You cannot control what you do not know, so the ISO 27001 physical asset register is the register of all things that store, transmit or process data. There are some key things to record about each asset.
Think of it as a detailed list of all your company’s physical stuff. It’s a key part of keeping your business’s information safe and sound, especially if you’re aiming for an ISO 27001 certification.
Table of contents
- What Is It?
- Applicability to Small Businesses, Tech Startups, and AI Companies
- ISO 27001 Physical Asset Register Template
- Why You Need It
- When You Need It
- Where You Need It
- How to Write It
- How to Implement It
- Examples of using it for small businesses
- Examples of using it for tech startups
- Examples of using it for AI companies
- How the ISO 27001 Toolkit Can Help
- Information security standards that need it
- List of relevant ISO 27001:2022 controls
- ISO 27001 Physical Asset Register FAQ
What Is It?
A Physical Asset Register is just a fancy name for an inventory of all your physical assets. We’re talking about things you can touch and see. This isn’t just a list, though; it’s a way to keep track of who uses what, where it’s located, and how important it is. It’s an essential document for showing you’re serious about protecting your assets.
Applicability to Small Businesses, Tech Startups, and AI Companies
This asset register is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.
- Small Businesses: You might think you don’t need this, but you do. Even a handful of laptops and servers need to be tracked to ensure your customer data is safe.
- Tech Startups: You’re all about innovation, but don’t forget the basics. Laptops, servers, and even your fancy office security system are all physical assets that need to be accounted for.
- AI Companies: Your physical assets might include high-powered servers, specialized hardware for machine learning, and racks of data storage. Protecting these is crucial to your core business.
ISO 27001 Physical Asset Register Template
The ISO 27001:2022 Physical Asset Register Template is designed to fast-track your implementation and give you an exclusive, industry best-practice template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.
Why You Need It
Honestly, everyone needs it! If you handle sensitive information, you need a way to protect the physical things that hold that information.
You need it to show you’re serious about information security. The ISO 27001 standard requires you to manage your assets to protect your information. This register is a big part of that. It helps you:
- Identify risks: If you know what you have, you can protect it better.
- Prevent theft: It’s tough to steal something that’s being tracked.
- Manage repairs and maintenance: You can easily see when a device needs an update or a check-up.
When You Need It
You need a physical asset register when you’re getting serious about your security. The best time to start is when you first get a piece of equipment, but if you haven’t started yet, there’s no time like the present! It’s a key part of your journey toward ISO 27001 certification.
Where You Need It
You need it for every physical item that helps your business run. This includes everything from laptops and mobile phones to servers, network routers, and even your office keys. If it holds or helps protect data, it should be in your register.
How to Write It
Writing one is easy! You can use a simple spreadsheet. Just be sure to include:
- Asset Name: Like “Dell XPS Laptop.”
- Asset ID: A unique number for each item.
- Location: Where it is right now (e.g., “Marketing Department,” or “Server Room”).
- Owner: The person responsible for the item.
- Description: What it is and what it’s used for.
- Importance Level: How critical is this asset to your business? (e.g., “High,” “Medium,” “Low”).
How to Implement It
Getting started is simple.
- Do an inventory: Walk around your office and list everything.
- Create your spreadsheet: Use the fields we mentioned above.
- Assign IDs: Put a unique sticker or tag on each item.
- Keep it updated: Every time you get a new piece of equipment, add it to the list.
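The register described in these two sections is simple enough to keep as a CSV file, and a short script can check that it stays complete and current. The following is an added example written for this page, not code from the original or from the ISO 27001 toolkit: the column names follow the fields listed above plus the encryption, anti-virus and last-reviewed fields mentioned in the FAQ; the sample rows, the 90-day review window and the function names are assumptions.

```python
"""Sanity-check a physical asset register kept as CSV.

Added example for this page; not code from the original or from the
ISO 27001 toolkit. Column names, sample rows and the review window are
assumptions chosen to match the fields the page lists.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample register (not real assets). Row A-003 appears twice and
# A-005 has no location, so the checks below have something to find.
SAMPLE_REGISTER = """\
asset_id,asset_name,location,owner,description,importance,encrypted,antivirus,last_reviewed
A-001,Dell XPS Laptop,Marketing Department,J. Smith,Marketing laptop,High,yes,yes,2024-05-01
A-002,Dell XPS Laptop,Home Office,R. Patel,Developer laptop,High,no,yes,2024-05-10
A-003,HP ProLiant Server,Server Room,IT Team,File and print server,High,yes,no,2023-11-01
A-003,Cisco Router,Server Room,IT Team,Office edge router,Medium,n/a,n/a,2024-04-20
A-005,iPhone 14,,M. Lee,Sales mobile,Low,yes,yes,2024-05-15
"""

# Fields the page says every entry needs (plus the FAQ's last-reviewed date).
REQUIRED_FIELDS = ("asset_id", "asset_name", "location", "owner", "importance", "last_reviewed")
REVIEW_WINDOW_DAYS = 90  # assumed review cadence; use what your ISMS requires


def _cell(row, field):
    """Return a stripped cell value, treating a missing column as empty."""
    return (row.get(field) or "").strip()


def check_register(csv_text, today_iso):
    """Return a list of (asset_id, problem) findings.

    Checks: required fields present, asset_id unique, high-importance assets
    encrypted and running anti-virus, and every asset reviewed within the window.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    seen_ids = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        aid = _cell(row, "asset_id") or "<missing id>"
        for field in REQUIRED_FIELDS:
            if not _cell(row, field):
                findings.append((aid, f"missing {field}"))
        if aid in seen_ids:
            findings.append((aid, "duplicate asset_id"))
        seen_ids.add(aid)
        if _cell(row, "importance").lower() == "high":
            if _cell(row, "encrypted").lower() == "no":
                findings.append((aid, "high-importance asset not encrypted"))
            if _cell(row, "antivirus").lower() == "no":
                findings.append((aid, "high-importance asset without anti-virus"))
        reviewed = _cell(row, "last_reviewed")
        if reviewed:
            try:
                age = today - date.fromisoformat(reviewed)
            except ValueError:
                findings.append((aid, "unparseable last_reviewed date"))
            else:
                if age > timedelta(days=REVIEW_WINDOW_DAYS):
                    findings.append((aid, "review overdue"))
    return findings


def run_sample():
    """Check the constructed sample as of an assumed audit date."""
    return check_register(SAMPLE_REGISTER, "2024-06-01")


if __name__ == "__main__":
    for asset_id, problem in run_sample():
        print(f"{asset_id}: {problem}")
```

Run it against an export of your own spreadsheet (most spreadsheet tools save as CSV) before an internal audit; a duplicate ID or an empty owner field is exactly the kind of gap an assessor will ask about, and a stale review date is the "keep it updated" step not being done.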
Examples of using it for small businesses
You have 10 laptops and a small server. Your register would list each laptop with its user and a unique ID. It would also track your server and where it’s kept.
Examples of using it for tech startups
Your register includes all the laptops for your developers, a server rack in a co-location facility, and a biometric scanner for your office.
Examples of using it for AI companies
You’d track your high-end graphics cards, specialised servers for AI models, and the network hardware that connects it all.
How the ISO 27001 Toolkit Can Help
Instead of starting from scratch, you can get a head start with an ISO 27001 toolkit. This includes pre-made templates for things like your physical asset register. They can save you tons of time and make sure you’ve got all the right fields and information to comply with the standard.
Information security standards that need it
This asset register is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
- NIST (National Institute of Standards and Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
List of relevant ISO 27001:2022 controls
The ISO 27001:2022 standard has specific controls that relate to a physical asset register. Some of the most important ones include:
- ISO 27001:2022 Annex A 5.9 Inventory Of Information And Other Associated Assets
- ISO 27001:2022 Annex A 7.9 Security Of Assets Off-Premises
- ISO 27001:2022 Annex A 5.11 Return Of Assets
- ISO 27001:2022 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets
ISO 27001 Physical Asset Register FAQ
An ISO 27001 physical asset register is used to record the physical devices that store, process or transmit data throughout an organisation. It records key control information. We cannot protect what we do not know about, so we record all our devices.
For information security asset registers we are only interested in assets that process, store or transmit data. An accounting asset register is a register of all assets and, for example, would include screens, chairs, desks and computer mice.
A list of assets that process, store or transmit data, together with control information such as who owns the asset, what it does, what data it processes, its classification, its criticality, its physical characteristics, the date it was last reviewed and by whom, and the status of encryption and anti-virus.
An ISO 27001 physical asset register template can be downloaded from High Table: The ISO 27001 Company.
In our experience a spreadsheet works best, so an ISO 27001 physical asset register xls
You’d mark it as “lost” in your register, note the date, and start a search.
It can be on paper, but a digital spreadsheet is way easier to manage and update.
This one is specifically focused on security and is required by the ISO 27001 standard.
Not usually, unless it holds a lot of sensitive information, like a secure filing cabinet.
That’s a different register. This one is just for physical stuff.
You should update it every time you add or remove an asset.
You still track it and note its location, like “Home Office” or “Remote.”
Yes, but it’s good to have a backup person who knows how it works.
You can group similar items together, like “Dell Laptops (x15),” but it’s better to list each one separately if you can.
A simple spreadsheet is fine, as long as it includes all the necessary information.
You still track it! Even old equipment can be a security risk.
You’d update the owner field and make sure the asset is returned.
No, it’s also just good business practice!
You would update the status in the register to “out of service” or “disposed of.”
You still need to track all the equipment you’ve given to your employees.