ISMS

November 22, 2017

Without an Information Asset Register the chances of maintaining an Information Security Management System (ISMS) are slim.  This short post looks at why an asset register is required, what should be in it and how it helps prioritise the information assets.

“Know your assets” to deliver an effective ISMS

A key finding of our “Design, Build and Maintain your ISMS” post, was that the prioritisation of information assets that are key to business is important to safeguard the information and data that truly matters.

Whether in strict compliance with ISO27001, or as a general approach to information security, a defined ISMS helps the organisation to better understand their assets, vulnerabilities and evolving risk.

However, the key to begin this process, is to identify and record the information assets first. Whilst this may sound obvious to some, asset identification and ownership can be surprisingly difficult to achieve and can appear daunting.

Without an ISMS and register you will gamble away your assets

ISMS Essential Knowledge: What is an Information Asset Register?

An information asset register is used to record and manage information assets. It will enable the identification and management of the risk posed to them.  It will also inform the implementation of any controls used to mitigate the vulnerabilities.

If the organisation (particularly the security team) does not fully understand the types of information it holds, as well as the purpose for which it is held, then it will be difficult to protect it from external attack or internally generated compromise. It will also be difficult for the business to fully exploit the same asset.

The importance of information asset monitoring is covered in this paper:

Use these benefits of ISMS monitoring in your business case

Is an ISMS possible without an Information Asset Register?

If pursuing ISO 27001 compliance with the design work and audit that this requires, then the answer is no. Even for those who are not pursuing compliance, it would likely be too complex to try to achieve information security without a register than with one.

Establishing an asset register and agreeing the assets that feature in it can be a rewarding experience. Not only will it assist with risk management and reduction but it also provides opportunity for efficiency and productivity improvement to make life easier for operational personnel.

A good ISMS will identify where departments have created duplicate assets

Particularly for larger organisations, there is a strong likelihood that different departments are unecessarily duplicating records for very similar purposes. You might also find legitimate assets hidden within other assets. The potential reduction in duplication is something to be welcomed, especially if it also simplifies risk management and strengthens the security effort.

This is particularly important given the developments regarding personal data due to regulation such as EU GDPR.

Explore Next Gen SIEM

ISMS Design Phase: Creating the Information Asset Register

Be aware that the likelihood of a register being accurate and completed by the first draft is very low. Concentrate on drafting a workable asset register that can be subsequently maintained.

A “starter for 10” is to check if a register (or even registers!) already exist. Don’t discount them just because they are old. If the organisation still undertakes the same core purpose then old registers are likely to have relevance even where any technology has long since moved on or been updated.

The information security team should try to compile an asset list for themselves without commissioning a project or an onerous schedule of work. Consider (and record) how the business, departments and personnel get work done and the information they need in order to do so.

Creating the Asset Register – Pitfalls and problems

You will need to be careful not to discourage the involvement of others but prepare for stakeholders to assume that a database is an information asset. Be ready to explain how the database is just a means by which information assets are created, hosted and accessed.  This is the same for computer file shares, shared email mailboxes, and all those paper records held within offices that are easily forgotten.

ISMS pitfalls, problems and light bulb moments

Another common mistake is where a control or line of defence such as a firewall, anti-malware system or a security initiative such as a DMARC implementation is considered for inclusion. Whereas defences undoubtedly have value, their role is to protect information assets and help control risk. You should be in a position where you are able to tolerate the attack or even loss of security defences if it means of information assets and sensitive data.

Something else to consider is where a single information asset straddles numerous formats and locations, or where different assets are faced with very similar risks and share controls. The ISMS team can legitimately consider whether to subdivide information assets or group them together due to their similarity and risk. This can save time. The important thing is to group assets because of business need and not because of technology. The reasoning here is that whilst technology frequently changes, “business needs” rarely do.

Questions to identify “key” ISMS assets

To help identify assets and consider their criticality to business, ask these questions:

  • Does the information asset have value and a lifecycle?
  • Could the relevant department/organisation function without the asset?
  • How long could the department/organisation function with only partial access to the asset?
  • Who else would be affected should the asset be lost/compromised? E.g. Customers, partner organisations, suppliers etc.
  • Is there a regulatory requirement regarding the asset? E.g. EU GDPR
  • Is there a sensitivity classification applied to the asset? E.g. UK HMG GSC

Questions such as these ultimately determine how “key” your asset is to the organisation. Answering these questions effectively means that you are prioritising the assets in order to work out which ones need protecting most.

The ISMS protects things we can least afford to lose

Information Asset Register key values

As ISO 27001 has developed over the years is has become less prescriptive about the information risk methodology that can be employed. This has extended to the contents of the asset register however, there are some best practice values that should be included:

  • Name: A simple and clear label – bear in mind this label might exist across any number of documents in a large ISMS.
  • Description: Consider what the asset actually does and how it enables business.
  • Location: Where is it stored, hosted and maintained?
  • Owner: Who, at a senior level in the business, most benefits from the asset?
  • Users: The business units and personnel who use the asset.
  • Classification & Caveat: Official, Official-Sensitive, Secret, Top Secret etc.
  • Size: Number of records, data subjects, case files etc.
  • Personal data: Yes or No.
  • Format: Database records, spreadsheets, word documents, paper files etc.
  • Risks: Considerations of the loss of Confidentiality, Integrity or Availability of the asset.
  • Key Asset: Yes or No

Should there be any values, columns (in the inevitable spreadsheet!) or additional information you want to add then do so. You need to compile something that another person could readily understand, inherit and update in the future. Thinking about recent data protection regulation change, registers could also record where assets are routinely shared or transferred to other organisations and data processors. If this is the case it could also be recorded as it will influence the risk assessment.

