
Inventory and Ownership of Assets (Tier 2) : Buy The Full ISMS ISO 27001: 2013 Documentation Toolkit Here

This document outlines an organization's procedure for inventorying and tracking ownership of information assets. It describes maintaining an inventory divided into hardware, software, information assets, and intangible assets. For each asset, it records identification details, location, security classification, value, and associated controls. It also identifies asset owners responsible for maintenance and access controls.

Document Control

Reference: ISMS-C DOC 8.1.1
Issue No:
Issue Date:

INVENTORY AND OWNERSHIP OF ASSETS (TIER 2)

This is a toolkit trial version only - Buy the full ISMS ISO 27001:2013 Documentation Toolkit here

1 Scope¹

All of Organisation Name’s information assets are inventoried, in line with this
procedure.

2 Responsibilities

2.1 The Finance Director (CFO) is responsible for implementing and maintaining the
asset inventory.
2.2 All asset [owners] (as defined below) are responsible for providing the information
required under this procedure and for ensuring that it is maintained and kept up to
date.

3 Procedure [ISO27002 Clause 8.1.1]

3.1 Organisation Name maintains a [single] inventory of information assets, which is
subdivided into a hardware inventory [], a software log [], an information asset
database [], and a schedule of intangible assets []. In addition, Organisation Name
maintains a schedule of key information-related services [] and management is
aware of those individuals whose skills, knowledge and experience are considered
essential.
Commented [A1]: You need to decide how you link and reconcile this to your financial fixed asset register, and include that detail here in this clause
3.2 [This inventory is the asset inventory that is used in the risk assessment process
(see []).]
Commented [A2]: If you are using an asset-based risk assessment methodology.
3.3 For each asset, Organisation Name documents sufficient information to identify the
asset [], identifies the physical (or logical) location of the asset, information
security classification of each asset, the [purchase cost/current written down
value/insurance value/all three] for each asset, and the security processes or
controls (including access controls, backups, etc.) associated (following a risk
assessment) with each asset (see control section []).
3.4 For each asset, Organisation Name identifies the business unit or business role that
‘owns’ the asset. For software, the [owner] is its trained system administrator. The
[owner] is responsible for ensuring that the asset is correctly classified, for the day
to day maintenance of the identified controls (see control section []), that access
controls (see control section []) are defined and periodically reviewed, and that
vulnerabilities are identified and patched in line with [].
3.5 Organisation Name groups some assets together into composite information
‘systems’, in which case it identifies the assets within the system and the [owner]
is the business unit or role responsible for the system.
3.6 [Owners] may delegate routine tasks, in respect of their assets or systems, in line
with section [].
3.7 All new information assets are added to the appropriate schedule as and when they
are acquired [], together with details of the required security processes/controls,
and removed from the schedule when they are disposed of [].

¹ The schedules should be customised to detail the information you are documenting, and they should be
reconciled to the financial ledgers – or this information can be integrated into the financial register – if you do
this, you will need to be careful that you don’t create information classification conflicts, where those who need
to see one part of the data can’t. These schedules can also be kept in databases. See Chapter 8 of IT
Governance: An International Guide to Data Security and ISO27001/ISO27002 for more information on Asset
Management. For assets present at the point of commencing the planning phase of the cycle, use that date and
a single standard methodology for each aspect, such as valuation, classification, etc. – note the methodology
you use in an annex to the schedule.

Document Owner and Approval

The Information Security Manager is the owner of this document and is responsible
for ensuring that this procedure is reviewed in line with the review requirements of
the ISMS.

A current version of this document is available to [all/specified] members of staff
on the [corporate intranet] and is published [ ].

This procedure was approved by the Chief Information Security Officer (CISO) on
[date] and is issued on a version controlled basis under his/her signature.

Signature: Date:

Change History Record

Issue    Description of Change    Approval     Date of Issue
1        Initial issue            <Manager>    Xx/yy/zz


Organisation Name Classification_3

Customisable PROCEDURE template v3.0


Comments to [email protected]
© IT Governance Ltd 2015
www.itgovernance.co.uk
