Defining your ISO 27001 information assets

Learn how to define your ISO 27001 information assets and build an asset register for successful certification.

You might think of an “information asset” as information that is an asset to your organisation. You would be right, but in the context of ISO 27001 information assets also include assets associated with the information, as well as information processing facilities.

In plain English, this means all your hardware, software, devices (desktops, laptops, smartphones, tablets), offices and the people who have access to any/all of these are considered “information assets”. You need to have an inventory of all of those.

In this article, you will learn how to define your information assets and build an asset register:

  1. What does the standard say about information assets
  2. What are the different types of assets
  3. Asset register template

What does the standard say about ISO 27001 information assets

The ISO 27001 standard requires you to have an inventory of all your information assets, which it refers to as an “asset register”. The Asset Register should be accurate, up to date, consistent, and aligned with any other asset register you may already have; each asset must have an owner, and each asset must have a “classification”. (More on that later. It makes sense to define your classification scheme before you build your Asset Register, but don’t worry about it for now.)

What are the different types of assets

The types of assets you need to add to your Asset Register will vary depending on a few factors but will primarily depend on where your network infrastructure is, whether you have office premises and whether you store paper documents.

We like to group assets into categories. We’ve found this makes the register easier to manage and keep up to date, as you can assign different people to maintain different categories.

Examples of some information assets commonly found in each category are listed below.

  • CCTV
  • Door access control devices
  • Desktops
  • Embedded system (computer system embedded within a machine)
  • Fax machines and fax servers
  • Firewall
  • Generators
  • Inverter
  • IoT device
  • Laptops
  • Networked devices (scanners, copiers, printers, etc)
  • Optical Transmission
  • PBX
  • Physical Appliance
  • Power
  • Removable media
  • Router or switch
  • Server
  • Smartphones
  • Storage solution (SAN, NAS, External hard drives, etc)
  • UPS
  • Virtual Machines
  • VPN
  • WLAN
  • Active Directory
  • OpenLDAP
  • Other directory services
  • Collaborative software
  • DNS server
  • File server
  • Microsoft Exchange and Outlook
  • Mobile applications (apps)
  • Mobile Device Management System (MDM)
  • Microsoft Office products (Word, Excel, etc)
  • Other application (bought-in)
  • Own product (external components)
  • Own product (proprietary code)
  • Relational database systems
  • Samba server
  • Web application
  • Web browser
  • Web server
  • Archived information
  • Audit trail
  • Billing
  • Business Continuity
  • Contracts / agreements
  • Data file
  • Database
  • Information processed on behalf of clients
  • Intellectual property
  • Knowledge Base
  • Maintenance
  • Paper files
  • Partner Info
  • Portals
  • Processes, policies and procedures
  • Research information
  • Storage
  • System documentation
  • Training materials
  • User manuals
  • Key supplier
  • Supplier
  • Supplier and customer
  • Commercial partner
  • Data Centre / server room
  • Factory
  • Garage
  • Home office
  • Meeting, event and training rooms
  • Office
  • Records library / archive room
  • Room / cabinet for technical infrastructure
  • Warehouse

People who have access to your information, be it paper based or digital, are considered to be “information assets” themselves. Those generally are people your organisation has a contractual relationship with:

  • Employees
  • Contractors
  • Freelancers
  • Supplier employees/sub-contractors

Note that the assets you MUST add to your register are information assets. This doesn’t mean you can’t add other assets that are not related to the information you wish to protect.

Many organisations take the opportunity of building an asset register for their ISO 27001 certification to catalogue all their assets. Monitors, headsets, desks, laptop bags, vehicles, etc. are often all found in the same register. Similarly, if you already have an Asset Register for large items, you may wish to use it for the purpose of ISO 27001. The choice is yours.

Asset register template

The video above walks you through the use of our free asset register template.

Note: define your classification scheme before starting on your asset register.

Note: on the people tab, if you have a separate list of staff or an HR system, you may wish to simply refer to it from the people tab as a single line. 

Actionable steps:

Download our free asset register template

The template is easy to use; if you get stuck, refer back to the video above or get in touch.

Elisabeth Belisle

Elisabeth is an Associate Consultant of the British Standards Institute (BSI), a BSI qualified ISO Lead Auditor and member of the Standard Committee responsible for the publication of the BS 10008 Standard.

Elisabeth can help you decide if ISO 27001 is for you and support you through its implementation, all the way to certification.