Asset Management Procedure
Asset Management Procedure
Internal 2 of 5
1. Scope
The scope will be applicable to all activities under scope statement of Information Dynamics.
ISO 27001:2013 Domain Reference: A.8: Management
2. Inputs
• Asset Register
• Asset List
3. Definitions
• Asset Owner: The owner of an asset
• Custodian: Person or responsible for the maintenance of asset
• Labeling: Embossing the asset with identifications based on their Confidentiality, Integrity and Availability aspect.
4. Asset Management Procedure
4.1. Inventory of Assets
• The identification of assets is done on the basis of labeling on assets by the respective owners.
4.2. Asset Labeling
• The Asset List contains information, data and software assets.
• Assets are labeled according to their Confidentiality, Integrity and Availability Unclassified information is classified as Restricted by default.
• Hardware, physical assets including office equipments are labeled by Administration department.
ID has identified seven Information Asset classes. These are:
• People
• Information
Asset Management Procedure
Internal 3 of 5
• Equipment
• Tools
• Environment
• Services
• Tools
• The asset register contains the following information about the asset, for easy recovery:
• Information class
• Type asset;
• Location;
• Asset Owner Custodian
• Department
The register is updated as and when a new asset is added to the Asset list maintained by the departments.
4.3. Ownership of Assets
• The assets are allocated to varied individual/group/department and the responsibility of the asset lies with its owner.
• The Asset Owner is responsible for the overall maintenance of the asset along with the custodian.
• The labeling of the asset is done by the owner.
4.4. Operation of Assets
• The acceptable use of information assets & assets associated with information processing facilities is as per the End user guideline.
4.5. Maintenance Assets
• The Asset Register identifies different custodian for the assets. The responsibility of the asset lies with the custodian. However the general maintenance is also responsibility of the Asset Owner.
• The maintenance of the asset is done by the custodian as per the IT Infrastructure Guideline and Administration Guideline, where IT Infrastructure Administration Administration are custodians respectively.
• Any incident causing a threat to the asset is reported by the Asset Owner as per the Incident Procedure.
4.6. Disposal of Assets
• Retention time of assets is defined by the respective asset owner.
Asset Management Procedure
Internal 4 of 5
• The Information and Data asset which includes hard copies is shredded before disposal so as to avoid any leakage of information outside ID. Only confidential information contained in hard copies is shredded.
• The hardware devices before disposal are devoid of any confidential or restricted information per the User Guideline.
Asset disposal process shall follow the below steps:
Step1: All assets that needs to be disposed shall be the information asset owner. The asset shall be disposed based on the type of asset.
Step 2: copy assets shall be shredded whenever there is a requirement. Also this activity will be done by collating hard copy and shredding the same on one cycle.
Step 3: Hard disks shall be securely disposed through high level formatting, degaussing techniques or physically damaging the devices
Step 4: Optical devices like CD/DVD shall be physical damaged.
Step 5: The asset disposal list be verified with the actual assets that have been disposed. same shall signed off by asset owner.
5. Associated Documentation
• Asset Disposal list Template
• Disposal form
6. Review
• The asset is updated as and when a new asset procured or developed by ID.
• The Asset Register and the Asset Lists is audited at the time of audits as per the Security Audit Procedure.
7. Outputs
• Asset Register
• Information Asset list
• Inventory list
8. KPIs
Ensure information in the asset sheet matches the assets maintained by the department
