ISO 27001 Asset Management Policy: Ultimate Guide

Home / ISO 27001 Templates / ISO 27001 Asset Management Policy: Ultimate Guide

Introduction

In this ultimate guide I show you everything you need to know about the ISO 27001 Asset Management Policy and exactly what you need to do to satisfy it to gain ISO 27001 certification.

We will get to grips with what asset management is, understand why organisations need an Asset Management Policy, show you how to write one, and let you in on trade secret’s that’ll save you hours of time and effort, simply by using this template

I am Stuart Barker: founder of High Table, Information Security expert and ISO 27001 Ninja, and this is the ISO 27001 Asset Management Policy.

What is an ISO 27001 Asset Management Policy?

The ISO 27001 Asset Management Policy sets out the guidelines and framework for how identify, protect and manage assets. It covers the entire lifecycle from acquiring the asset, using the asset to ultimately destroying the asst. It ensures the correct assets are identified and protected. We cannot protect what we do not know.

Asset management is one of the most time consuming activities that you will undertake. The asset management policy sets out what the company does when it comes to asset management. It is your blue print for the asset management life cycle.

ISO 27001 Asset Management Policy Template

The ISO 27001 Asset Management Policy Template is pre written and ready to go. It will fast track your implementation saving you hours of research and writing. ISO 27001 templates are an absolute time and life saver.

ISO 27001 Asset Management Policy Template

Downloadable Asset Management Templates

The following individual asset management templates will help you with asset management. They form part of the Ultimate ISO 27001 Toolkit.

DO IT YOURSELF ISO27001

Stop Spanking £10,000’s on Consultants and Platforms

ISO 27001 Toolkit Business Edition

What is the Purpose of the ISO 27001 Asset Management Policy?

The purpose of the ISO 27001 Asset Management Policy is to ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities.

What is the ISO 27001 Asset Management Principle?

All assets are identified, classified and protected throughout their lifecycle from creation / acquisition through to destruction. The principle is that we cannot protect what we do not know.

How does the ISO 27001 asset management policy work?

When it comes to cyber security, you cannot protect what you do not know. Having an understanding of what you have, what computers, what data, what mobiles is fundamental in ensuring you have the right protection in place to protect them.

An ISO 27001 Asset Management Policy will set out what you do for managing those assets.

Asset Management Lifecycle

The asset management lifecycle is concerned with how you acquire, or purchase, assets. Then how you deploy them. It covers how you transport them, how you record them, how you allocate them, how you return them, how you reissue them and ultimately how you destroy them. The policy should cover all of these steps.

It seems simple. Just write down all the devices that you have. It is that simple but I am never surprised when even companies of less than 10 people struggle to know what they actually have.

Your asset management policy will cover every device that can store, process and transmit data. We are looking at the easy things like laptops, tablet, phones but we are also looking at switches and routers. Perhaps printers with memory. Perhaps removable storage. Can it store, process or transmit data? If the answer is yes, it is covered by the policy.

Does the policy include people’s personal devices?

Yes. Yes it does. If they want to use it to access our systems and our data.

What should ISO 27001 Asset Management Policy Contain?

Information and information processing, storing and transmitting devices are identified and an inventory of these assets is drawn up and maintained. Ownership of assets is identified, agreed and documented along with roles and responsibilities. The acceptable use of assets is covered as is the return of assets. The use of asset registers is included. The following is the content structure for the policy which you can see in the example ISO 27001 asset management policy pdf.

  • Document Contents Page
  • Document Version Control
  • Document Contents Page
  • Asset Management Policy
  • Purpose
  • Scope
  • Principle
  • Inventory of Physical and Virtual Assets
  • Inventory of Data Assets
  • Inventory of Software Licence Assets
  • Ownership of Assets
  • Acceptable use of assets
  • Return of Assets
  • Policy Compliance
  • Compliance Measurement
  • Exceptions
  • Non-Compliance
  • Continual Improvement
  • Areas of the ISO 27001 Standard Addressed

Asset management fits as part of a comprehensive information security management system that we explore on our ISO 27001 Templates Documents Ultimate Guide.

