Asset Inventory

The first edition of the ISO 27001 standard in 2005 (and the BS standard issues that preceded it) required that the risk assessment be built on an information security asset inventory. The latest two editions of the standard, however, separated the two: the risk assessment requirements stayed in the body of the standard, while the inventory was exiled to Annex A, as if there were no relationship between them. But there is one, because a risk always arises from a threat to an asset or asset group that exploits a weakness of that asset. You cannot treat a risk directly; you treat the weaknesses of the assets behind it.

The inventory-related ISO 27001 requirement reads as follows:

“An inventory of information and other associated assets, including owners, shall be developed and maintained.” (A5.9)

The term ‘owner’ identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the asset. The term ‘owner’ does not mean that the person actually holds property rights to the asset. The primary purpose of the inventory is to ensure that each asset has an owner and that, through the owner, acceptable-use rules and security controls are assigned to it.

In order to keep the inventory transparent and usable, it is advisable to form asset groups. The importance of the asset inventory grows with the size of the organization, and so does the importance of grouping. Asset classification (A5.12) can be built on this inventory.

In theory it is possible to list only information items in the inventory and to treat the “associated assets” (e.g. hardware, software, services, personnel) as sources of risk to that information. But then a large number of risks is attached to each inventory item, which makes the result harder to comprehend.

There are basically two approaches to creating a relationship between the asset inventory and the risk assessment, both of which comply with the standard's requirements:

  • create an inventory and assign the most relevant risks to the items in it – this is the systematic approach, but you have to be careful not to overload yourself and not to bury important information in a stack of useless detail; you may limit the detailed risk assignment to high-value assets
  • create a list of the most relevant risks as perceived by the organization and assign the related assets to each – this is rather heuristic, but very focused

It is also advisable to base fulfilment of the return-of-assets requirement (A5.11) on an itemized inventory. The information security asset inventory helps here in identifying types of assets (e.g. media, tokens) that were not necessarily subject to a documented handover but still need to be recovered when a person leaves.

More articles from DACHS Computing & Biosciences