Asset Management (ISO 27001)

Asset management is about mapping, classifying and protecting all the information assets your organisation depends upon. In ISO 27001, asset management is the foundation of the risk assessment, as risks can only be evaluated when you know what needs to be protected.

    What is asset management?

    An information asset is anything that holds value for the organisation from an information security perspective. Asset management is the process of identifying these assets, assigning owners, classifying them by sensitivity and ensuring they are appropriately protected.

    Asset management is closely linked to risk assessment: without a current and complete asset overview, it is impossible to evaluate which risks threaten the organisation’s information.

    Types of information assets

    Information assets can be divided into several categories:

    • Information assets: Databases, documentation, contracts, business information.
    • Software assets: Business systems, operating systems, development tools.
    • Physical assets: Servers, computers, network equipment, mobile devices.
    • Service assets: Cloud services, communication services, utilities.
    • Human assets: Employees’ knowledge and competencies.
    • Intangible assets: Reputation, brand value.

    The asset register

    An asset register (asset inventory) is a documented overview of all the organisation’s information assets. ISO 27001 Annex A control 5.9 requires an inventory of information assets and other associated assets. The register must be maintained and kept up to date. For a CIS-focused approach to hardware inventory, see Asset Inventory (CIS Control 1).


    Start simple:
    You do not need to map every single piece of hardware. Focus on the assets that are critical to the business or that contain sensitive information. A pragmatic asset register is better than a perfect register that never gets finished.

    Classification and ownership

    Each asset must have a designated owner (asset owner) who is responsible for the asset’s correct classification and protection. Classification is typically based on the asset’s confidentiality, integrity and availability (the CIA triad) and determines which security controls should be applied.

    Frequently Asked Questions about Asset Management in ISO 27001

    What is an information asset?

    An information asset is anything that holds value for the organisation from an information security perspective. This includes databases, software systems, hardware, cloud services, employee knowledge and even intangible assets such as reputation.

    Why is asset management important in ISO 27001?

    Asset management is the foundation of the risk assessment process. Without knowing what assets you have, you cannot evaluate the risks that threaten them or determine appropriate security controls.

    What is an asset register?

    An asset register is a documented inventory of all the organisation’s information assets. ISO 27001 Annex A control 5.9 requires this inventory to be established and maintained.

    Who should be the asset owner?

    The asset owner is typically the person or team most knowledgeable about the asset and its business value. They are responsible for ensuring correct classification and appropriate protection of the asset.

    How detailed does the asset register need to be?

    The level of detail should be proportionate to your organisation’s size and risk profile. Focus on business-critical assets and those containing sensitive information. A pragmatic register is better than an overly detailed one that is never completed.
