History Log | ||
Version | Date | Author |
1.1 | 1st November 2018 | Information Dynamics |
1.2 | 29th December 2019 | Saravanan & Sureshkutty |
1.3 | 24th December 2020 | Saravanan & Sureshkutty |
1.4 | 24th December 2021 | Saravanan & Sureshkutty |
1.5 | 24th December 2022 | Saravanan & Sureshkutty |
The scope will be applicable to all activities under the scope statement of Information Dynamics.
ISO 27001:2013 Domain Reference: A.8: Asset Management
ISO 27001:2013 Reference | |
A.8.1.1 | Inventory of Assets |
A.8.1.2 | Ownership of assets |
A.8.1.3 | Acceptable use of assets |
A.8.1.4 | Return of assets |
A.8.2.2 | Labeling of Information |
A.8.3.2 | Disposal of Media |
Asset Register
Asset List
Asset Owner: The owner of an asset
Custodian: Person or Department responsible for the maintenance of the asset
Labeling: Embossing the asset with identifications based on their Confidentiality, Integrity and Availability aspect.
The identification of assets is done on the basis of labeling on assets by the respective owners.
The Asset List contains information, data and software assets.
Assets are labeled according to their Confidentiality, Integrity and Availability aspect Unclassified information is classified as Restricted by default.
Hardware, physical assets including office equipments are labeled by Administration department.
ID has identified seven Information Asset classes. These are:
People
Information
Equipment
Tools
Environment
Services
Tools
The asset register contains the following information about the asset, for easy recovery:
Information Asset class
Type of asset;
Location;
Asset Owner and Custodian
Department
The register is updated as and when a new asset is added to the Asset list maintained by the departments.
The assets are allocated to varied individual/group/department and the responsibility of the asset lies with its owner.
The Asset Owner is responsible for the overall maintenance of the asset along with the custodian.
The labeling of the asset is done by the asset owner.
The acceptable use of information assets & assets associated with information processing facilities is as per the End user guideline.
The Asset Register identifies different custodian for the assets. The responsibility of the asset lies with the custodian. However the general maintenance is also responsibility of the Asset Owner.
The maintenance of the asset is done by the custodian as per the IT Infrastructure Guideline and Administration Guideline, where IT Infrastructure Administration and Administration are custodians respectively.
Any incident causing a threat to the asset is reported by the Asset Owner as per the Incident Management Procedure.
Retention time of the assets is defined by the respective asset owner.
The Information and Data asset which includes hard copies is shredded before disposal so as to avoid any leakage of information outside ID. Only confidential information contained in hard copies is shredded.
The hardware devices before disposal are devoid of any confidential or restricted information as per the End User Guideline.
Asset disposal process shall follow the below steps:
Step1: All assets that needs to be disposed shall be identified by the information asset owner. The asset shall be disposed based on the type of asset.
Step 2: Hard copy information assets shall be shredded whenever there is a requirement. Also this activity will be done by collating all hard copy information and shredding the same on one cycle.
Step 3: Hard disks shall be securely disposed through high level formatting, degaussing techniques or physically damaging the devices
Step 4: Optical devices like CD/DVD shall be physical damaged.
Step 5: The asset disposal list shall be verified with the actual assets that have been disposed. The same shall be signed off by the asset owner.
Asset Disposal list Template
Media Disposal form
The asset list is updated as and when a new asset is procured or developed by ID.
The Asset Register and the Asset Lists is audited at the time of audits as per the Information Security Audit Procedure.
Asset Register
Information Asset list
Inventory list
KPIs | Frequency | Objective | Source | Target |
Review of Asset Sheet | Quarterly | Ensure information in the asset sheet matches the assets being maintained by the department | Information Asset sheet | 100% Compliant |