ISMS Essentials: Quick Guide to the Information Asset Register
Without an Information Asset Register the chances of maintaining an Information Security Management System (ISMS) are slim. This short post looks at why an asset register is required, what should be in it and how it helps prioritise the information assets.
“Know your assets” to deliver an effective ISMS
A key finding of our “Design, Build and Maintain your ISMS” post was that prioritising the information assets that are key to the business is important if you are to safeguard the information and data that truly matters.
Whether in strict compliance with ISO27001, or as a general approach to information security, a defined ISMS helps the organisation to better understand their assets, vulnerabilities and evolving risk.
However, the key to beginning this process is to identify and record the information assets first. Whilst this may sound obvious to some, asset identification and ownership can be surprisingly difficult to achieve and can appear daunting.
ISMS Essential Knowledge: What is an Information Asset Register?
An information asset register is used to record and manage information assets. It will enable the identification and management of the risk posed to them. It will also inform the implementation of any controls used to mitigate the vulnerabilities.
If the organisation (particularly the security team) does not fully understand the types of information it holds, as well as the purpose for which it is held, then it will be difficult to protect it from external attack or internally generated compromise. It will also be difficult for the business to fully exploit the same asset.
The importance of information asset monitoring is covered in this paper:
Is an ISMS possible without an Information Asset Register?
If pursuing ISO 27001 compliance, with the design work and audit that this requires, then the answer is no. Even for those who are not pursuing compliance, it would likely be more complex to achieve information security without a register than with one.
Establishing an asset register and agreeing the assets that feature in it can be a rewarding experience. Not only will it assist with risk management and reduction but it also provides opportunity for efficiency and productivity improvement to make life easier for operational personnel.
Particularly for larger organisations, there is a strong likelihood that different departments are unnecessarily duplicating records for very similar purposes. You might also find legitimate assets hidden within other assets. The potential reduction in duplication is something to be welcomed, especially if it also simplifies risk management and strengthens the security effort.
This is particularly important given the developments regarding personal data due to regulation such as EU GDPR.
ISMS Design Phase: Creating the Information Asset Register
Be aware that the likelihood of a register being accurate and completed by the first draft is very low. Concentrate on drafting a workable asset register that can be subsequently maintained.
A “starter for 10” is to check if a register (or even registers!) already exist. Don’t discount them just because they are old. If the organisation still undertakes the same core purpose then old registers are likely to have relevance even where any technology has long since moved on or been updated.
The information security team should try to compile an asset list for themselves without commissioning a project or an onerous schedule of work. Consider (and record) how the business, departments and personnel get work done and the information they need in order to do so.
Creating the Asset Register – Pitfalls and problems
You will need to be careful not to discourage the involvement of others but prepare for stakeholders to assume that a database is an information asset. Be ready to explain how the database is just a means by which information assets are created, hosted and accessed. This is the same for computer file shares, shared email mailboxes, and all those paper records held within offices that are easily forgotten.
Another common mistake is where a control or line of defence such as a firewall, anti-malware system or a security initiative such as a DMARC implementation is considered for inclusion. While defences undoubtedly have value, their role is to protect information assets and help control risk. You should be in a position where you are able to tolerate the attack on, or even loss of, security defences if it means that information assets and sensitive data are preserved.
Something else to consider is where a single information asset straddles numerous formats and locations, or where different assets are faced with very similar risks and share controls. The ISMS team can legitimately consider whether to subdivide information assets or group them together due to their similarity and risk. This can save time. The important thing is to group assets because of business need and not because of technology. The reasoning here is that whilst technology frequently changes, “business needs” rarely do.
Questions to identify “key” ISMS assets
To help identify assets and consider their criticality to business, ask these questions:
- Does the information asset have value and a lifecycle?
- Could the relevant department/organisation function without the asset?
- How long could the department/organisation function with only partial access to the asset?
- Who else would be affected should the asset be lost/compromised? E.g. Customers, partner organisations, suppliers etc.
- Is there a regulatory requirement regarding the asset? E.g. EU GDPR
- Is there a sensitivity classification applied to the asset? E.g. UK HMG GSC
Questions such as these ultimately determine how “key” your asset is to the organisation. Answering these questions effectively means that you are prioritising the assets in order to work out which ones need protecting most.
Information Asset Register key values
As ISO 27001 has developed over the years it has become less prescriptive about the information risk methodology that can be employed. This has extended to the contents of the asset register; however, there are some best-practice values that should be included:
- Name: A simple and clear label – bear in mind this label might exist across any number of documents in a large ISMS.
- Description: Consider what the asset actually does and how it enables business.
- Location: Where is it stored, hosted and maintained?
- Owner: Who, at a senior level in the business, most benefits from the asset?
- Users: The business units and personnel who use the asset.
- Classification & Caveat: Official, Official-Sensitive, Secret, Top Secret etc.
- Size: Number of records, data subjects, case files etc.
- Personal data: Yes or No.
- Format: Database records, spreadsheets, word documents, paper files etc.
- Risks: Considerations of the loss of Confidentiality, Integrity or Availability of the asset.
- Key Asset: Yes or No
Should there be any values, columns (in the inevitable spreadsheet!) or additional information you want to add then do so. You need to compile something that another person could readily understand, inherit and update in the future. Thinking about recent data protection regulation change, registers could also record where assets are routinely shared or transferred to other organisations and data processors, as this will influence the risk assessment.
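The field list above and the “key asset” questions earlier can be turned into a small, checked data structure, which is often the first step before the spreadsheet grows beyond one person’s understanding. The following is an added example and is not code from the original post: a Python register model using those field names, with checks for the pitfalls the post describes (a control such as a firewall recorded as an asset, a database named as the asset instead of the information it holds, a missing owner, risks that do not cover confidentiality, integrity and availability, and a Key Asset flag that contradicts the answers to the criticality questions). The keyword lists, the two criticality answer fields (business_can_function_without, regulated) and all sample rows are constructed assumptions.

```python
"""Added example (not from the original post): a minimal information asset
register modelled on the post's field list, with consistency checks that
flag the pitfalls the post describes. All sample rows are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Classification values taken from the post's field list.
CLASSIFICATIONS = {"Official", "Official-Sensitive", "Secret", "Top Secret"}

# Assumption: simple keyword heuristics. The post gives these as examples of
# things that are controls (not assets) or containers (not the asset itself).
CONTROL_WORDS = ("firewall", "anti-malware", "dmarc")
CONTAINER_WORDS = ("database", "file share", "mailbox")
CIA = ("confidentiality", "integrity", "availability")


@dataclass
class Asset:
    name: str
    description: str
    location: str
    owner: str            # the Information Asset Owner (IAO)
    users: str
    classification: str
    size: str
    personal_data: bool
    format: str
    risks: str            # should consider Confidentiality, Integrity, Availability
    key_asset: bool
    # Constructed fields recording answers to the post's criticality questions.
    business_can_function_without: bool = True
    regulated: bool = False


def suggested_key(a: Asset) -> bool:
    """Key if the business cannot function without it or a regulation applies."""
    return a.regulated or not a.business_can_function_without


def check_asset(a: Asset) -> List[str]:
    """Return a list of problems found in one register row (empty if clean)."""
    problems: List[str] = []
    for fname in ("name", "description", "location", "owner", "users", "format"):
        if not getattr(a, fname).strip():
            problems.append(f"{a.name or '<unnamed>'}: missing {fname}")
    if a.classification not in CLASSIFICATIONS:
        problems.append(f"{a.name}: unknown classification {a.classification!r}")
    text = f"{a.name} {a.description}".lower()
    if any(w in text for w in CONTROL_WORDS):
        problems.append(f"{a.name}: looks like a control, not an information asset")
    if any(w in a.name.lower() for w in CONTAINER_WORDS):
        problems.append(f"{a.name}: names a container; record the information it holds")
    for dim in CIA:
        if dim not in a.risks.lower():
            problems.append(f"{a.name}: risks do not consider {dim}")
    if a.key_asset != suggested_key(a):
        problems.append(f"{a.name}: Key Asset flag contradicts criticality answers")
    if a.personal_data and not a.regulated:
        problems.append(f"{a.name}: personal data but no regulatory requirement recorded")
    return problems


def check_register(assets: List[Asset]) -> Dict[str, List[str]]:
    """Map each asset name to its list of problems."""
    return {a.name: check_asset(a) for a in assets}


# Constructed sample register: one clean row and two rows showing pitfalls.
SAMPLE_REGISTER = [
    Asset(name="Customer contracts",
          description="Signed contracts and contact details for active customers",
          location="Contract management system, EU data centre",
          owner="Head of Sales (IAO)", users="Sales, Legal, Finance",
          classification="Official-Sensitive", size="~4,000 contracts",
          personal_data=True, format="PDF scans and database records",
          risks="Confidentiality (customer data), integrity (contract terms), "
                "availability (billing)",
          key_asset=True, business_can_function_without=False, regulated=True),
    Asset(name="Perimeter firewall",
          description="Firewall cluster protecting the office network",
          location="Head office comms room", owner="IT Manager", users="IT",
          classification="Official", size="2 appliances", personal_data=False,
          format="Appliance configuration",
          risks="Availability of internet access", key_asset=False),
    Asset(name="HR database",
          description="Database holding employee records",
          location="HR server", owner="", users="HR",
          classification="Official-Sensitive", size="350 employees",
          personal_data=True, format="Database records",
          risks="Confidentiality, integrity and availability of employee records",
          key_asset=False, business_can_function_without=False, regulated=False),
]

if __name__ == "__main__":
    for name, problems in check_register(SAMPLE_REGISTER).items():
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Running the block reports the contracts row as clean, flags the firewall row as a control (and as lacking confidentiality and integrity considerations), and flags the HR row for a missing owner, a container-style name, personal data with no regulatory requirement recorded, and a Key Asset flag that does not match the answer that the business cannot function without it.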
The ISMS – It’s all about managing Information Risk
Our “ISMS Design, Build and Maintain” post looked at how important maintenance is. Maintaining the asset register as threat, risk and occasionally even information purpose evolve is part of this work. If you think that the “information purpose” for an information asset is changing, particularly for personal data, you need to consult your Data Protection Officer (DPO). The DPO will consider whether there are any problems with data collected for one purpose potentially being used for another. In the UK the website of the Information Commissioner’s Office provides data protection advice.
To successfully manage risk, you will need to engage and inform the business stakeholder who understands what the business needs from the information asset. It is for them to confirm to you whether it continues to fulfil the necessary function. This person is the Information Asset Owner (IAO) and is likely to be associated with a particular operational position. IAO is a term worth adopting if you haven’t already.
The IAO should be able to tell you [in broad terms] who legitimately accesses the asset, why they have access and for what purpose the asset is required.
It is through effective information asset management as well as engagement with key roles such as the IAO, CISO and SIRO that the wider organisation will buy into the purpose of an effective ISMS and will continue to benefit from it.