ISO 27701, Clause 6.5 – Asset Management

ISO 27701 Controls and Clauses Explained


Asset management is a key part of maintaining privacy protection, on a physical and digital level.

Organisations need to maintain crystal clear records of all relevant assets, in order to gain a top-down view of how PII and privacy-related data is flowing through the organisation.

Personnel who use any asset within an organisation’s ICT that has the ability to store or process PII should be made explicitly aware of what’s expected of them in terms of acceptable use and how such information is managed during an off-boarding period.

What’s Covered in ISO 27701 Clause 6.5

ISO 27701 6.5 contains four sub-clauses that deal specifically with privacy protection, within the context of asset management.

Each sub-clause relies on guidance contained within various sub-clauses of ISO 27002, with two sub-clauses containing the exact same guidance points:

  • ISO 27701 6.5.1.1 – Inventory of assets (References ISO 27002 Control 5.9).
  • ISO 27701 6.5.1.2 – Ownership of assets (References ISO 27002 Control 5.9).
  • ISO 27701 6.5.1.3 – Acceptable use of assets (References ISO 27002 Control 5.10).
  • ISO 27701 6.5.1.4 – Return of assets (References ISO 27002 Control 5.11).

ISO provides no additional guidance for PIMS-related activities, within the scope of asset management, nor are there any GDPR ramifications to take into account.


ISO 27701 Clause 6.5.1.1 – Inventory of Assets

References ISO 27002 Control 5.9

Categorising Inventories

To increase privacy protection, organisations should maintain an accurate, up-to-date, documented list of information and assets, including the ability to reference inventories across the organisation.

There are several ways in which organisations can improve their inventory operation, including:

  • Regularly reviewing the contents of an inventory, against what is actually held by the organisation.
  • Whenever an asset is changed, introduced or removed by the organisation, implementing procedures that automatically update the inventory as part of the change process.
  • Ensuring that inventories contain a ‘location’ field, to easily identify the whereabouts of each asset.

Inventories don’t need to be one large list of every physical and digital asset held. Instead, ISO encourages organisations to segregate out inventories on a category-by-category basis, including separate inventories for:

  • Information assets.
  • Hardware and software.
  • Virtual machines (VMs).
  • Facilities equipment.
  • Personnel records.

It’s important to note that – in the case of certain assets – not all information can be regularly maintained, and there is no need to include every last asset across the organisation’s entire physical and digital holdings – e.g. short-lived VMs that carry out a single purpose for a short time before being removed.

Ownership

All categorised assets should be given an official ‘owner’ – be that an individual, or a group (see ISO 27002 5.12 and 5.13) – which should change when job roles commence, cease or are amended.

Asset owners should ensure that:

  • All assets are correctly recorded and classified in an inventory.
  • Classifications are subject to periodical review.
  • All technology components are listed accordingly, and separately from physical assets (e.g. DB components).
  • The organisation adheres to an acceptable use policy (see ISO 27002 control 5.10).
  • Restrictions are placed on certain asset classifications, and are reviewed at appropriate times.
  • Whenever the organisation needs to delete or remove data from its inventory, that such data is disposed of securely.
  • Risk management is front and centre of all asset handling activities.
  • They offer adequate support to any personnel involved in privacy protection and information management.

Relevant ISO 27002 Controls

  • ISO 27002 5.10
  • ISO 27002 5.12
  • ISO 27002 5.13

ISO 27701 Clause 6.5.1.2 – Ownership of Assets

References ISO 27002 Control 5.9

See ISO 27701 clause 6.5.1.1.


ISO 27701 Clause 6.5.1.3 – Acceptable Use of Assets

References ISO 27002 Control 5.10

All personnel within the organisation who handle information or physical and digital assets should be made explicitly aware of their responsibilities towards privacy protection, including any general or topic-specific security requirements.

Acceptable use policies should clearly outline:

  • How the organisation classifies acceptable and unacceptable behaviour, within the scope of privacy protection.
  • How information (specifically PII) is allowed to be used across the network.
  • How the organisation intends to monitor the use of assets.

Procedures should be implemented that take into account the full lifecycle of PII, including:

  • Access restrictions that are relevant to PII.
  • A clear and up-to-date record of who is allowed to access PII data and related assets, and under what circumstances.
  • Adequate levels of security and storage for PII data – including temporary copies.
  • Taking into account the manufacturer’s recommendations when storing assets associated with privacy protection (see ISO 27002 7.8).
  • Clearly labelling all storage media with the details of the authorised user/recipient (see ISO 27002 7.10).
  • How PII data and associated assets are removed from the network and/or deleted and disposed of.

Relevant ISO 27002 Controls

  • ISO 27002 7.8
  • ISO 27002 7.10

ISO 27701 Clause 6.5.1.4 – Return of Assets

References ISO 27002 Control 5.11

Asset management procedures also need to include explicit guidelines on how the organisation manages the return of assets that have been involved in the processing or storage of PII, and other privacy-related information.

Whether personnel have used their own devices, or have been assigned an organisational asset, processes need to be put in place that safeguard PII by removing the data from the asset in question, and transferring information back to the organisation.

If personnel are subject to a notice period, organisations should take steps to ensure that PII is not compromised in any way by the off-boarding employee – including unauthorised sharing, transferring or deletion.

Organisations should develop workflows that cover the return of all assets involved with processing or storing PII, including (but not limited to):

  • Devices (laptops, mobiles, tablets, etc.).
  • USB drives.
  • Authentication tools and hardware (VPN validation assets and tokens, door/premises entry equipment).
  • Hard copies of PII.

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name    | ISO 27002 Control                                              | Associated GDPR Articles
6.5.1.1                     | Inventory of Assets      | 5.9 – Inventory of Information & Other Associated Assets       | None
6.5.1.2                     | Ownership of Assets      | 5.9 – Inventory of Information & Other Associated Assets       | None
6.5.1.3                     | Acceptable Use of Assets | 5.10 – Acceptable Use of Information & Other Associated Assets | None
6.5.1.4                     | Return of Assets         | 5.11 – Return of Assets                                        | None

How ISMS.online Helps

By adding a PIMS to your ISMS on the ISMS.online platform, your security posture remains all-in-one-place and you’ll avoid duplication where the standards overlap.

With your PIMS instantly accessible to interested parties, it’s never been easier to monitor, report and audit against both ISO 27002 and ISO 27701 at the click of a button.
