What is an “information asset”?
An information asset is something of value to the organisation that it is, at least in theory, possible to print on paper. Of course it would be ridiculous to try to print a database with 2 million records, but it is theoretically possible to do so.
This could be things like credit card data, PII, personnel paper files, payroll data, health records, board minutes, product designs, customer details, intellectual property, pricing details, source code, customer database, logs.
By this definition, the following are not information assets: people, servers, laptops. They could be considered "assets" of an organisation, but they are not "information" assets.
This could also include some things that are not actually "written" down. For example, there may be some business processes that currently exist only in someone's head and are not written down anywhere. There might also be some important business processes "inside" a machine. For example, a machine tool may be programmed with a series of instructions that are not actually written down anywhere but are nonetheless very important to the organisation. These unwritten business processes can be considered information assets, as it is theoretically possible for them to be written down and printed. And perhaps they should be.
How formal you want to be about this is up to you. Some people find it useful to have an "information asset register" which lists the information assets and some attributes of each asset, e.g. owner, criticality, etc. But only do this if you get some value out of it. This is not the same as an IT asset register, which is a list of things like servers and laptops.
If you want to protect your information assets then you will also need to protect whatever is "hosting" them, i.e. wherever the information is stored, kept or processed. This could be servers, networks, machines, cupboards, buildings, paper files, etc. As noted above, there might also be some people or machines who "host" valuable information that is not written down anywhere. The things that "host" information (e.g. servers) are sometimes called "supporting" or "secondary" assets in the context of information management. These need protecting, but as I say, they are not "information" assets.
From an ISO27001 perspective it is worth noting that the standard does not mandate that an organisation have an information asset register. However, it is reasonable for an organisation to have a good understanding of its "information assets", as without such an understanding an organisation cannot properly manage its "information". Kind of obvious really.
Chris
Thank you Chris for another post providing much clarity
IT Governance/ IT Service Management/ Business Continuity / InfoSec & Risk management
2 years
Great article, it surprises me how many organisations, including auditors, misinterpret this basic requirement.
Your vCISO & Auditor | ISO27001 | Cloudsecurity | Compliance | We automate your security, you focus on your business | Head of Compliance @ PCG (formerly WHYSEC)
2 years
Great article Chris Hall. You talk about optionally listing information assets and differentiate between an "it-asset register" and others. Would you then start listing your asset categories/groups in a simple table and then break down the respective systems which contain details on the "assets", e.g. HR system, it asset management system… or would you prefer covering all asset categories (HW, SW, network, cloud and non-IT-related ones like building, org…) in one DB? I have seen great tools out there to cover the topic of asset management holistically.