ISO 27001 Annex A.8

ISO/IEC 27001 is an international standard that outlines the requirements for an information security management system (ISMS). One of the requirements of the standard is to manage assets in a way that ensures the confidentiality, integrity, and availability of the information processed, stored, and transmitted by those assets.

Meeting the asset management requirement of ISO/IEC 27001 involves several steps:

  1. Identify and document the assets in your organization that process, store, or transmit information. This includes both physical assets, such as computers and servers, and logical assets, such as software and databases.
  2. Assess the risks to each asset. This includes identifying the threats and vulnerabilities that apply to it and assessing the likelihood and impact of each.
  3. Implement controls to protect the assets. These can be technical controls, such as encryption and firewalls, or administrative controls, such as access controls and incident response plans.
  4. Monitor and review the controls. Regularly review the effectiveness of the controls and make any necessary adjustments. Also monitor the assets for any suspicious activity.
  5. Maintain records and document the process of asset management. This includes maintaining an inventory of assets, documenting the risks and controls, and keeping records of any incidents or security breaches.

Additionally, ensure that all employees in the organization are aware of their roles and responsibilities in the asset management process, and that the process itself is integrated into the organization's overall information security management system.

It is highly recommended to have a professional assessor certify the organization against the standard: the assessor checks that all requirements are met and issues a certificate, which enhances the trust of stakeholders.