Asset Management Procedure

History Log

Version

Date

Author

1.1

1

st

November 2018

Information Dynamics

1.2

29

th

December 2019

Saravanan & Sureshkutty

1.3

24

th

December 2020

Saravanan & Sureshkutty

1.4

24

th

December 2021

Saravanan & Sureshkutty

Asset Management Procedure

Internal 2 of 5

1. Scope

The scope will be applicable to all activities under the scope statement of Information Dynamics.

ISO 27001:2013 Domain Reference: A.8: Asset Management

ISO 27001:2013 Reference

A.8.1.1

Inventory of Assets

A.8.1.2

Ownership of assets

A.8.1.3

Acceptable use of assets

A.8.1.4

Return of assets

A.8.2.2

Labeling of Information

A.8.3.2

Disposal of Media

2. Inputs

• Asset Register

• Asset List

3. Definitions

• Asset Owner: The owner of an asset

• Custodian: Person or Department responsible for the maintenance of the asset

• Labeling: Embossing the asset with identifications based on their Confidentiality, Integrity

and Availability aspect.

4. Asset Management Procedure

4.1. Identification and Inventory of Assets

• The identification of assets is done on the basis of labeling on assets by the

respective owners.

4.2. Asset Labeling

• The Asset List contains information, data and software assets.

• Assets are labeled according to their Confidentiality, Integrity and Availability

aspect Unclassified information is classified as Restricted by default.

• Hardware, physical assets including office equipments are labeled by

Administration department.

ID has identified seven Information Asset classes. These are:

• People

Asset Management Procedure

Internal 3 of 5

• Information

• Equipment

• Tools

• Environment

• Services

• Tools

• The asset register contains the following information about the asset, for easy

recovery:

• Information Asset class

• Type of asset;

• Location;

• Asset Owner and Custodian

• Department

The register is updated as and when a new asset is added to the Asset list maintained by

the departments.

4.3. Ownership of Assets

• The assets are allocated to varied individual/group/department and the

responsibility of the asset lies with its owner.

• The Asset Owner is responsible for the overall maintenance of the asset along

with the custodian.

• The labeling of the asset is done by the asset owner.

4.4. Operation of Assets

• The acceptable use of information assets & assets associated with information

processing facilities is as per the End user guideline.

4.5. Maintenance of Assets

• The Asset Register identifies different custodian for the assets. The responsibility

of the asset lies with the custodian. However the general maintenance is also

responsibility of the Asset Owner.

• The maintenance of the asset is done by the custodian as per the IT Infrastructure

Guideline and Administration Guideline, where IT Infrastructure Administration

and Administration are custodians respectively.

• Any incident causing a threat to the asset is reported by the Asset Owner as per

the Incident Management Procedure.

4.6. Disposal of Assets

• Retention time of the assets is defined by the respective asset owner.

Asset Management Procedure

Internal 4 of 5

• The Information and Data asset which includes hard copies is shredded before

disposal so as to avoid any leakage of information outside ID. Only confidential

information contained in hard copies is shredded.

• The hardware devices before disposal are devoid of any confidential or restricted

information as per the End User Guideline.

Asset disposal process shall follow the below steps:

Step1: All assets that needs to be disposed shall be identified by the information asset

owner. The asset shall be disposed based on the type of asset.

Step 2: Hard copy information assets shall be shredded whenever there is a requirement.

Also this activity will be done by collating all hard copy information and shredding the

same on one cycle.

Step 3: Hard disks shall be securely disposed through high level formatting, degaussing

techniques or physically damaging the devices

Step 4: Optical devices like CD/DVD shall be physical damaged.

Step 5: The asset disposal list shall be verified with the actual assets that have been

disposed. The same shall be signed off by the asset owner.

5. Associated Documentation

• Asset Disposal list Template

• Media Disposal form

6. Review

• The asset list is updated as and when a new asset is procured or developed by ID.

• The Asset Register and the Asset Lists is audited at the time of audits as per the

Information Security Audit Procedure.

7. Outputs

• Asset Register

• Information Asset list

• Inventory list

8. KPIs

KPIs

Frequency

Objective

Source

Target

Review of

Asset Sheet

Quarterly

Ensure information in the asset sheet

matches the assets being maintained by

the department

Information

Asset sheet

100%

Compliant