ISO27001 Asset Management Policy Beginner’s Guide


In this article we lay bare the ISO27001 Asset Management Policy, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker, the ISO27001 Ninja, and this is the ISO27001 Asset Management Policy.

Asset Management Policy

The ISO 27001 asset management policy ensures the correct assets are identified and protected. We cannot protect what we do not know.

Asset management is one of the most time-consuming activities that you will undertake. The asset management policy sets out what the company does when it comes to asset management. It is your blueprint for the asset management life cycle.

How does the asset management policy work?

When it comes to cyber security, you cannot protect what you do not know. Understanding what you have (what computers, what data, what mobiles) is fundamental to ensuring you have the right protection in place for them.

An asset management policy will set out what you do for managing those assets.


Asset Management Policy Template

As an ISO 27001 template, the asset management policy template will fast-track your implementation, saving you hours of research and writing.

The asset management lifecycle and policy

The asset management lifecycle is concerned with how you acquire, or purchase, assets. Then how you deploy them. It covers how you transport them, how you record them, how you allocate them, how you return them, how you reissue them and ultimately how you destroy them. The policy should cover all of these steps.

It seems simple. Just write down all the devices that you have. It is that simple, but I am never surprised when even companies of fewer than 10 people struggle to know what they actually have.

Your asset management policy will cover every device that can store, process and transmit data. We are looking at the easy things like laptops, tablets and phones, but we are also looking at switches and routers. Perhaps printers with memory. Perhaps removable storage. Can it store, process or transmit data? If the answer is yes, it is covered by the policy.

Does the policy include people’s personal devices?

Yes. Yes it does. If they want to use it to access our systems and our data.

Asset management policy contents summary

Information and information processing, storing and transmitting devices are identified and an inventory of these assets is drawn up and maintained. Ownership of assets is identified, agreed and documented along with roles and responsibilities. The acceptable use of assets is covered as is the return of assets. The use of asset registers is included.

Asset management fits as part of a comprehensive information security management system that we explore on our ISO 27001 Templates Documents Ultimate Guide.

Downloadable Asset Management Templates

The following asset management templates will help you with asset management.

Asset Management Policy FAQ

Where can I get an Asset Management Policy template?

The asset management template can be found here. It covers the requirements of ISO 27001 and other standards and is an important document for knowing what to protect as well as controlling assets.

What is an asset management policy?

An asset management policy is a document that lays out what you do for the management of physical and data assets. It is a statement of what you do, not how you do it. How you do it is set out in your process, procedure and operating documents.

What is included in an asset management policy?

An asset management policy contains as a minimum:
• Document Version Control
• Document Contents Page
• Asset Management Policy
• Inventory of Assets
• Ownership of Assets
• Acceptable Use of Assets
• Return of Assets
• Policy Compliance
• Compliance Measurement
• Continual Improvement

What is the purpose of the asset management policy?

The purpose of this policy is the identification and management of assets.

What is the scope of the asset management policy?

The scope of the asset management policy is all company employees and external party users. The scope covers all company information and physical assets.

What is the principle behind the asset management policy?

The asset management principle is that company assets are known, identified and managed with appropriate protection in place.

How do you record and manage assets?

For recording and managing assets you need an Inventory of Assets. Information and information processing, storing and transmitting devices are identified and an inventory of these assets is drawn up and maintained.
For each asset, at least the following is recorded:
• The asset name
• The asset owner
• The importance of the asset
• The classification of the asset
For physical assets, at least the following is additionally recorded:
• Asset number
• Serial number
• Whether in use
• Last checked by and date
• What the asset does

Who owns assets and what are they responsible for?

Individuals, roles or teams are assigned ownership of assets.
Asset owners ensure assets are inventoried.
Asset owners ensure assets are appropriately classified and protected.
Asset owners ensure the proper handling when the asset is deleted or destroyed in line with the Information Classification and Handling Policy.
The asset owner may delegate routine tasks.

Is the asset management policy required for ISO 27001 certification?

Yes. The asset management policy is required for ISO 27001 certification.

Why IT asset management is important

IT asset management is important because you cannot control what you do not know. If we do not know what we have, how can we control it? Having an effective asset management life cycle that covers the asset from purchase to disposal, with the appropriate IT technical controls on the asset, will allow us to secure our business and the information on which the business relies.

Asset Management Policy Example PDF

If you want to have a look at an example asset management policy PDF click the link. It is redacted in places but gives you a good idea of what good looks like.
