Asset Management Procedure
History Log
Version
Date
Author
1.1
1
st
November 2018
Information Dynamics
1.2
29
th
December 2019
Saravanan & Sureshkutty
1.3
24
th
December 2020
Saravanan & Sureshkutty
1.4
24
th
December 2021
Saravanan & Sureshkutty
Asset Management Procedure
Internal 2 of 5
1. Scope
The scope will be applicable to all activities under the scope statement of Information Dynamics.
ISO 27001:2013 Domain Reference: A.8: Asset Management
ISO 27001:2013 Reference
A.8.1.1
Inventory of Assets
A.8.1.2
Ownership of assets
A.8.1.3
Acceptable use of assets
A.8.1.4
Return of assets
A.8.2.2
Labeling of Information
A.8.3.2
Disposal of Media
2. Inputs
Asset Register
Asset List
3. Definitions
Asset Owner: The owner of an asset
Custodian: Person or Department responsible for the maintenance of the asset
Labeling: Embossing the asset with identifications based on their Confidentiality, Integrity
and Availability aspect.
4. Asset Management Procedure
4.1. Identification and Inventory of Assets
The identification of assets is done on the basis of labeling on assets by the
respective owners.
4.2. Asset Labeling
The Asset List contains information, data and software assets.
Assets are labeled according to their Confidentiality, Integrity and Availability
aspect Unclassified information is classified as Restricted by default.
Hardware, physical assets including office equipments are labeled by
Administration department.
ID has identified seven Information Asset classes. These are:
People
Asset Management Procedure
Internal 3 of 5
Information
Equipment
Tools
Environment
Services
Tools
The asset register contains the following information about the asset, for easy
recovery:
Information Asset class
Type of asset;
Location;
Asset Owner and Custodian
Department
The register is updated as and when a new asset is added to the Asset list maintained by
the departments.
4.3. Ownership of Assets
The assets are allocated to varied individual/group/department and the
responsibility of the asset lies with its owner.
The Asset Owner is responsible for the overall maintenance of the asset along
with the custodian.
The labeling of the asset is done by the asset owner.
4.4. Operation of Assets
The acceptable use of information assets & assets associated with information
processing facilities is as per the End user guideline.
4.5. Maintenance of Assets
The Asset Register identifies different custodian for the assets. The responsibility
of the asset lies with the custodian. However the general maintenance is also
responsibility of the Asset Owner.
The maintenance of the asset is done by the custodian as per the IT Infrastructure
Guideline and Administration Guideline, where IT Infrastructure Administration
and Administration are custodians respectively.
Any incident causing a threat to the asset is reported by the Asset Owner as per
the Incident Management Procedure.
4.6. Disposal of Assets
Retention time of the assets is defined by the respective asset owner.
Asset Management Procedure
Internal 4 of 5
The Information and Data asset which includes hard copies is shredded before
disposal so as to avoid any leakage of information outside ID. Only confidential
information contained in hard copies is shredded.
The hardware devices before disposal are devoid of any confidential or restricted
information as per the End User Guideline.
Asset disposal process shall follow the below steps:
Step1: All assets that needs to be disposed shall be identified by the information asset
owner. The asset shall be disposed based on the type of asset.
Step 2: Hard copy information assets shall be shredded whenever there is a requirement.
Also this activity will be done by collating all hard copy information and shredding the
same on one cycle.
Step 3: Hard disks shall be securely disposed through high level formatting, degaussing
techniques or physically damaging the devices
Step 4: Optical devices like CD/DVD shall be physical damaged.
Step 5: The asset disposal list shall be verified with the actual assets that have been
disposed. The same shall be signed off by the asset owner.
5. Associated Documentation
Asset Disposal list Template
Media Disposal form
6. Review
The asset list is updated as and when a new asset is procured or developed by ID.
The Asset Register and the Asset Lists is audited at the time of audits as per the
Information Security Audit Procedure.
7. Outputs
Asset Register
Information Asset list
Inventory list
8. KPIs
Frequency
Objective
Source
Target
Quarterly
Ensure information in the asset sheet
matches the assets being maintained by
the department
Information
Asset sheet
100%
Compliant