
Since ISO 27001 focuses on preservation of confidentiality, integrity and availability of information, this means that assets can be:

Infrastructure – e.g., offices, electricity, air conditioning – because those assets can cause lack of availability of information.

People are also considered assets because they also have lots of information in their heads, which is very often not available in other forms.

Outsourced services – e.g., legal services or cleaning services, but also online services like Dropbox or Gmail – it is true that these are not assets in the pure sense of the word, but such services need to be controlled very similarly to assets, so they are very often included in the asset management.

Although ISO 27001 does not have a formal definition for asset management, it has three specific controls in its Annex A to ensure proper asset management (which can be understood in an ISO 27001 context as ensuring the asset protection while the asset is important to the organization):

A.5.9 – Inventory of information and other associated assets: all information and related assets need to be identified and have an owner responsible for protecting the confidentiality, integrity, and availability of the information. Asset ownership is one of the fundamental concepts in ISO 27001.

A.5.10 – Acceptable use of information and other associated assets: rules for proper use of assets need to be defined, documented, and implemented.

A.5.11 – Return of assets: upon termination of business relations, all users in possession of information assets need to return them to the organization.

Why are assets important for information security management?

There are two reasons why managing assets is important:

1) Assets are usually used to perform the risk assessment – although not mandatory by ISO 27001:2022, assets are usually the key element of identifying risks, together with threats and vulnerabilities.
