
Effective risk management requires knowing what you are protecting. The asset inventory forms the foundation upon which all subsequent security activities depend. You cannot protect assets you do not know you have, and you cannot prioritize protection without understanding relative criticality.
The concept of "asset" in ISO 27001 extends far beyond servers and laptops. Information assets include the data itself regardless of where it resides or its format. Customer databases, intellectual property, financial records, and employee personal information all represent information assets requiring protection.
Supporting assets enable information processing and storage. Hardware encompasses servers, workstations, mobile devices, networking equipment, and storage systems. Software includes operating systems, applications, databases, and cloud services. Physical assets include buildings, data centers, and secure areas.
Intangible assets often receive insufficient attention. Organizational knowledge and expertise, business processes, reputation, and third-party relationships all represent assets that security programs must consider.
Start with structured interviews of business unit leaders to identify critical information and supporting systems. Technical discovery tools can scan networks to identify hardware and software, but they cannot identify information assets or assess business criticality.
Review existing inventories from IT asset management, configuration management databases, and software license tracking. These provide starting points but typically require significant enrichment to serve ISMS purposes.
Do not attempt to inventory everything immediately. Begin with assets supporting critical business processes and expand systematically. A complete but unmanageable inventory serves no one.
Classification enables proportionate protection. Not every asset requires the same level of security investment. Classification schemes typically assess confidentiality, integrity, and availability requirements separately, though composite schemes are also common.
Confidentiality classification might distinguish public information anyone can access, internal information for employees only, confidential information for limited distribution, and highly confidential information requiring explicit authorization and tracking.
Integrity classification assesses consequences of unauthorized modification. Some information tolerates correction after the fact while other information requires prevention of any unauthorized change.
Availability classification considers how long systems can be unavailable before significant business impact occurs. Critical systems may require immediate recovery while others can tolerate extended outages.
Every asset needs an owner who bears accountability for its protection. Asset owners are typically business stakeholders who understand the asset's value and use, rather than the IT personnel who happen to manage it.
Owners are responsible for determining classification, approving access, assessing and accepting residual risk, and ensuring that controls are implemented and maintained. This accountability cannot be delegated to IT without business involvement.
Do assets include intangible items like reputation?
What enables proportionate protection investment?
Who is accountable for an asset's protection?