Asset Management

Annex A.8.2 of ISO 27001:2013 discusses information classification with the objective of ensuring information receives protection based on its importance. It addresses classifying information based on legal, value, and sensitivity factors. Information classification is a key control to adequately protect assets based on their value and importance. The annex also discusses labelling information according to the classification scheme and developing procedures for handling assets in accordance with the classification scheme and access restrictions.

Uploaded by Taimoor Hasan

A.8.1.1 Inventory of Assets

Any assets associated with information and information processing facilities need to be identified
and managed over their whole lifecycle, and the record of them must be kept up to date. A register or
inventory of those assets has to be put together that shows how they are managed and controlled,
organised around their importance (which dovetails neatly into information classification below).
The lifecycle of the information generally includes the creation, processing, storage, transmission,
deletion and destruction stages.

A.8.1.2 Ownership of Assets

All information assets must have owners. Ownership for asset management purposes can differ from
legal ownership, and it can be assigned to an individual, a department, or another entity. Ownership
should be assigned when the asset is created.

The asset owner is responsible for the effective management of the asset over the whole of the
asset's lifecycle. The owner may delegate day-to-day management, and ownership may change
during the lifecycle, as long as both the delegation and the change are documented.

A.8.1.3 Acceptable Use of Assets

Acceptable use of information and of assets is important to get right. Rules for acceptable use of
assets are often documented in an "Acceptable Use Policy". The rules for acceptable use must take
into consideration employees, temporary staff, contractors and other third parties, where applicable,
across the information assets they have access to. It is important that all relevant parties have
access to the set of documented acceptable use rules and that these are reinforced through regular
training, information security awareness and compliance-related activity.

A.8.1.4 Return of Assets

All employees and external party users are expected to return any organisational and information
assets upon termination of their employment, contract or agreement. Returning all assets must
therefore be an obligation on employees and external users, and that obligation should be written
into the relevant agreements with staff, contractors and others. A solid, documented process is also
required to ensure that the return of assets is appropriately managed and can be evidenced for each
person or supplier that goes through it. This aligns with the exit controls in Annex A.7 (Human
Resource Security), Annex A.13.2.4 (confidentiality or non-disclosure agreements) and Annex A.15
(supplier relationships). Where assets are not returned according to the process, unless otherwise
agreed and documented as part of the exit process, the non-return should be logged as a security
incident and followed up in line with Annex A.16. The return of assets procedure is never
foolproof, which also underlines the need for periodic audit of assets to ensure their continued
protection.

A.8.2 Information Classification

Annex A.8.2 is about information classification. The objective in this Annex is to ensure that
information receives an appropriate level of protection in accordance with its importance to the
organisation (and to interested parties such as customers).

A.8.2.1 Classification of Information

Information must be classified in terms of legal requirements, value, criticality and sensitivity to
unauthorised disclosure or modification. The classification should ideally reflect business activity
rather than inhibit or complicate it. For example, information made publicly available, e.g. on a
website, might simply be marked 'public', whereas 'confidential' or 'commercial in confidence' are
the obvious labels for information that is more sensitive than public.

Information classification is one of the key controls used to ensure that assets are adequately and
proportionately protected. Many organisations have three or four classification levels to allow
effective management of the information, taking into account its value and importance. The scheme
can, however, be as simple or as complex as required to give the correct level of granularity for the
protection of assets. Remember that if you keep it very simple and have too few classifications, you
are likely to over-engineer or under-engineer controls for some of the information. Too many
classification options are likely to confuse end users about which one to adopt and create additional
overhead in managing the scheme. As with all controls, this one needs to be reviewed regularly to
ensure its ongoing fitness for purpose.

A.8.2.2 Labelling of Information

An appropriate set of procedures for information labelling must be developed and implemented in
accordance with the information classification scheme adopted by the organisation. Procedures for
information labelling will need to cover information and related assets in both physical and
electronic formats. The labelling should reflect the classification scheme established in A.8.2.1. The
labels should be easily recognisable and easy to manage in practice, otherwise they will not be
followed. For example, it may be easier to decide that everything in the digital systems is
confidential by default unless expressly labelled otherwise, rather than ask staff to label every CRM
update with a commercial in confidence statement. Be clear about where this default labelling
applies, document it in your policy, and remember to include it in the training for staff.

A.8.2.3 Handling of Assets

Procedures for handling assets need to be developed and implemented in accordance with the
information classification scheme. The following should be considered: access restrictions for each
level of classification; maintenance of a formal record of the authorised recipients of assets; storage
of IT assets in accordance with manufacturers' specifications; and marking of media so that it is
recognisable to authorised parties.

If the organisation handles information assets for customers, suppliers and others, it is important
either to demonstrate a mapping policy (e.g. a customer classification of OFFICIAL-SENSITIVE maps
to the organisation's own 'commercial in confidence' level), or to show that the external
classification is dealt with in some other documented way so that the information is demonstrably
protected.
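The three A.8.2 controls above (a classification scheme, default labelling, and handling rules per level including a record of authorised recipients and a mapping from an external party's scheme) can be expressed as a small reference check. The following is an added example written for this page, not code from the source or from any ISO publication; the level names, the "uk-gov" external scheme, the mapping table, and the sample asset and people are assumptions constructed for the example. The one design point worth noting is that an external label with no documented mapping is refused rather than guessed, so it surfaces as an exception to be handled under the policy instead of a silent downgrade.

```python
"""Classification-aware handling check (example added to this page, not the
page's own material). All labels, schemes and sample data are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Tuple


class Level(IntEnum):
    """Internal scheme from A.8.2.1: a small, ordered set of levels (assumed names)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    COMMERCIAL_IN_CONFIDENCE = 3


# A.8.2.2 default labelling rule: unlabelled digital records are treated as
# confidential unless expressly labelled otherwise.
DEFAULT_LEVEL = Level.CONFIDENTIAL

# A.8.2.3 mapping policy: external scheme -> internal level. Only labels that
# appear here are honoured; anything else is an unmapped classification.
# (The "uk-gov" scheme and its two entries are assumptions for the example.)
EXTERNAL_SCHEMES = {
    "uk-gov": {
        "OFFICIAL": Level.INTERNAL,
        "OFFICIAL-SENSITIVE": Level.COMMERCIAL_IN_CONFIDENCE,
    },
}


class ClassificationError(ValueError):
    """Raised for a label the scheme does not recognise; never silently downgraded."""


def resolve_level(label: Optional[str], scheme: Optional[str] = None) -> Level:
    """Return the internal level for a record's label.

    None or blank -> DEFAULT_LEVEL (the documented default-labelling rule).
    scheme=None  -> the label is an internal one ("commercial in confidence").
    scheme="x"   -> the label is translated through EXTERNAL_SCHEMES["x"].
    """
    if label is None or not label.strip():
        return DEFAULT_LEVEL
    norm = label.strip().upper()
    if scheme is None:
        key = norm.replace(" ", "_").replace("-", "_")
        if key not in Level.__members__:
            raise ClassificationError(f"unknown internal label {label!r}")
        return Level[key]
    mapping = EXTERNAL_SCHEMES.get(scheme, {})
    if norm not in mapping:
        raise ClassificationError(f"no documented mapping for {scheme}:{label!r}")
    return mapping[norm]


def can_resolve(label: Optional[str], scheme: Optional[str] = None) -> bool:
    """True if resolve_level would succeed (convenience for audits and tests)."""
    try:
        resolve_level(label, scheme)
        return True
    except ClassificationError:
        return False


@dataclass
class Asset:
    asset_id: str
    owner: str                              # A.8.1.2: every asset has an owner
    label: Optional[str] = None             # None = relies on the default rule
    scheme: Optional[str] = None            # external scheme the label belongs to
    recipients: List[str] = field(default_factory=list)  # formal recipient record

    @property
    def level(self) -> Level:
        return resolve_level(self.label, self.scheme)


@dataclass
class Person:
    name: str
    clearance: Level


AccessRecord = Tuple[str, str, str, str]  # (person, asset, level, decision)


def authorise_access(person: Person, asset: Asset, register: List[AccessRecord]) -> bool:
    """A.8.2.3 access restriction per level, plus the record of authorised recipients.

    Access is allowed only if the person's clearance is at least the asset's
    level. Every decision is appended to `register` so it can be evidenced.
    """
    allowed = person.clearance >= asset.level
    if allowed and asset.level > Level.PUBLIC and person.name not in asset.recipients:
        asset.recipients.append(person.name)
    register.append((person.name, asset.asset_id, asset.level.name,
                     "allow" if allowed else "deny"))
    return allowed


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    log: List[AccessRecord] = []
    crm_note = Asset("CRM-0042", owner="sales-director")          # unlabelled -> CONFIDENTIAL
    customer_doc = Asset("CUST-7", owner="account-mgr",
                         label="OFFICIAL-SENSITIVE", scheme="uk-gov")
    for who in (Person("alice", Level.COMMERCIAL_IN_CONFIDENCE), Person("bob", Level.INTERNAL)):
        authorise_access(who, crm_note, log)
        authorise_access(who, customer_doc, log)
    for entry in log:
        print(entry)
    print("mappable:", can_resolve("TOP SECRET", "uk-gov"))
```

When run, the unlabelled CRM record is treated as CONFIDENTIAL, so the INTERNAL-cleared user is denied, and the customer's OFFICIAL-SENSITIVE document maps to the internal commercial-in-confidence level; a label with no documented mapping is reported as unmappable rather than being assigned a level.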
