
ISO 27001 Annex A.8 – Asset Management
What is the objective of ISO 27001 Annex A.8.1?
Annex A.8.1 ‘Responsibility for assets’ requires the company to identify its assets and define appropriate protection responsibilities.
A.8.1 forms part of the information security management system (ISMS) and is an integral step towards achieving ISO 27001 certification. It contains the four controls listed below.
A.8.1.1 Inventory of Assets
Annex 8.1.1 or Control A.8.1.1 stipulates that any assets associated with information and its processing should be identified and recorded in a register that is maintained. Adoptech provides an Information Risk Register as well as an Asset Register for physical assets. These registers facilitate this control, enabling each asset to be classified and its assigned owner to monitor it and ensure effective protection is maintained throughout the asset’s life cycle.
A.8.1.2 Ownership of Assets
Annex 8.1.2 or Control A.8.1.2 requires an owner to be assigned to every asset in the Information Risk Register. The owner may change throughout the asset’s life cycle, but the responsibilities remain the same. Tasks required to ensure appropriate protection can be delegated, but the owner remains ultimately responsible for monitoring the asset and ensuring compliance.
The owner is responsible for:
- ensuring assets are inventoried, appropriately classified and protected
- defining and reviewing access restrictions and classifications
- ensuring proper handling when the asset is deleted or destroyed.
A.8.1.3 Acceptable use of Assets
Annex 8.1.3 or Control A.8.1.3 states that rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented.
Adoptech’s Acceptable Use Policy outlines the rules related to the use of these assets and the platform supports sharing this policy with staff and tracking that they have read and understood the policy. Educating staff on the acceptable use of assets should be part of the company’s training programme.
A.8.1.4 Return of Assets
Annex 8.1.4 or Control A.8.1.4 outlines that anyone who has received the company’s assets should return them upon termination of their employment, contract or agreement.
The Leaver’s checklist available in the Adoptech platform is a great way to ensure:
- the company’s physical and electronic assets are returned
- all relevant information is transferred to the company and securely erased from equipment owned by the individual or external party (see 11.2.7).
- knowledge that is important to ongoing operations is documented.
Unless otherwise agreed, where assets are not returned according to the leaver’s process, the non-return should be raised as a security incident in line with Annex A.16.
What is the objective of Annex A.8.2?
Annex A.8.2 ‘Information classification’ requires the company to ensure that information receives an appropriate level of protection in accordance with its importance to the company.
A.8.2 forms part of the information security management system (ISMS) and is an integral step towards achieving ISO 27001 certification. It contains the three controls listed below.
A.8.2.1 Classification of Information
Annex 8.2.1 or Control A.8.2.1 requires information to be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. The classification scheme should be relevant to the company’s processes and should not complicate them. For example, publicly available information, such as content on a website, should be labelled ‘public’, whereas confidential or commercially sensitive information requires a higher level of classification.
Adoptech’s Information Classification Policy will help you create a simple yet effective system.
A.8.2.2 Labelling of Information
Annex 8.2.2 or Control A.8.2.2 requires an appropriate set of procedures for information labelling to be developed and implemented in accordance with the information classification scheme outlined in the Information Classification Policy which is available on the Adoptech platform.
A.8.2.3 Handling of Assets
Annex 8.2.3 or Control A.8.2.3 stipulates that procedures for handling assets should be developed and implemented in accordance with the information classification scheme. Adoptech provides an Information Classification Policy and Records and Information Management Policy to help companies with this control.
Areas to consider include:
- access restrictions and relevant protection for information at each level of classification
- storage in accordance with manufacturers’ specifications
- maintenance of a formal record of the authorised recipients of assets.
What is the objective of Annex A.8.3?
Annex A.8.3 ‘Media handling’ aims to prevent unauthorised disclosure, modification, removal or destruction of information stored on media.
A.8.3 forms part of the information security management system (ISMS) and is an integral step towards achieving ISO 27001 certification. It contains the three controls listed below.
A.8.3.1 Management of removable media
Annex 8.3.1 or Control A.8.3.1 aims to ensure procedures are implemented for the management of removable media in accordance with the company’s classification scheme.
Quite often this control is met by prohibiting the use of removable media such as USB devices, a rule that can be communicated through Adoptech’s Application and Network Security Policy. Where removable media devices are permitted, their use should be risk-assessed, and each individual’s responsibilities for using them and protecting the data stored on them should be communicated through Adoptech’s Records and Information Management Policy.
A.8.3.2 Disposal of media
The objective of Annex 8.3.2 or Control A.8.3.2 is to ensure media is disposed of securely when no longer required, using formal procedures that minimise the risk of confidential information leakage. Adoptech’s Records and Information Management Policy and Clear Desk and Clear Screen Policy can be used for this control. The procedures should be proportional to the sensitivity of the information being disposed of, and processes should be in place so that records pending audit, litigation or investigation are not destroyed.
A.8.3.3 Physical Media transfer
Annex 8.3.3 or Control A.8.3.3 requires that all media containing information are protected against unauthorised access, misuse or corruption when being transferred.
Confidential information should be encrypted during transport; this is covered by Adoptech’s Encryption and Key Management Policy. On the rare occasions that information is delivered by letter or on paper, if it is confidential it should be sent using a reputable postal service or courier and be signed for on receipt.