and likelihood of risks;
- How to systematically identify, evaluate and analyse risks without losing your mind; and
- The baseline security criteria you must establish for a successful ISO 27001 implementation.
A version of this blog was originally published on 16 June 2016