ISO 27001 Annex: A.8 Asset Management

A.8.1 Responsibility for Assets

ISO 27001 Annex: A.8 Asset Management – Identifying and establishing acceptable security responsibilities for the organization’s assets is its objective.

A.8.1.1 Inventory of Assets


A list of all assets about information and information facilities of an organization should be maintained, as well as a record of these assets.

Implementation Guidance

It is expected that an organization would identify and document the essential assets of information. A life cycle of information includes the creation, processing, storage, transmission, erasure, and destruction of data. The documentation of current or specific inventories should be kept, as needed.

All assets on an inventory should be up-to-date, accurate, compatible, and synchronized with other inventories. A specific classification should be assigned to each asset, as well as an assessment of the asset’s ownership status.

Other Information

Asset inventories can aid in the safeguarding of assets, for instance, for health and safety, insurance, and financial purposes (asset management). Similarly, this may be achieved for other factors as well.

ISO/IEC 27005[11J lists assets that should be considered by the organization. A critical risk management requirement (for instance, ISO / IEC 27000 and ISO / IEC 2700511 standards) is how asset inventories are produced.

A.8.1.2 Ownership of Assets


Each asset must have its owner (asset-owner)

Implementation Guidance

As owners, individuals must have management authorization and be in charge of all assets throughout their lifetime.

To ensure timely assignment of asset ownership, a process is usually followed. When creating assets or transferring assets to an organization, ownership should be allocated. Owners of assets should manage them appropriately throughout their entire life cycles.

The asset owner has the following responsibilities:

– Maintaining an accurate inventory of assets
– Ensure proper asset classification and security
– Establishing and updating access constraints following existing access management policies, and classifying important assets;
– Maintaining proper asset management after deletion or destruction

Other Information

An asset owner may be either an individual or an entity who has full management control over the asset. Assets do not necessarily belong to the defined owner.

Routine duties can also be assigned, such as care of the properties by a custodian, but ultimate responsibility rests with the owner.

Complex information systems can benefit from identifying resources that provide a specific service. When this occurs, the owner is responsible for all services, including the asset’s operation.

Related Questions

1. What is ISO 27001 Annex A.8 Asset Management?
2. How do asset management companies work?
3. What types of asset management are there?
4. What are the benefits of asset management?
5. What controls are contained in ISO 27001 Annex: A.8 Asset Management?

About Author /

Start typing and press Enter to search