

Tuesday, July 24, 2007

4. Asset management (ISO)

Responsibility for assets

The objective of this category is to achieve and maintain appropriate protection of organizational assets.

Inventory of assets • All significant assets should be clearly identified and accounted for in an inventory listing, and have assigned owners (controllers) who are responsible for their appropriate protection. Control includes listings of:

  • type of asset, including specification of make/model/format, creation/manufacture date and any other information necessary to specify type;
  • assigned owner;
  • location (logical or physical location, range of physical locations if portable);
  • backup information (if appropriate);
  • license information (if appropriate);
  • business value, security classification and level of protection; and
  • any additional data necessary to allow recovery from a disaster or otherwise assure continuity of operations.

Asset types subject to this control may include, depending on organizational requirements:

  • information in databases or data files, systems documentation, contracts or agreements, research information, user manuals, training materials, operational or support procedures;
  • software assets, including application and system software, development tools and utilities;
  • physical assets, including computer and communications equipment, fixed location and removable storage media;
  • services, including general utilities like HVAC, lighting and power supply;
  • people, including their qualifications and experience;
  • intangibles, such as reputation and image of the organization.

Authorities: ISO-27002:2005 7.1.1.

Ownership of assets • All information and assets associated with information processing facilities should be "owned" by a designated part of the organization. Control includes:

  • asset owner responsibility for ensuring that each owned asset is appropriately classified and that the information recorded about it is accurate; and
  • definition and periodic review of access restrictions and other controls associated with the asset.

Authorities: ISO-27002:2005 7.1.2.

Acceptable use of assets • Rules for the acceptable use of information and other assets associated with information processing facilities should be identified, documented and implemented. Control includes:

  • guidelines/rules for use of services (e.g., email, Internet);
  • guidelines/rules for use of on-site systems and devices;
  • guidelines/rules for mobile devices and non-mobile devices used off-site; and
  • asset users' awareness of these guidelines/rules, including an appropriate educational program.

Authorities: ISO-27002:2005 7.1.3.

Information classification

Control objective: To ensure that information receives an appropriate level of protection.

Classification guidelines • Information and information processing facilities should be classified in terms of value and criticality to the organization, sensitivity and legal requirements. Control includes:

  • assigning responsibility for the asset owner or other appropriate party to make this classification;
  • periodic review to ensure that classifications appropriately reflect business needs and legal, regulatory and certification requirements, and balance confidentiality, integrity and availability concerns against other goals.

Authorities: ISO-27002:2005 7.2.1.

Information labelling and handling • An appropriate set of procedures for information labelling and handling should be developed by each information owner, and implemented in accordance with the classification scheme(s) adopted by the organization. Control includes:

  • classifications that cover information in all forms and media;
  • procedures for chain of custody; and
  • procedures for logging and reporting relevant security incidents and events.

Authorities: ISO-27002:2005 7.2.2.
