If you are looking at aligning your organisation’s information security management system (ISMS) with the ISO 27001 standard, A.8 controls can help set you up for success. Annex A.8 covers Asset Management and outlines its role in upholding accountability for and assigning responsibility to information assets.
Identifying and implementing the necessary Annex A controls through a risk assessment is the key to ISO 27001 compliance and ensures strong information security practices. In this article, we will explore Annex A.8 in detail, the requirements for effective asset management, the importance of managing your assets in an integrated manner, and how to build an asset inventory.
What is Annex A.8?
Annex A.8 is one of the 14 control sets in Annex A of the ISO 27001 standard, which support the standard's main clauses. It focuses on Asset Management and outlines the requirements and responsibilities for security practices specific to each type of asset. In general, Annex A.8 refers to four types of asset.
To understand the Asset A.8 controls, let’s first explore what asset management is and why it is important.
What is Asset Management?
In short, asset management is what we are doing whenever we take inventory of IT hardware or maintain access logs.
Asset management is based on the idea that it is important to uphold accountability for valuable assets to ensure they are properly protected. Accountability includes identifying, tracking, classifying and assigning ownership to them.
What are the levels/types of assets?
Assets can be loosely defined as anything an organisation deems valuable, and they extend beyond physical/tangible objects. Four types of asset are commonly recognised; between them they cover hardware and software, outsourced services such as mail and chat platforms, and infrastructure that may affect the availability of information.
- Human Assets: Employee skills, level of training, and other values such as loyalty.
- Financial assets: Cash, stocks, deposits and other liquid assets that may or may not have an inherent worth or physical form.
- Information assets: Paper or digital documents, passwords and encryption keys, and databases.
- Intangible assets: Licences, trademarks, certifications and other assets that may affect the reputation of an organisation.
Assets influence each other and the other domains of an organisation, and an organisation cannot perform optimally if asset classes operate independently. Therefore, assets must be managed in a way that takes these relationships into account.
For example, the actions and capabilities of employees influence the performance of physical assets. Investments into infrastructure and maintenance services require financial resources. Quality data and information are essential for the development, optimisation and implementation of an asset management plan. The reputation of an organisation can impact operating strategies and infrastructure investments.
Let's take a look at the requirements outlined in Annex A.8: the controls it specifies and how each must be implemented.
1. Annex A.8.1 - Responsibility of assets
The objective of Annex A.8.1 is to identify how information assets fit the scope of the ISMS, and define the protection responsibilities for these assets. Assets may include network equipment and devices, data and information, IT infrastructure and applications, so these responsibilities must be specific to the type of asset.
- A.8.1.1 - Inventory of assets
Control: Information assets and facilities should be identified and documented in an inventory, along with all activities throughout their lifecycle.
Implementation: The lifecycle of this information must take into consideration its creation, processing, storage, transmission, deletion, and destruction. These activities must be documented in a register or inventory according to the importance of the assets, and then regularly updated, checked for accuracy and matched against other inventories.
- A.8.1.2 - Ownership of assets
Control: All assets must be assigned ownership at the moment of creation.
Implementation: Asset owners may either be individuals, departments or other entities. Asset owners must be responsible for the management of assets throughout their lifecycle, but delegation and transference of ownership are allowed, as long as documented thoroughly.
Asset owners are responsible for:
- Proper maintenance of asset inventories
- Proper asset classification and security
- Reviewing current access management policies and updating them regularly
- Proper deletion and destruction of assets
- A.8.1.3 - Acceptable Use of Assets
Control: An “Acceptable Use Policy” must be created in consideration of all parties who have access to assets.
Implementation: Rules of acceptable use and information security requirements must be made known to all relevant parties who have access to assets, and regularly enforced through training and other activities.
- A.8.1.4 - Return of Assets
Control: Upon termination of a contract or position etc., all parties must return any assets to the organisation.
Implementation: Employees and external stakeholders must return all tangible and electronic assets in their possession to the organisation in the event their contract/agreement is terminated. If the equipment used for company purposes was purchased by the employee/external party, they must follow protocol to transfer any relevant information to the organisation upon termination.
Return of assets must be documented, and non-returns must be logged as security incidents unless agreed and documented as part of the exit process. These obligations must be clearly stated in agreements, and regular audits of assets are required to ensure their protection.
2. Annex A.8.2 - Information Classification
The objective of A.8.2 is to ensure that information assets receive the necessary protection based on their importance as well as in accordance with stakeholder expectations.
- A.8.2.1 - Classification of information
Control: Information must be classified to reflect business activity, in terms of value, legal requirements, and criteria surrounding unauthorised disclosure and modification.
Implementation: Classification must include standards for information sharing and restriction. Related non-information assets may also fall under such classification. Proper classification is key to ensuring the protection of information, so some organisations may define a few classification levels depending on the value of the information assets.
However, classification options must be kept simple to meet the right number of engineering controls and so as not to confuse users. The effectiveness of classification must be reviewed regularly, and the classification scheme must be kept consistent throughout the organisation.
- A.8.2.2 - Labelling of information
Control: Procedures for labelling must be developed in accordance with the organisation’s classification scheme established in A.8.2.1.
Implementation: These procedures must be made available in physical and electronic formats. Labelling must be easily recognisable, documented and made available to all staff to ensure that they are properly followed. Statements of confidentiality must be expressly stated and labelled.
- A.8.2.3 - Handling of assets
Control: Procedures for the proper handling of assets must be developed in accordance with the classification scheme established in A.8.2.1.
Implementation: These procedures must cover the handling, processing, storing, and communication of classified information.
The following must be considered:
- Access restrictions proportionate to the classification level
- A formal record of approved asset recipients
- Security of an appropriate level
- Manufacturer-specified storage procedures for IT assets
- Clearly marked recipient details on all versions/copies of the media
It may be required to produce a mapping policy to show customers/suppliers etc. that their information assets are being protected.
3. Annex A.8.3 - Media Handling
The objective of this annex is to prevent the unauthorised disclosure, modification, removal or destruction of information assets stored on media.
- A.8.3.1 - Management of removable media
Control: Procedures for the management of removable media must be implemented in accordance with the classification scheme established in A.8.2.1.
Implementation: Media must only be made removable if justified by a business reason, and must be made unrecoverable when no longer required. The general use of removable media must be risk assessed, and its removal must be recorded and require authorisation.
When necessary, added security measures, such as cryptographic keys, must be applied. Media should be stored according to manufacturer specifications, and copies should be stored across different formats to prevent total accidental loss or damage.
- A.8.3.2 - Disposal of media
Control: Media must be disposed of in accordance with documented procedures, once no longer required.
Implementation: Procedures for the disposal of media are required to prevent the unauthorised leakage of confidential information. These procedures must depend on the sensitivity and confidentiality of the information in question.
Confidential media must be disposed of through physical means such as shredding or incineration, or through data erasure. Assets which require secure disposal must be identified. Data disposal must be logged to maintain an audit trail, and it is best to dispose of media collectively, in one go.
- A.8.3.3 - Physical media transfer
Control: Media containing information assets must be protected during transportation unless already publicly available.
Implementation: Reliable couriers should be agreed upon with management, protective packaging must be used to prevent physical damage, and all transport activities should be logged. Logs must include security measures applied, transfer times and details of custodians. Extra care must be taken in the case of unencrypted media.
What are the other Annex A control categories?
The other 13 categories of Annex A controls cover other domains of an organisation that require management for the protection of information assets:
- A.5 - Information Security Policies
- A.6 - Organisation of Information Security
- A.7 - Human Resources Security
- A.9 - Access Control
- A.10 - Cryptography
- A.11 - Physical and Environmental Security
- A.12 - Operational Security
- A.13 - Communications Security
- A.14 - Systems Acquisition, Development and Maintenance
- A.15 - Supplier Relationships
- A.16 - Information Security Incident Management
- A.17 - Information Security aspects of Business Continuity Management
- A.18 - Compliance
When combined, Annex A can be used as a list of ISO 27001 controls, and while not mandatory, organisations should identify and implement controls that best align with stakeholder expectations of information security.
Achieving ISO 27001 compliance includes many policies and guidelines, as well as several documents that may make the compliance process seem daunting to those who are unfamiliar. Read our comprehensive guide to ISO 27001 requirements to find out what you need to get started.
How do you build an Asset Inventory?
It is vital to know which assets your organisation possesses, who is responsible for their management and how they must be handled.
Building an asset inventory is best done during the risk assessment process of implementing your ISMS, using a “describe what you see” approach to take all assets in use into account. This includes all software installed and any physical storage (cabinets, etc.) tied to the information in question.
Consider including the following information in your asset inventory:
- Asset name
- Asset ownership
- Asset category
- Asset location
- Any relevant notes
It is important to take time to identify which information assets require protection and how they fit into the scope of your organisation’s ISMS. Listing assets helps you and your organisation identify what is of value and in need of protection.
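As an added illustration (not part of the original article or the ISO 27001 standard), the following Python sketch shows how the inventory fields listed above can be checked against three of the A.8 requirements: ownership assigned to every asset (A.8.1.2), a label from the classification scheme (A.8.2.1/A.8.2.2), reconciliation against another inventory (A.8.1.1), and flagging of assets a leaver has not returned (A.8.1.4). The asset records and the "discovered" list are constructed sample data; the field names and the three-level scheme are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str            # Asset name
    owner: str           # Asset ownership (A.8.1.2: assigned at creation)
    category: str        # Asset category (hardware, software, information, ...)
    location: str        # Asset location
    classification: str  # Label from the scheme in A.8.2.1 (assumed three-level scheme)
    custodian: str = ""  # Person currently holding the asset (relevant to A.8.1.4)
    notes: str = ""      # Any relevant notes

SCHEME = ("public", "internal", "confidential")  # assumed classification scheme

def inventory_issues(inventory, scheme=SCHEME):
    """Return (asset, problem) pairs for assets lacking an owner or a valid label."""
    issues = []
    for a in inventory:
        if not a.owner.strip():
            issues.append((a.name, "no owner assigned"))
        if a.classification not in scheme:
            issues.append((a.name, f"label '{a.classification}' not in scheme"))
    return issues

def reconcile(inventory, discovered):
    """A.8.1.1: match the register against another inventory (e.g. a discovery scan).
    'unregistered' = seen elsewhere but not in the register; 'missing' = registered but not seen."""
    registered = {a.name for a in inventory}
    found = set(discovered)
    return {"unregistered": sorted(found - registered), "missing": sorted(registered - found)}

def unreturned_assets(inventory, leavers, returned):
    """A.8.1.4: assets still held by a leaver and not on the returned list are candidate
    security incidents unless their non-return was agreed during the exit process."""
    return sorted(a.name for a in inventory if a.custodian in leavers and a.name not in returned)

# Constructed sample register (not real data)
REGISTER = [
    Asset("LAPTOP-001", "IT Dept", "hardware", "Office 2", "internal", custodian="alice"),
    Asset("LAPTOP-002", "IT Dept", "hardware", "Office 2", "internal", custodian="bob"),
    Asset("HR-DB", "", "information", "DC-1", "confidential", notes="owner left"),
    Asset("CAB-07", "Facilities", "physical storage", "Archive", "secret"),
]
DISCOVERED = ["LAPTOP-001", "LAPTOP-003"]   # constructed output of a separate scan

if __name__ == "__main__":
    print(inventory_issues(REGISTER))
    print(reconcile(REGISTER, DISCOVERED))
    print(unreturned_assets(REGISTER, leavers={"bob"}, returned={"LAPTOP-001"}))
```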
A.8 and the other Annex A control sets are vital to the proper protection of your organisation’s information assets, and, though not mandatory, help you align your information security practices with the ISO 27001 framework.
If you wish to pursue ISO 27001 certification for your organisation, or simply want to strengthen your info-sec practices, schedule a no-obligation phone call with one of our experts to learn more!