ISO 27001 Controls: Annex A.8 Asset Management

Jan 20, 2023by Maya G

Annex A.8 controls can help position your organisation for success if you are aiming to align your information security management system (ISMS) with the ISO 27001 standard. Annex A.8 covers asset management: knowing which information assets you have, assigning accountability for them, and controlling how they are classified, handled and disposed of.

The key to complying with ISO 27001 and running sound information security procedures is to identify, through a risk assessment, which Annex A controls you need and then put them in place. This article covers Annex A.8: the prerequisites for effective asset management, why assets should be managed in an integrated way, and how to build an asset inventory.

What is Annex A.8?

Annex A.8 of ISO/IEC 27001:2013 is the Asset management control set. It contains ten controls grouped under three objectives:

  • A.8.1 Responsibility for assets (A.8.1.1 to A.8.1.4)
  • A.8.2 Information classification (A.8.2.1 to A.8.2.3)
  • A.8.3 Media handling (A.8.3.1 to A.8.3.3)

Annex A is a reference list rather than a prescription: an organisation selects the controls its risk assessment justifies and records that selection, including the reasons for any exclusions, in its Statement of Applicability. The goal of Annex A.8 is to make sure that every asset that stores or processes information is known, has an accountable owner, is classified according to its value and sensitivity, and is handled and disposed of in a way that matches that classification.

The numbering used throughout this article is that of the 2013 edition. The 2022 revision of ISO/IEC 27001 reorganised Annex A into four themes (organisational, people, physical and technological); the asset management controls now appear mainly as 5.9 to 5.14 under organisational controls and 7.10 Storage media under physical controls, and "A.8" in that edition refers to the technological controls.

What is Asset Management?

Asset management is the process of identifying, tracking, and maintaining information about an organisation's assets. Its goal is to minimise risk and maximise the return on the investment made in those assets. To achieve this, an organisation must have a clear picture of what assets it has, who is responsible for them, and how they are used.

Asset management is a critical component of any risk management strategy. By identifying assets and quantifying the risk to them, asset owners can make informed decisions about where to allocate protective resources.

Asset management is also an important part of compliance with ISO 27001, the international standard for information security management. Where the A.8 controls are selected, the standard expects the organisation to identify its information assets, assign owners to them, classify them, and protect them throughout their life cycle.

What are the levels/types of assets?

Assets can be broadly described as anything that an organisation considers valuable, which goes well beyond tangible or physical items. In an ISMS the term covers hardware and software, outsourced services such as chat and email systems, and infrastructure that affects the availability of information. Beyond those, four broad categories are commonly distinguished:

  • Human assets: the skills of the workforce, their level of training, and other attributes such as loyalty.
  • Financial assets: cash, stocks, deposits, and other liquid assets, with or without intrinsic value or physical existence.
  • Information assets: databases, passwords, and encryption keys, whether they are written on paper or held digitally.
  • Intangible assets: licences, trademarks, certifications, and other assets that could affect the company's reputation.

Annex A.8.1 - Responsibility of assets:

Organisations must identify and document who is responsible for the assets associated with information and information processing facilities. Management should review and approve these responsibilities. This ensures that there is an appropriate level of control over the assets and that the individuals responsible for them understand their roles.

When defining roles and responsibilities, the following factors should be taken into account:

  • The value of the asset to the organisation
  • The sensitivity of the asset
  • The level of access required to the asset
  • The confidentiality, integrity and availability requirements for the asset
  • The impact of losing the asset

A.8.1.1 - Inventory of assets

The purpose of the asset inventory is to list and describe the organisation's information assets, record where they are, and name who owns them. This helps the organisation understand its information assets and their value so that they can be protected appropriately. An information asset is anything that has value to the organisation, including:

  • Physical assets, such as computers, servers, and office equipment
  • Electronic assets, such as software, databases, and websites
  • Intellectual property, such as patents, copyrights, and trademarks
  • Sensitive information, such as customer data, financial records, and employee files

Each inventory entry should at least identify the asset, its type, its owner, its location, and its classification. The inventory should be reviewed and updated on a regular basis and whenever assets are added, moved, reassigned or retired, as the organisation's information assets are constantly changing.

A.8.1.2 - Ownership of assets:

Ownership of assets is a critical component of any organisation's security posture. The purpose of this control is that every asset in the inventory has a named owner: an individual or role who is accountable for the asset over its whole life cycle. That owner is responsible for ensuring the asset is inventoried, classified and protected appropriately, for defining and reviewing who may access it, and for ensuring it is handled correctly when it is deleted or destroyed. The owner is accountable for the asset but does not necessarily hold it day to day; a custodian (for example IT operations) may manage it on the owner's behalf.

Organisations should clearly define and document the roles and responsibilities of asset ownership. This helps ensure that all assets are accounted for and that unauthorised access is prevented. Furthermore, all changes to asset ownership should be tracked and recorded, so that no asset is left without an accountable owner when people change roles or leave.

This control is applicable to all organisations regardless of size or industry. To implement it effectively, organisations should take the following steps:

  • Define the roles and responsibilities of asset owners and custodians
  • Develop a process for tracking and approving changes to asset ownership
  • Periodically check that every inventoried asset has a current, valid owner and that unauthorised access is prevented

A.8.1.3 - Acceptable use of assets:

The control requires that rules for the acceptable use of information and of the assets associated with information processing facilities be identified, documented and implemented, normally in an acceptable use policy.

The requirements of A.8.1.3 are as follows:

  • Establish, implement, maintain and document a policy for the acceptable use of information and information processing assets.
  • Ensure that the policy:
      - is consistent with the organisation's information security policy;
      - sets out acceptable use criteria for information and information processing assets;
      - defines the consequences of breaching the policy.
  • Make employees and external party users aware of the rules, and have them acknowledge them, before they are given access to the assets.

The acceptable use policy should be reviewed and updated regularly to ensure that it remains relevant and up to date.

A.8.1.4 - Return of assets:

The purpose of this control is to ensure that all employees and external party users return the organisational assets in their possession when their employment, contract or agreement ends. This covers physical assets such as laptops, phones, access tokens and removable media, as well as documents, software and any information the person holds.

Organisations should make the return of assets a formal, recorded step in the termination or offboarding process. Where a person uses their own equipment for work, the process should ensure that relevant information is transferred to the organisation and securely erased from that equipment. During a notice period, the organisation should also guard against unauthorised copying of information, since knowledge and access are assets too.

This control is applicable to all organisations regardless of size or industry. To implement it effectively, organisations should take the following steps:

  • Maintain, through the inventory, a record of which assets each person holds
  • Define a termination checklist that lists every asset to be returned and every access right to be revoked, and record its completion
  • Reconcile the inventory after each departure to confirm that nothing is still assigned to someone who has left

8.2 Information classification:

What is the objective of Annex A.8.2?

The objective of A.8.2 is to ensure that information receives an appropriate level of protection in accordance with its importance to the organisation. It provides a framework for classifying information so that the organisation can determine the level of security each asset requires.

The principle is that the level of protection should be commensurate with the value of the asset to the organisation. That value is determined by the asset's legal requirements, its criticality and its sensitivity, and by the potential impact of its unauthorised disclosure or modification.

The standard does not prescribe classification levels; the organisation defines its own scheme. A common scheme has three or four levels, for example public, internal and confidential (sometimes with a further restricted level), each with an associated set of handling controls that must be applied to information at that level.

The classification of information is a key component of an information security management system (ISMS) and is essential for the proper management of information assets.

A.8.2.1 Classification of Information:

A.8.2.1 Classification of information is the process of identifying information assets and assigning each a classification in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. It is a fundamental security control that helps organisations protect their information from unauthorised disclosure. Asset owners are responsible for classifying their assets, and classifications should be reviewed over time because the value of information changes.

Classification of information is a three-step process:

  1. Identify the information assets that need to be protected.
  2. Classify the information assets based on their sensitivity.
  3. Label the information assets with the appropriate security classification.

Information classification aims to ensure that information is handled in a manner that protects its sensitivity and integrity. By classifying information, organizations can control who has access to it and how it is used.

Information classification is an important part of an organization’s security program and should be part of the organization’s overall governance framework.

8.2.2 Labelling of information

Labelling of information is the process of marking information so that its classification is visible to whoever handles it. The purpose of labelling is to help the people and systems handling the information apply the security controls appropriate to its level.

The sensitivity of information should be determined by the organisation and should be based on an impact assessment. Labels should be easy to recognise and should be applied to information in all formats (for example hard copy, electronic files and email), as well as to the media that store it; where labelling is not practical, the handling procedures should say how classification is communicated instead.

Labels typically convey three kinds of information:

- Classification labels: these indicate the sensitivity level of the information and therefore which set of security controls applies.

- Handling labels: these indicate special handling instructions, such as the need for encryption, restrictions on forwarding, or a requirement to destroy the information after a certain period.

- Ownership and origin labels: these identify the owner or originating organisation so that it is clear who may authorise release of the information. A label is only an indicator; the protection comes from the controls applied in response to it.

Organisations should have a policy and procedure for labelling information. The policy should specify the types of labels to be used, the sensitivity levels and the security controls for each level, and the process for applying labels to information.

8.2.3 Handling of assets

The objective of 8.2.3 Handling of assets is to ensure that assets are handled, in accordance with the organisation's classification scheme and procedures, in a way that maintains their confidentiality, integrity and availability.

The standard does not break this control into numbered sub-controls. In practice, the handling procedures an organisation writes for each classification level cover topics such as:

- Physical and environmental protection of the assets

- Where assets may be stored and processed

- Access restrictions that support the protection requirements of each classification level

- Keeping a record of the authorised recipients of classified information

- Protecting temporary and interim copies to the same level as the original

- Storing assets in line with the manufacturer's specifications

- Marking all copies of media for the attention of the authorised recipient

- Handling of removable media, and safe disposal or re-use of assets

Organisations should select and implement the controls appropriate to their particular circumstances and needs.

Organisations need to define and agree handling requirements and security responsibilities before these can be implemented. The handling procedures should cover all assets in scope, regardless of who owns them (for example system components, devices, information and people). Where handling an asset changes it, such as reclassifying it, moving it to another location or reassigning it, the change should be authorised, reviewed and approved before it is carried out, and the procedure should state which types of change require approval, what the approval process is, and who is responsible for each type of change.

8.3 Media handling

What is the objective of Annex A.8.3?

Annex A.8.3 of ISO/IEC 27001:2013 is titled "Media handling". Its objective is to prevent unauthorised disclosure, modification, removal or destruction of information stored on media. "Media" here covers anything that can store information and be moved, from USB sticks and backup tapes to printed documents.

To achieve this, the annex contains three controls:

  • A.8.3.1 Management of removable media
  • A.8.3.2 Disposal of media
  • A.8.3.3 Physical media transfer

Together they cover the life cycle of portable media: how it may be used and by whom, how it is sanitised or destroyed when no longer needed, and how it is protected while in transit. The controls apply to media holding any type of organisational information; the classification of that information determines how strictly they are applied.

8.3.1 Management of removable media:

8.3.1 Management of removable media describes the measures that should be implemented to protect against unauthorised use of removable storage media, in accordance with the organisation's classification scheme. It covers both the physical security of the media and the logical security of the data on it, for example encryption of the stored data.

To comply with 8.3.1, organisations must have a policy that covers the use of removable media. The policy should address who is authorised to use removable media, what types of data can be stored on it, whether that data must be encrypted, and how the media is managed and disposed of. If there is no business need for removable media, the policy should say so and its use should be disabled.

In addition to having a policy in place, organisations must ensure that their employees know the risks associated with removable media and how to handle it properly. Employee training is an essential part of compliance with 8.3.1.

Compliance with 8.3.1 helps organisations protect their data and prevent unauthorised access.

The primary objectives of 8.3.1 Management of removable media are to ensure that:

  1. Media is only used for authorised purposes.
  2. Media is only handled by authorised personnel.
  3. Media is only removed from the premises by authorised personnel, with the removal recorded.
  4. Media is only transferred to authorised locations.
  5. Outgoing media is free from malware.
  6. Incoming media is scanned for malware.
  7. Media is stored in a secure location when not in use.
  8. Media is sanitised or destroyed when no longer needed.

8.3.2 Disposal of media:

As per ISO/IEC 27001, 8.3.2 Disposal of media is the secure disposal, using formal procedures, of all media (electronic or otherwise) that contains information which is no longer required.

The process of 8.3.2 Disposal of media covers the following objectives:

- Sanitising media that is to be re-used, so that the previous contents cannot be recovered

- Destroying media that is to be discarded, so that it cannot be read again

The process of 8.3.2 Disposal of media is important for the following reasons:

  • To prevent sensitive or confidential information from falling into the wrong hands
  • To ensure that information which is no longer required is removed from organisational systems
  • To ensure compliance with any relevant legislation or regulation

When it comes to the disposal of media, there are a number of things to consider. In particular, you need to ensure that data is erased or destroyed in a way that prevents it from being recovered. The appropriate method depends on the type of media and the sensitivity of the data: overwriting is suitable for magnetic disks, but solid-state drives and flash media remap and spare blocks internally, so an overwrite may leave data behind; for those, rely on encryption from the start (so that destroying the key sanitises the drive) or on physical destruction. Paper and optical media are shredded or otherwise physically destroyed. If disposal is outsourced, choose the contractor with care and obtain evidence of destruction.

In general, you should follow these steps when disposing of media:

  1. Identify the media that needs to be disposed of
  2. Identify the type and classification of the data stored on the media
  3. Determine the appropriate disposal method for that media type and classification
  4. Sanitise or destroy the data and verify that it cannot be recovered
  5. Dispose of the media, and keep a record of what was disposed of, when, how and by whom

If you follow these steps and keep the record, you can demonstrate that data was securely erased and that the media was disposed of in a way that prevents recovery; for sensitive information the disposal log is also useful evidence during an audit.

8.3.3 Physical media transfer:

The 8.3.3 physical media transfer control is designed to protect against unauthorized access to or modification of information assets during their transfer between locations. The control is relevant to any type of physical media, including but not limited to:

  • USB drives
  • External hard drives
  • Optical media (CDs, DVDs)
  • Magnetic media (tapes)

When physical media is transferred between locations, there is a risk that the media may be lost, stolen or tampered with, or that unauthorised individuals may gain access to the data. The 8.3.3 control mitigates these risks by ensuring that physical media is transferred securely and only by authorised personnel or couriers.

The 8.3.3 control requires that the transfer of physical media be conducted securely, using reliable transport or couriers and packaging sufficient to protect the contents (for example locked briefcases or security containers, and encryption of the data on the media where the classification warrants it). The list of authorised couriers should be agreed with management, and the identity of the courier should be verified at hand-over. A record of each transfer should be kept, identifying the contents, the protection applied, and the time of dispatch and receipt.

How do you build an Asset Inventory?

The purpose of an asset inventory is to identify and track all of the organization’s physical and logical assets. This includes hardware, software, applications, databases, people, and facilities. The inventory should be kept up-to-date and reviewed on a regular basis.

An asset inventory is a critical part of an organization’s security posture. It helps to ensure that all assets are accounted for and that appropriate security measures are in place. In addition, an inventory can be used to support incident response and forensics activities.
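As an added illustration (not part of the original article and not an artefact of the standard), the following Python script holds a small asset inventory and runs the consistency checks an internal audit of Annex A.8 typically asks about: every asset has an owner who is still with the organisation (A.8.1.2), nothing is still held by someone who has left (A.8.1.4), classifications come from the agreed scheme (A.8.2.1), inventory entries are reviewed on time (A.8.1.1), and sensitive data on removable media is encrypted (A.8.3.1). The assets, the people directory, the classification scheme, the annual review interval and the "Confidential and above must be encrypted" rule are all constructed assumptions; substitute your own.

```python
"""Added example: a minimal information-asset inventory with the consistency
checks an internal audit of Annex A.8 would ask about.  The assets, people
directory, classification scheme, review interval and handling rule below are
constructed for illustration (hypothetical), not taken from the standard."""
from dataclasses import dataclass
from datetime import date

# Hypothetical classification scheme, lowest to highest; ISO 27001 leaves the
# scheme to the organisation.
SCHEME = ("Public", "Internal", "Confidential", "Restricted")
REVIEW_INTERVAL_DAYS = 365        # assumption: inventory entries are reviewed yearly
REMOVABLE_TYPES = {"usb", "tape", "optical", "external-disk"}
AUDIT_DATE = date(2023, 1, 20)    # constructed "today" for the sample run


@dataclass
class Asset:
    asset_id: str
    name: str
    asset_type: str       # "server", "database", "laptop", "usb", "service", ...
    classification: str   # expected to be one of SCHEME
    owner: str            # accountable person (A.8.1.2); "" means unassigned
    custodian: str        # person currently holding it; "" for shared assets
    location: str
    last_reviewed: date   # when this inventory entry was last confirmed (A.8.1.1)
    encrypted: bool = False


# Constructed people directory: who still works here (drives A.8.1.2 / A.8.1.4).
PEOPLE = {
    "alice": "active",
    "bob": "active",
    "carol": "left",
}

# Constructed sample inventory with deliberate defects for the audit to catch.
INVENTORY = [
    Asset("A-001", "HR database", "database", "Restricted", "alice", "", "dc1", date(2022, 12, 1)),
    Asset("A-002", "Marketing website", "website", "Public", "bob", "bob", "cloud", date(2022, 6, 1)),
    Asset("A-003", "Finance laptop", "laptop", "Confidential", "bob", "carol", "remote", date(2022, 12, 15)),
    Asset("A-004", "Backup USB stick", "usb", "Confidential", "", "bob", "safe", date(2021, 1, 10)),
    Asset("A-005", "Support chat (SaaS)", "service", "Secret", "carol", "", "vendor", date(2022, 12, 20)),
]


def audit(inventory, people, today, scheme=SCHEME, interval=REVIEW_INTERVAL_DAYS):
    """Return a list of (asset_id, control, message) findings.

    One finding per failed check; a single asset can produce several."""
    findings = []
    for a in inventory:
        # A.8.1.2: every asset needs an owner, and the owner must still be staff.
        if not a.owner:
            findings.append((a.asset_id, "A.8.1.2", "no owner assigned"))
        elif people.get(a.owner) != "active":
            findings.append((a.asset_id, "A.8.1.2",
                             f"owner {a.owner!r} is not an active member of staff"))
        # A.8.1.4: an asset still assigned to someone who has left was not returned.
        if a.custodian and people.get(a.custodian) == "left":
            findings.append((a.asset_id, "A.8.1.4",
                             f"held by {a.custodian!r}, who has left; return not recorded"))
        # A.8.2.1: the classification must come from the agreed scheme.
        if a.classification not in scheme:
            findings.append((a.asset_id, "A.8.2.1",
                             f"classification {a.classification!r} is not in the scheme"))
        # A.8.1.1: inventory entries must be reviewed regularly.
        if (today - a.last_reviewed).days > interval:
            findings.append((a.asset_id, "A.8.1.1",
                             f"entry not reviewed since {a.last_reviewed.isoformat()}"))
        # A.8.3.1: hypothetical handling rule - Confidential and above on
        # removable media must be encrypted.
        sensitive = (a.classification in scheme
                     and scheme.index(a.classification) >= scheme.index("Confidential"))
        if a.asset_type in REMOVABLE_TYPES and sensitive and not a.encrypted:
            findings.append((a.asset_id, "A.8.3.1",
                             "sensitive data on removable media without encryption"))
    return findings


def summarise(findings):
    """Count findings per control, e.g. {'A.8.1.2': 2, ...}, for the audit report."""
    counts = {}
    for _, control, _ in findings:
        counts[control] = counts.get(control, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    results = audit(INVENTORY, PEOPLE, AUDIT_DATE)
    for asset_id, control, message in results:
        print(f"{asset_id}  {control:8}  {message}")
    print(summarise(results))
```

Run as a script it prints one line per finding (six for the sample data) followed by the per-control counts. In a real deployment the inventory and people directory would come from your CMDB and HR system rather than being hard-coded, and the checks would run on a schedule so that the inventory review required by A.8.1.1 is continuous rather than an annual scramble.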

Conclusion:

It is crucial to take the time to determine which information assets in your organisation need to be protected and how they fit into the framework of your ISMS. By listing those assets, assigning each one an owner and a classification, you and your organisation can identify the valuable items that require security and decide how much protection each deserves.

Although no individual Annex A control is mandatory in itself, the A.8 control set, together with the other Annex A controls your risk assessment selects, helps you align your information security procedures with the ISO 27001 framework while ensuring that your organisation's information assets are properly protected.