The ISO 27001 Asset Management Policy sets out the guidelines and framework for how to identify, protect and manage assets. It covers the entire lifecycle, from acquiring the asset, through using it, to ultimately destroying the asset. It ensures the correct assets are identified and protected. We cannot protect what we do not know.
Table of contents
- What is it?
- Applicability to Small Businesses, Tech Startups, and AI Companies
- ISO 27001 Asset Management Policy Template
- Why you need it
- When you need it
- Who needs it?
- Where you need it
- How to write it
- How to implement it
- Examples of using it for small businesses
- Examples of using it for tech startups
- Examples of using it for AI companies
- How the ISO 27001 toolkit can help
- Information security standards that need it
- List of relevant ISO 27001:2022 controls
- ISO 27001 Asset Management Policy Example
- ISO 27001 Asset Management Policy FAQ
What is it?
Think of an ISO 27001 Asset Management Policy as a rulebook for all your company’s valuable stuff. This isn’t just about computers and desks; it’s about anything that has value to your business. This includes your customer data, software, intellectual property, and even the skills of your employees. The policy helps you keep track of these assets, protect them from harm, and ensure you know who’s responsible for what. It’s a key part of the ISO 27001 information security standard, which is all about keeping your sensitive information safe.
Applicability to Small Businesses, Tech Startups, and AI Companies
This policy is perfect for any size company that handles data. Here’s how it applies:
- For small businesses: You might think a policy like this is only for big corporations, but it’s super important for you too! It helps you protect your most critical information, like customer lists or financial records, without needing a huge budget. It’s about being smart and organised from the start.
- For tech startups: You’re all about innovation, and your code and intellectual property are your lifeblood. This policy helps you protect those unique assets, giving you a competitive edge and building trust with investors and customers.
- For AI companies: Your models, training data, and algorithms are incredibly valuable. An asset management policy is crucial for safeguarding these unique assets, especially since the data you use is often sensitive and subject to strict privacy rules.
ISO 27001 Asset Management Policy Template
The ISO 27001:2022 Asset Management Policy Template is designed to fast-track your implementation and give you an exclusive, industry best practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.
Why you need it
You need this policy to protect your business. It helps you:
- Prevent data breaches and other security incidents.
- Show customers and partners that you’re serious about security.
- Meet legal and regulatory requirements, like GDPR.
- Improve your organisation’s efficiency by knowing exactly what you have and where it is.
- Reduce risk and avoid costly mistakes.
When you need it
You need an Asset Management Policy as early as possible. The best time is when you’re first setting up your information security management system (ISMS) for ISO 27001. Don’t wait until something bad happens. Having the policy in place from the start makes everything else much easier.
Who needs it?
Everyone in your organisation needs to be aware of this policy. While a specific person, like the IT manager or the Chief Information Security Officer (CISO), might be responsible for writing and maintaining it, every employee has a part to play. They need to understand what an asset is and how to protect it, whether it’s their company laptop or a piece of sensitive data.
Where you need it
You need this policy everywhere your business operates. This means it applies to:
- Your office spaces.
- Employees working from home.
- Data stored in the cloud.
- Any physical hardware, like servers or laptops.
- Your software and digital data, no matter where it’s located.
How to write it
- Define what an “asset” is for your company. Be specific! This could be a server, a database, or even a patent.
- Assign ownership. For each asset, decide who is responsible for it. This makes accountability clear.
- Establish a classification scheme. Not all assets are equally important. You might classify some as “public,” “internal,” or “confidential.”
- Describe how to handle each type of asset. For example, you might say that “confidential” data must be encrypted.
- Explain the lifecycle of an asset. What happens when you get a new computer? What about when you get rid of an old one?
- Get it approved. Have a senior leader in your company review and approve the policy.
Time needed: 1 hour and 30 minutes
How to write an ISO 27001 Asset Management Policy
- Write the ISO 27001 Asset Management Policy Contents Page
The contents of the asset management policy should include:
Document Version Control
Document Contents Page
Purpose
Scope
Asset Management Policy
Principle
Inventory of Asset
Ownership of Assets
Acceptable use of assets
Return of Assets
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement
- Write the ISO 27001 Asset Management Policy Purpose
The purpose of this policy is the identification and management of assets.
- Write the ISO 27001 Asset Management Policy Scope
All employees and third-party users.
All company information and physical assets.
- Write the ISO 27001 Asset Management Policy Principle
Company assets are known, identified, and managed with appropriate protection in place.
- Describe the Inventory of Physical and Virtual Assets
Information and information processing, storing, and transmitting devices, both physical and virtual, are identified and an inventory of these assets is drawn up and maintained.
For each asset, at least the following is recorded:
• The asset name
• The asset owner
• The importance of the asset
• The classification of the asset
For physical assets, additionally, at least the following is recorded:
• Asset number
• Serial number
• Whether in use
• Last checked by and date
• What the asset does
• A description of the information processed, stored or transmitted
- Describe the Inventory of Data Assets
Data and information assets are identified, and an inventory of these assets is drawn up and maintained.
For each asset, at least the following is recorded:
• The asset name
• The asset owner
• The importance of the asset
• The classification of the asset
For data and information assets, additionally, the following may be recorded:
• Business Function using the asset
• Where the information is / the name of the application processing it
• Why we have the information
• Name of the controller
• Categories of data subjects
• How long we keep information / data retention
• Data Classification
• Categories of personal data
• Categories of recipients
• If international transfers take place and additional security measures
• Description of technical and organisational controls
• Lawful basis for processing
• Volume of data
• Risks to Data Subjects
• Risk Rating
• Actions to reduce or mitigate risks
• Date Last assessed
• Date of next assessment
- Define the Inventory of Software Licence Assets
Software and software licenses are identified, and an inventory of these assets is drawn up and maintained.
For each asset, at least the following is recorded:
• The asset name
• The asset version
• The asset owner
• Whether free or paid
• Number of licenses purchased
• Number of licenses used
• Location of the actual licenses
• Where the software is deployed
• Date Last assessed
• Date of next assessment
- Set out the ownership of assets
Individuals, roles, or teams are assigned ownership of assets
Asset owners ensure assets are inventoried
Asset owners ensure assets are appropriately classified and protected
Asset owners ensure the proper handling when the asset is deleted or destroyed in line with the Information Classification and Handling Policy.
The asset owner may delegate routine tasks
- Define the acceptable use of assets
Acceptable use of assets is in line with the Acceptable Use Policy.
- Set out your approach to the return of assets
All employees and external party users return all organisational assets in their possession upon termination of their employment, contract, or agreement.
Where an employee or external party user purchases organisation equipment or uses their own personal equipment, procedures are in place to ensure all relevant information is transferred to the organisation and securely erased from the equipment.
During notice periods of termination, the company controls unauthorised copying of company information by terminated employees or external party users.
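As an added example (not part of High Table's template), the following Python checks an asset register against the recording rules set out in the steps above: the four mandatory fields for every asset, the extra fields for physical and software assets, return of assets from leavers, licence over-use, and overdue reassessment dates. The field names and the three sample records are constructed assumptions.

```python
# Added example, not part of High Table's template: checks an asset register
# against the recording rules in the policy above. Field names and the sample
# records are constructed assumptions, not the template's own schema.
from datetime import date
REQUIRED = {"name", "owner", "importance", "classification"}
EXTRA = {
    "physical": {"asset_number", "serial", "in_use", "last_checked_by", "last_checked"},
    "software": {"version", "paid", "licences_purchased", "licences_used",
                 "licence_location", "deployed_at"},
}
def check_register(register, leavers, today):
    """Return (asset name, finding) tuples a policy reviewer would follow up."""
    findings = []
    for a in register:
        name = a.get("name", "<unnamed>")
        missing = (REQUIRED | EXTRA.get(a.get("type"), set())) - set(a)
        if missing:
            findings.append((name, "missing fields: " + ", ".join(sorted(missing))))
        # Return of assets: still assigned to someone whose contract has ended.
        if a.get("holder") in leavers:
            findings.append((name, f"held by leaver {a['holder']}"))
        # Software licence inventory: more copies in use than purchased.
        if a.get("licences_used", 0) > a.get("licences_purchased", 0):
            findings.append((name, "licences used exceed licences purchased"))
        # Review cadence: the date of next assessment has passed.
        nxt = a.get("next_assessment")
        if nxt is not None and nxt < today:
            findings.append((name, f"assessment overdue since {nxt.isoformat()}"))
    return findings

# Constructed sample register: one physical, one software and one data asset.
SAMPLE = [
    {"type": "physical", "name": "LAPTOP-017", "owner": "IT Manager", "importance": "high",
     "classification": "internal", "asset_number": "A-017", "serial": "SN123",
     "in_use": True, "last_checked_by": "j.smith", "last_checked": date(2024, 1, 10),
     "holder": "a.jones", "next_assessment": date(2024, 6, 1)},
    {"type": "software", "name": "Office Suite", "owner": "IT Manager", "importance": "medium",
     "classification": "internal", "version": "2021", "paid": True,
     "licences_purchased": 20, "licences_used": 23, "licence_location": "vendor portal",
     "deployed_at": "all laptops", "next_assessment": date(2025, 1, 1)},
    {"type": "data", "name": "Customer list", "owner": "Sales Director",
     "classification": "confidential"},
]

def review_sample():
    return check_register(SAMPLE, {"a.jones"}, date(2024, 9, 1))

if __name__ == "__main__":
    for asset, finding in review_sample():
        print(f"{asset}: {finding}")
```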
How to implement it
- Communicate the policy clearly. Don’t just email it out and expect everyone to read it. Hold a meeting or a training session.
- Train your employees. Explain why the policy is important and how their actions impact security.
- Enforce it. Make sure people are following the rules and that there are consequences for not doing so.
- Review and update it regularly. Your business changes, so your policy should too. Check it at least once a year.
Examples of using it for small businesses
- You might classify your customer list as a “confidential” asset. The policy would then state that this list can’t be shared outside the company without a specific approval.
- You create a simple process for onboarding a new employee that includes issuing them a laptop and software. The policy ensures this is done securely and that all assets are tracked.
Examples of using it for tech startups
- Your source code is a “top secret” asset. The policy dictates that all code must be stored in an encrypted repository with limited access.
- When a developer leaves, the policy guides the process for revoking their access to all systems and accounts to protect your intellectual property.
Examples of using it for AI companies
- Your training dataset is a “highly confidential” asset. The policy ensures this data is anonymised and encrypted, and that only authorised data scientists can access it.
- The policy specifies that any AI models you develop are to be backed up regularly to prevent data loss and ensure business continuity.
How the ISO 27001 toolkit can help
The ISO 27001 toolkit is a collection of pre-written documents, policies, and templates. It’s like having a security expert guide you through the process. The toolkit provides you with a ready-made Asset Management Policy that you can easily adapt to your company, saving you a ton of time and effort.
Information security standards that need it
This asset management policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
- NIST (National Institute of Standards and Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
List of relevant ISO 27001:2022 controls
The ISO 27001 standard has specific controls that relate to asset management. Here are a few key ones:
- ISO 27001:2022 Annex A 5.9 Inventory of information and other associated assets
- ISO 27001:2022 Annex A 5.10 Acceptable use of information and other associated assets
- ISO 27001:2022 Annex A 5.11 Return of assets
- ISO 27001:2022 Annex A 7.9 Security of assets off-premises
ISO 27001 Asset Management Policy Example
If you want to have a look at an example ISO 27001 asset management policy PDF click the link. It is redacted in places but gives you a good idea of what good looks like.
ISO 27001 Asset Management Policy FAQ
The ISO 27001 asset management policy template can be found at High Table. It covers the requirements of ISO 27001 and other standards and is an important document for knowing what to protect as well as controlling assets.
An asset management policy is a document that lays out what you do for the management of physical and data assets. It is a statement of what you do not how you do it. How you do it is located in your process, procedure and operating documents.
An asset management policy contains as a minimum:
Document Version Control
Document Contents Page
Purpose
Scope
Asset Management Policy
Principle
Inventory of Asset
Ownership of Assets
Acceptable use of assets
Return of Assets
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement
The purpose of the asset management policy is the identification and management of assets.
The scope of the asset management policy is all company employees and external party users. The scope covers all company information and physical assets.
The asset management principle is that company assets are known, identified and managed with appropriate protection in place.
For recording and managing assets you need an Inventory of Assets. Information and information processing, storing and transmitting devices are identified and an inventory of these assets is drawn up and maintained.
For each asset, at least the following is recorded:
• The asset name
• The asset owner
• The importance of the asset
• The classification of the asset
For physical assets, additionally, at least the following is recorded:
• Asset number
• Serial number
• Whether in use
• Last checked by and date
• What the asset does
Individuals, roles or teams are assigned ownership of assets.
Asset owners ensure assets are inventoried.
Asset owners ensure assets are appropriately classified and protected.
Asset owners ensure the proper handling when the asset is deleted or destroyed in line with the Information Classification and Handling Policy.
The asset owner may delegate routine tasks.
Yes. The asset management policy is required for ISO 27001 certification.
IT asset management is important because you cannot control what you do not know. If we do not know what we have, how can we control it? Having an effective asset management life cycle that covers the asset from purchase to disposal, with the appropriate IT technical controls on the asset, will allow us to secure our business and the information on which the business relies.
An asset management policy is important because it helps you to protect your assets from unauthorised access, use, disclosure, disruption, modification, or destruction. It also helps you to comply with relevant regulations and standards.
The ISO 27001 asset management policy must be documented, approved, communicated and reviewed at least annually. It should cover the entire asset management lifecycle, including the identification and classification of assets and the whole process from acquisition to destruction.
The benefits of the ISO 27001 asset management policy include:
Reduced risk of data breaches and cyberattacks
Improved protection of intellectual property and other valuable assets
Enhanced compliance with regulations and standards
Increased visibility into and control over organisational assets
Improved decision-making
The head of IT is responsible for the ISO 27001 asset management policy.
The IT department are responsible for implementing and managing the requirements of the ISO 27001 asset management policy.
The ISO 27001 asset management policy is reviewed after any significant change that affects the asset management lifecycle and at least annually.
You can get more information and free resources including training and videos on the ISO 27001 asset management policy at the High Table website.
No, it covers everything of value, from data to buildings.
Yes, it helps protect your most important information and builds trust with clients.
An asset is something of value you own or control, while a resource can be a tool or person used to achieve a task.
The policy should have a plan for what to do in that situation, like reporting it right away.
Not making it accessible or easy to understand for everyone.
No, but you might want to consult with a security expert.
No, it also helps protect against accidents, like an employee accidentally deleting a file.
The person who is accountable for a specific asset’s protection and use.
It ensures that devices and data used by remote employees are just as secure as those in the office.
No, it should make things more efficient by creating clear rules and processes.
A senior IT manager or even the founder can take on the role of overseeing the policy.
Absolutely, it’s a key part of demonstrating that you’re protecting sensitive data.