This guide will help you understand what assets are, which categories of assets you should consider, and how to document them on Secfix to fulfil ISO 27001 requirements.
What is an Asset in the Context of ISO 27001?
In the context of ISO 27001, an asset is anything that is valuable to the organization and may be critical for maintaining its business operations and delivering products/services. This can range from tangible items such as hardware to intangible items like brand reputation or intellectual property. In terms of ISO 27001, each asset should contain at least the following information:
Name
Owner
Description
Which Assets are Relevant for ISO 27001?
Secfix divides the inventory into three sections: Automated assets (Employee Computers, Employees, Cloud Assets), Information assets, and Custom assets.
Automated assets
These asset categories are automatically fetched with the help of Secfix automation:
Employee computers are automatically populated from the Computers page once each employee has installed the Secfix agent.
Employees are automatically populated from your identity provider (e.g., Google Workspaces or Office365).
Cloud assets are automatically populated from your cloud infrastructure provider (e.g., AWS, Azure, or GCP).
Example of how to document automated assets (screenshots of the Employee Computers, Employees, and Cloud assets views in the original article).
Information assets
Information assets are data or pieces of information that hold value for an organization, such as customer records, financial documents, or proprietary research. They can exist in various forms, including digital files, printed documents, or knowledge held by employees.
To document them properly, you can make use of the following structure:
The Information Assets template can be found in the Google Drive/OneDrive folder your CSM shared with you.
| Asset Category | Asset Name | Description |
|---|---|---|
| Information assets | Customer data | Data stored by <Company Name> customers |
| Information assets | User and organization information | User information of <Company Name> employees and customers |
| Information assets | Intellectual property | Source code and company intellectual property |
| Information assets | Task management system | Task management system used to centrally track, maintain, and manage internal requests (e.g., access requests) and change management activities |
| Information assets | Legal documents | Customer contracts, vendor contracts, invoices, personnel contracts, etc. |
| Information assets | Access credentials | User names, passwords, tokens, certificates |
| Information assets | Printed documents | Archive documents, personnel files, disaster recovery documents, embezzlement forms, customer contracts, etc. |
| Information assets | Company policies and procedures | Documents that detail the operations of the organization and its systems |
| Information assets | Processes | Processes in the organisation that contain information that must not be compromised or changed, or processes whose continuity is important for the business objectives and reputation of the organisation (e.g., ISMS process, HR process, R&D process, Legal process, Software Development process, etc.) |
Example of how to document information assets (screenshot in the original article).
Custom assets
Custom assets refer to specific valuable components tailored to an organization's operations, encompassing elements like databases, cloud infrastructure, data centers, and various software or hardware items. These assets can range from customer-facing applications and internal business tools to licenses and mobile devices crucial for daily operations.
To document them properly, you can make use of the following structure:
Please adapt it to your company as you see fit.
| Asset Category | Tag | Description |
|---|---|---|
| Custom assets | Databases | <SQL, Epic, mongodb> |
| Custom assets | Cloud infrastructure | <AWS, OTC, Azure, GCP, etc.> |
| Custom assets | Data centers | <add your data center name here> |
| Custom assets | Network devices | Network components and security systems such as switches, modems, firewalls, access points, routers, printers, etc. |
| Custom assets | Customer-facing applications | Applications used by customers to access <Company Name>'s service |
| Custom assets | Internal business applications | All software and applications used in <Company Name> |
| Custom assets | Licences | Google Workspaces, Office365 licences, antivirus software licences, other licence-requiring applications, etc. |
| Custom assets | Mobile devices | Mobile devices |
Example of how to document custom assets (screenshot in the original article).
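The guide states that every asset needs at least a Name, an Owner and a Description, and that the inventory is split into the three Secfix sections listed above. The following added example (not Secfix's own code or export format) shows how an ISMS owner can run a completeness check over an exported inventory before an audit: it flags rows that lack one of the three minimum fields, rows filed under a section the inventory does not use, and groups assets by owner so unowned items stand out. The CSV column names and the sample rows are constructed assumptions for illustration.

```python
"""Completeness check for an ISO 27001 asset inventory export.

Added example, not Secfix's own code: the column layout and the sample
rows below are assumptions chosen to illustrate the fields the guide
requires (Name, Owner, Description) and the three inventory sections.
"""
import csv
import io

# Minimum information the guide requires for every asset.
REQUIRED_FIELDS = ("Name", "Owner", "Description")

# The three sections of the Secfix inventory described in the guide.
VALID_CATEGORIES = {"Automated assets", "Information assets", "Custom assets"}

# Constructed sample export (assumed format). Two rows are deliberately
# incomplete and one uses a category outside the three sections.
SAMPLE_CSV = """Category,Name,Owner,Description
Information assets,Customer data,Head of Engineering,Data stored by Example Corp customers
Information assets,Access credentials,,"User names, passwords, tokens, certificates"
Custom assets,Production database,DBA team,PostgreSQL cluster in AWS eu-central-1
Hardware,Office printer,Office Manager,Printer in the Berlin office
Automated assets,alice-laptop,alice@example.com,
"""


def check_inventory(csv_text: str) -> list[str]:
    """Return one human-readable finding per problem; an empty list means the export passes."""
    reader = csv.DictReader(io.StringIO(csv_text))
    expected = ("Category",) + REQUIRED_FIELDS
    missing_cols = [c for c in expected if c not in (reader.fieldnames or [])]
    if missing_cols:
        # Without the required columns nothing else can be checked meaningfully.
        return [f"export is missing column(s): {', '.join(missing_cols)}"]

    findings = []
    for row_no, row in enumerate(reader, start=2):  # header occupies line 1
        label = (row.get("Name") or "").strip() or f"row {row_no}"
        for field in REQUIRED_FIELDS:
            if not (row.get(field) or "").strip():
                findings.append(f"{label}: missing {field}")
        category = (row.get("Category") or "").strip()
        if category not in VALID_CATEGORIES:
            findings.append(
                f"{label}: unknown category '{category}' (use one of the three Secfix sections)"
            )
    return findings


def assets_by_owner(csv_text: str) -> dict[str, list[str]]:
    """Group asset names by owner; assets with an empty Owner land under '(unowned)'."""
    grouped: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        owner = (row.get("Owner") or "").strip() or "(unowned)"
        grouped.setdefault(owner, []).append((row.get("Name") or "").strip())
    return grouped


if __name__ == "__main__":
    for finding in check_inventory(SAMPLE_CSV):
        print("FINDING:", finding)
    for owner, names in assets_by_owner(SAMPLE_CSV).items():
        print(f"{owner}: {', '.join(names)}")
```

Run it against a CSV export with the same four columns; every finding points at a row that an ISO 27001 auditor would also question, and the `(unowned)` group is the list of assets that still need an accountable owner assigned.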
Managing assets efficiently is a cornerstone of a successful ISMS. Ensuring you've properly identified and added all pertinent assets to your Secfix inventory is a proactive step in achieving ISO 27001 alignment. Should you need further assistance, do not hesitate to contact our support team on the chat inside the app for more detailed guidance.