CHAPTER 6:
ASSET IDENTIFICATION

The first step in meeting the ISO27001 requirements for risk assessments is to identify all the information assets (and ‘assets’ includes information systems – which should be so defined in your information security policy) within the scope (4.2.1 - a) of the ISMS and, at the same time, to document which individual and/or department ‘owns’ the asset.

The asset identification exercise can only take place once the scope9 has been finalised.

Asset classes

ISO17799 identifies, in A.7.1.1, the six classes of assets that have to be considered, each of which should be referenced in your information security policy statement. They are as follows:

Information assets include information printed or written on paper, transmitted by post or shown in films, or spoken in conversation, as well as information stored electronically on servers, web sites, extranets, intranets, PCs, laptops, mobile phones and PDAs, on CD-ROMs, floppy disks, USB sticks, backup tapes and any other digital or magnetic media, and information transmitted electronically by any means. It includes databases and data files, contracts and agreements, system documentation, research information, user manuals, training material, operational or support procedures, business continuity plans, fallback arrangements, audit trails, and archived information.

9 It is critical that the scope of the ISMS be properly defined. The scoping requirements are discussed at length in chapter 6 of Information Security Risk Management for ISO27001/ISO17799 (Alan Calder and Steve G Watkins, ITGP, 2007, www.itgovernance.co.uk/products/789).

Software, which includes the sets of instructions that tell the system(s) how to manipulate information: operating systems, applications, development tools, utilities, etc.

Physical assets and hardware on which the information is manipulated: the computer and communications equipment (including, for instance, laptops, mobile phones, PDAs, etc), removable media (eg, USB sticks, CD-ROMs, backup tapes, etc) and infrastructure assets, such as server rooms, copper cable, fibre circuits, etc.

Services on which computer systems depend: computing and communications services, and general utilities such as heating, lighting, power and air-conditioning (burglar alarms might also be included).

People, who carry much information in their heads, together with the qualifications, skills and experience that are necessary for their interaction with the organization’s data.

Intangibles, such as intellectual property, reputation, brand image, etc.

Grouping of assets

It may, in some circumstances, be beneficial to group individual assets. BS7799-3 says: ‘Grouping similar or related assets into manageable collections can help to reduce the effort necessary for the risk assessment process’ (clause 5.2). The key here is to ensure that aggregating assets into groups does not override the benefit of identifying threats and vulnerabilities at the individual asset level: a group should only contain assets that share the same owner, the same threats and the same vulnerabilities, otherwise a risk that applies to one member is hidden behind the rating of the group.

Asset dependencies

In some cases, the dependency of one asset on another might affect the valuation of both assets, and these dependencies should be identified during this phase of the project. For instance, if the integrity of data output from a program depends on the integrity of the data input, then the input data must be valued at least as highly as the output that is derived from it. The integrity of the data might also be dependent on the availability of the power supply and the air conditioning. The confidentiality requirements of a specific data asset might require other assets in which it is manipulated or stored to be protected to a higher degree than might otherwise be the case. In each case the requirement flows from the dependent asset down to the asset it relies on, so the supporting asset’s valuation can never be lower than that of the assets depending on it.
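The following is an added worked example, not part of the chapter or of any ISO document: a small asset register that records each asset’s class (the six classes from A.7.1.1 above), its owner and its impact valuation, then propagates valuations down the dependency chains described in this section. The 1-5 impact scale, the asset names, owners and ratings, and the rule that a supporting asset inherits the highest rating of anything that depends on it are all assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The six asset classes of ISO17799 A.7.1.1.
ASSET_CLASSES = ("information", "software", "physical", "services", "people", "intangibles")
# Security properties valued for each asset. The 1-5 impact scale is an
# assumption of this example, not something the chapter prescribes.
PROPERTIES = ("C", "I", "A")
SCALE = range(1, 6)


@dataclass
class Asset:
    name: str
    asset_class: str
    owner: str
    valuation: Dict[str, int]
    # (other asset, property of THIS asset, property of the OTHER asset):
    # "my <prop> depends on their <prop>", e.g. ("power_supply", "I", "A")
    # means "my integrity depends on the power supply's availability".
    depends_on: List[Tuple[str, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.asset_class not in ASSET_CLASSES:
            raise ValueError(f"{self.name}: unknown asset class {self.asset_class!r}")
        if not self.owner:
            raise ValueError(f"{self.name}: every asset must have an owner")
        if set(self.valuation) != set(PROPERTIES) or any(v not in SCALE for v in self.valuation.values()):
            raise ValueError(f"{self.name}: valuation must rate C, I and A on 1-5")
        for other, mine, theirs in self.depends_on:
            if mine not in PROPERTIES or theirs not in PROPERTIES:
                raise ValueError(f"{self.name}: bad dependency on {other!r}")


def build_register(assets: List[Asset]) -> Dict[str, Asset]:
    """Index assets by name and reject dependencies on assets that were never identified."""
    register = {a.name: a for a in assets}
    if len(register) != len(assets):
        raise ValueError("duplicate asset names")
    for a in assets:
        for other, _, _ in a.depends_on:
            if other not in register:
                raise ValueError(f"{a.name} depends on unidentified asset {other!r}")
    return register


def missing_classes(register: Dict[str, Asset]) -> List[str]:
    """Asset classes with no entry yet: each of the six must at least be considered."""
    present = {a.asset_class for a in register.values()}
    return [c for c in ASSET_CLASSES if c not in present]


def effective_valuations(register: Dict[str, Asset]) -> Dict[str, Dict[str, int]]:
    """Propagate requirements down dependency chains.

    A supporting asset's effective rating for a property is the highest of its
    own rating and the effective rating of every asset that depends on it for
    that property. Iterating to a fixed point handles multi-step chains and
    terminates even if dependencies form a cycle, because ratings only ever
    rise and are capped at the top of the scale.
    """
    eff = {name: dict(a.valuation) for name, a in register.items()}
    changed = True
    while changed:
        changed = False
        for a in register.values():
            for other, mine, theirs in a.depends_on:
                required = eff[a.name][mine]
                if eff[other][theirs] < required:
                    eff[other][theirs] = required
                    changed = True
    return eff


def uplifts(register: Dict[str, Asset]) -> List[Tuple[str, str, int, int]]:
    """Ratings that dependencies raised above the owner's own valuation: (asset, property, before, after)."""
    eff = effective_valuations(register)
    return sorted(
        (name, p, a.valuation[p], eff[name][p])
        for name, a in register.items()
        for p in PROPERTIES
        if eff[name][p] > a.valuation[p]
    )


# Constructed sample register: names, owners and ratings are invented for illustration.
SAMPLE = build_register([
    Asset("company_reputation", "intangibles", "CEO", {"C": 5, "I": 4, "A": 3},
          [("payroll_output", "C", "C")]),
    Asset("payroll_output", "information", "HR Manager", {"C": 4, "I": 5, "A": 3},
          [("payroll_input", "C", "C"), ("payroll_input", "I", "I"),
           ("payroll_app", "I", "I"), ("payroll_clerk", "A", "A")]),
    Asset("payroll_input", "information", "HR Manager", {"C": 4, "I": 2, "A": 2},
          [("db_server", "C", "C"), ("db_server", "A", "A")]),
    Asset("payroll_app", "software", "IT Manager", {"C": 2, "I": 3, "A": 3}),
    Asset("db_server", "physical", "IT Manager", {"C": 2, "I": 2, "A": 3},
          [("power_supply", "A", "A")]),
    Asset("power_supply", "services", "Facilities Manager", {"C": 1, "I": 1, "A": 2}),
    Asset("payroll_clerk", "people", "HR Manager", {"C": 3, "I": 3, "A": 2}),
])

if __name__ == "__main__":
    print("classes not yet identified:", missing_classes(SAMPLE) or "none")
    for name, prop, before, after in uplifts(SAMPLE):
        print(f"{name}.{prop}: {before} -> {after} (raised by a dependent asset)")
```

Running the sample shows the chain the section describes: the reputation asset’s confidentiality rating of 5 pulls the payroll output, then the payroll input and finally the database server up to 5 for confidentiality, even though the server’s owner rated it 2; the power supply’s availability is raised because the server depends on it. The `missing_classes` check is the simple sanity test a practitioner wants before risk assessment starts: every one of the six classes should have been considered, even if the decision is that an organisation has no assets in one of them.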

Sensitivity classification

The asset owner is also responsible for determining the sensitivity classification of the asset. Control A.7.2.1 requires every information asset to be ‘classified in terms of its value, legal requirements, sensitivity and criticality to the organization’. The organization should have standard classification guidelines (there are comprehensive descriptions10 of how such guidelines should be developed and applied), and there needs to be a direct relationship between the allocated sensitivity classification of an asset and the impact of its security being breached. As a general guide, those assets that have a high impact valuation, particularly for confidentiality, are likely to have a high sensitivity classification, although other factors may also need to be considered.

10 See, specifically, chapter 8 of International IT Governance: an Executive Guide to ISO27001/ISO17799 (Alan Calder and Steve G Watkins, Kogan Page, 2006, www.itgovernance.co.uk/products/474).