ISO 27001 Asset Management Policy Example

If you want to have a look at an example ISO 27001 asset management policy PDF click the link. It is redacted in places but gives you a good idea of what good looks like.

Here is an extract.

ISO 27001-Asset-Management-Policy-Example-1
ISO 27001 Asset Management Policy Example 2
ISO 27001 Asset Management Policy Example 3
ISO 27001 Asset Management Policy Example 4
ISO 27001 Asset Management Policy Example 5
ISO 27001 Asset Management Policy Example 6

Relevant ISO 27001 Controls

The following are ISO 27001 controls relevant to asset management to consider for further reading:

ISO 27001 Annex A 5.9 Inventory of information and other associated assets 

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 7.9 Security of assets off-premises

ISO 27001 Asset Management Policy FAQ

Where can I get an Asset Management Policy template?

The ISO 27001 asset management template can be found at High Table. It covers the requirements of ISO 27001 and other standards and is an important document for knowing what to protect as well as controlling assets.

What is an asset management policy?

An asset management policy is a document that lays out what you do for the management of physical and data assets. It is a statement of what you do not how you do it. How you do it is located in your process, procedure and operating documents.

What is included in an asset management policy?

An asset management policy contains as a minimum:
Document Version Control
Document Contents Page
Purpose
Scope
Asset Management Policy
Principle
Inventory of Asset
Ownership of Assets
Acceptable use of assets
Return of Assets
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement

What is the purpose of the asset management policy?

The purpose of the asset management policy is the identification and management of assets.

What is the scope of the asset management policy?

The scope of the asset management policy is all company employees and external party users. The scope covers all company information and physical assets.

What is the principle behind the asset management policy?

The asset management principle is that company assets are known, identified and managed with appropriate protection in place.

How do you record and manage assets?

For recording and managing assets you need and Inventory of Assets. Information and information processing, storing and transmitting devices are identified and an inventory of these assets is drawn up and maintained.
For each asset, at least the following, is recorded
• The asset name
• The asset owner
• The importance of the asset
• The classification of the asset
For physical assets additionally, at least the following is recorded
• Asset number
• Serial number
• Whether in use
• Last checked by and date
• What the asset does

Who owns assets and what are they responsible for?

Individuals, roles or teams are assigned ownership of assets.
Asset owners ensure assets are inventoried.
Asset owners ensure assets are appropriately classified and protected.
Asset owners ensure the proper handling when the asset is deleted or destroyed in line with the Information Classification and Handling Policy.
The asset owner may delegate routine tasks.

Is the asset management policy required for ISO 27001 certification?

Yes. The asset management policy is required for ISO 27001 certification.

Why IT asset management is important

IT asset management is important because you can control what you do not know. If we do not know what we have, how can we control it? Having an effective asset management life cycle that covers the asset from purchase to disposal with the appropriate IT technical controls on the asset will allow us secure our business and the information on which the business relies.

Why is an asset management policy important?

An asset management policy is important because it helps you to protect your assets from unauthorised access, use, disclosure, disruption, modification, or destruction. It also helps you to comply with relevant regulations and standards.

What are the key requirements of an ISO 27001 asset management policy?

The ISO 27001 asset management policy must be documented, approved, communicated and reviewed at least annually. It should cover the topics of the entire asset management lifecycle that includes the Identification and classification of assets and the entire process from acquisition to destruction.

What are the benefits of the ISO 27001 asset management policy?

The benefits of the ISO 27001 asset management policy include:
Reduced risk of data breaches and cyberattacks
Improved protection of intellectual property and other valuable assets
Enhanced compliance with regulations and standards
Increased visibility into and control over organizational assets
Improved decision-making

Who is responsible the ISO 27001 Asset management policy?

The head of IT is responsible for the ISO 27001 asset management policy.

Who is responsible for implementing the ISO 27001 Asset Management policy?

The IT department are responsible for implementing and managing the requirements of the ISO 27001 asset management policy.

How often is the ISO 27001 asset management policy reviewed?

The ISO 27001 asset management policy is reviewed after any significant change that affects the asset management lifecycle and at least annually.

Where can I get more information about the ISO 27001 asset management policy?

You can get more information and free resources including training and videos on the ISO 27001 asset management policy at the High Table website.

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing