One of the most important standards that any company should be aware of in 2019 is ISO 27001 -Information Security Management. This particular standard comes with a variety of clauses which include the all-important Clause A.8. For those unfamiliar with this clause, it references asset management and more importantly how a company controls assets which handle information.
Asset management of information processors and controllers is extremely important, and it is something which should be considered carefully. Here, we are going to look at the factors affecting these assets in the workplace.
A.8.1 Responsibility
While asset management is a very important part of any business and in some cases forms a crucial part of your IT systems, however many organisations neglect the need for proper control of such assets related to information security management. Some may create a register and review once per year; others may have external support that looks after the assets to ensure that their Email and computing abilities remain in place. But true information security management goes much further than this and has become a fundamental for many organisations to be able to tender for work or deliver services to certain industries.
Luckily, organising your assets is relatively straightforward as long as you understand the various factors that go into creating an asset register and the controls to support that. Essentially, you need to locate any assets that you have that can include desktops, hard drives, laptops, tablets, smart phones, USB’s, software and anything else within your organisation that will either control or access information in your business. Now let’s document all this in one place, it makes sense to have everything centrally controlled.
The important part here is to define the owner of the assets. This is assigning responsibility and making sure that any assets have a definition of how they are to be used. It can be helpful to create an Acceptable Use policy to deal with this, letting your employees understand how what they can and cannot do with company assets and importantly the information they access with them.
A.8.2 Information Classification
When looking closely at your information handling assets within the organisation, you also need to consider classify the information. There are a few ways that you can do this but essentially, you should aim for a ranking system, which will help you identify in the future the risk associated to information from such assets. Some of the classifications that could be used include ‘confidential’, ‘public’, ‘secret’ and ‘internal’.
The importance of some of your assets over others is down to you. In the ISO 27001 standard, you must decide which assets need to have a higher level of protection than others and make it work for your business.
A.8.3 Media Handling
It is also important to consider the media within your organisation when looking at ISO 27001 Clause A.8. As time goes on and we start to make more of our information portable, we must ensure that anything that holds or has access to information in our organisation is kept secure. Not only are we protecting information we hold on our employees, but also that of suppliers, clients and possibly even end users of our products and services
This can depend on the kind of devices that you have within your organisation, but most will have laptops, smart phones, tablets and various forms of portable hard drives that need to be controlled. Each type of media needs to be considered carefully, how it is used, accessed and importantly how using it incorrectly could risk your business losing data, or being exposed to a security breach.
When compiling your media list, you must include everything within your organisation and do not stop until you have an exhaustive list. This is a very important part of information security asset management and missing anything out could be detrimental to your business.
It is also worth noting at this point that you should also have a system in place for disposing of the media within your organisation once it is no longer required. This could be when a member of staff leaves or when something is no longer functioning. All data must be kept secured or be destroyed, otherwise, the organisation is at risk.
Key Points
Information Security Asset Management is something which every business should be concerned with and now is the time to make the changes to your organisation if you haven’t already. When dealing with ISO 27001, you must consider Clause A.8 and evaluate all of the assets that you have.
Try to establish an exhaustive list and organise everything in a way that is easy to manage in one place. If you need any assistance on this or further information on the importance of ISO 27001 then make sure to get in touch with FQM Ltd. We are always happy to help with improving your standards.