The ISMS – It’s all about managing Information Risk

Our “ISMS Design, Build and Maintain” post looked at how important maintenance is. Maintaining the asset register as threat, risk and occasionally even information purpose evolves is part of this work. If you think that the “information purpose” for an information asset is changing, particularly for personal data, you need to consult your Data Protection Officer (DPO). The DPO will consider if there are any problems of data being collected for one purpose, potentially being used for another. In the UK the website of the Information Commissioner’s Officer provides data protection advice.

The ISMS is all about managing risk and avoiding disaster

To successfully manage risk, you will need to engage and inform the business stakeholder who understands what the business needs from the information asset. It is for them to confirm to you if it continues to fulfil the necessary function. This person is the Information Asset Owner (IAO) and is likely to be associated with a particular operational position.  IAO is a term worth adopting if you haven’t already.

The IAO should be able to tell you [in broad terms] who legitimately accesses the asset, why they have access and for what purpose the asset is required.

It is through effective information asset management as well as engagement with key roles such as the IAO, CISO and SIRO that the wider organisation will buy into the purpose of an effective ISMS and will continue to benefit from it.

Download Next Gen SIEM Brochure

BLOG POSTS

Related Cybersecurity Content

Joint Advisories keep coming: Heads in the clouds

April 10, 2024

As predicted in early 2024 another joint advisory was recently released from the Five-eyes intelligence and cyber security community. This time the advice relates to governments and corporations moving to cloud infrastructure...

Read more

Operational Resilience – Your obligations and FCA PS21/3

March 18, 2024

Operational resilience requirements are being rolled out across the UK and beyond. UK finance firms are required to improve their operational resilience in accordance with Financial Conduct Authority (FCA) Policy Statement PS21/3 (the Policy).

Read more

Getting value from your cyber investments

February 5, 2024

A recent KPMG Report suggests that protecting against and dealing with cyber risks will be the major challenge for senior executives in 2024. It is clear that despite high levels of security investment, organisations continue to suffer from cyber attacks.

Read more

Agency resilience, compliance & reputation: a cyber governance perspective

January 31, 2024

The Australian Signals Directorate’s (ASD) recent publication of their Cyber Threat Report 2022-2023 unearthed a range of areas for concern for government departments and critical infrastructure entities at local, State and Federal level.

Read more

How to improve access to cyber insurance & re-insurance

October 13, 2023

As cyber risks increase, organisations are encountering the longer life cycle of insurance renewals and the need to demonstrate better management of security controls and their effectiveness.

Read more

A tale of two conferences

October 6, 2023

Highlights and insights from the recent Managed Services Summit in London & the ISACA Central Chapter Conference on Digital Trust, in Birmingham, UK. With two recent conferences in the space of three days, some interesting challenges were very evident in the topics discussed. Being very different events, the challenges were quite different, but interestingly they […]

Read more

2022’s least wanted: Rockstar vulnerabilities that should be has-beens

September 28, 2023

In early August 2023, the latest joint advisory on persistent vulnerabilities was issued by the intelligence and security agencies[1] of the “Five-eyes” community. These joint advisories are becoming more common. Perhaps recognising the growing importance of shared security information and the common nature of many of the threats faced – the weight they carry makes […]

Read more

Active management for operational and cyber resilience

September 27, 2023

The quality of your risk assessment and the security information it provides is important; if you plan to use it to actively manage your operational and cyber resilience activities. Organisations are constantly exposed to a rapidly changing threat environment, so you really need a similarly rapid evidence-based feedback system that informs you of the ongoing […]

Read more

Applying an Australian regulator’s cyber audit findings, in a UK context

September 26, 2023

The UK market has its own regulators, security standards and challenges. And while rulings from SEC in the US or the Australian Prudential Regulation Authority (APRA) in Australia don’t apply to UK companies, for the most part, the observations are undoubtedly relevant and the resulting advice instructive. It would be wrong to think UK financial […]

Read more

Cyber Gap Measurement & Evidence – The New Standard of Quantifiable Internal Assessment

September 18, 2023

<<< Part 2a: Australia’s Essential Eight: Beyond Endpoint Control <<< Part 2b: Activating UK NCSC & US NIST Guidelines: Beyond Endpoint Control Part 4: Systematic Measurement of Cyber Controls >>> As much as we invest into cyber security controls, external threats are inevitable. In a recent Notifiable Data Breaches Report from the Office of the […]

Read more

SIGN UP TO RECEIVE CYBER SECURITY INSIGHTS

Read by directors, executives, and security professionals globally, operating in the most complex of security environments.

Marketing(Required)
Agree(Required)