One that the first steps in setting up an info security management system is to develop an list of info assets. It is in vital step come make sure the right procedures will it is in taken: the assets are the basis because that identifying risks, and also thus because that the procedures that will certainly be bring away to alleviate risks.

You are watching: What is the purpose of identifying it assets and inventory?

What is an info asset?

As info asset is any beneficial information that the organisation has. An important here method that the organisation either obtained it at some cost, is actively using it now in some process or could use it because that some purpose in the future. The an interpretation of an asset is on purpose wide: it is important to identify all type and species of assets.An information assets can have countless different forms: it deserve to be a record document, a digital document, a database, a password or encryption vital or any kind of other digital file.Each legacy is save on part carrier favor paper, a USB stick, difficult drive, laptop, server, cloud or backup tape. The is not necessary to additionally identify every carriers. However if you believe that you could have particular risks that count on the kind of transport (e.g. Because that data top top USB rod or paper documents) girlfriend can add ‘other details on USB sticks’ as an asset come make sure your inventory is complete. The danger inventory is a device that should aid you understand and improve security.

What is in the inventory?

In order come comply with details security finest practices, there is some minimal compelled information per asset. Us have noted these item below. It is permitted to add additional fields to make the inventory more useful to your organisation.The required fields are:

Name and also description: it should be clean for world inside the firm what is meantOwner: every asset must have actually an owner that will certainly take last decisions on what should take place with the asset. It need to be a service owner: the it departement or info security team should not be owner of any type of asset. Commonly the owner is a director or an elderly manager, since the owner have to also carry out the budget for managing or boosting the asset.CIA. Information security is identified as confidentiality, integrity and availability of information. You have to make clean which of these three use to her asset. For countless assets it is all three (label: CIA). Because that published info confidentiality is no an concern so they have to be labeled IA.Personal data: There space in most countries special rules because that the treatment of an individual data. This data should have extr protection. It is important to know which assets contain an individual data so that anyone can check whether this assets have this additional protection.Access. It is not acceptable to provide anyone in one organisation accessibility to all assets. For instance PCI-DSS explicitly forbids such a straightforward access model. You need to specify roles (e.g. Client service, developers, operations staff, directors, HR) and specify using these roles who should have access.

The illustration below shows what a minimal inventory might look like. It is a screenshot of ours assets-risks excel template. Excel or an additional spreadsheet program, in mix with a shared drive, dropbox or cloud account is one method one can maintain the assets dangers inventory.


Asset categories

In bespeak to find all info assets, it is advantageous to usage categories for different varieties of assets. The categories deserve to be used as a checklist, to make sure one has actually thought of every aspects. We use ‘PEES DOT’ as a basic categorisation, both for risks and also assets (see our hazard assessment approach). The category descriptions are:

People: Information easily accessible to one human being or connected to unique roleEquipment: info inside or produced on/by specific devicesEnvironment: Information linked to determinants outside the company, e.g. City, regionSoftware: details stored by single IT systemsData: Structured info not attached to one software program system. Contains user produced contentOrganisation: any kind of information about the organisation, e.g. Org structure, processesThird parties: details from or regulated by details suppliers, customers or partners

If friend involve human being from every departments, and also you questioning them to think about all the PEES dot aspects, you should acquire a finish overview of all assets. Over there are more than likely some assets that fit into multiple categories (e.g. Database for particular software). This is not a problem, just pick a category that fits well. PEES period is no mandatory however a beneficial tool for discovery.


How to do the asset inventory

Creating the asset inventory is one of the very first actions the an info security team. As soon as we help teams with information security, we often do a an initial start in a workshop v the information security team and also some representatives from management. This renders sure that team and management gain a common understanding of information security priorities. The process can be an informal scrum process: participants very first write down their input because that themselves. Climate they share their results. After ~ the workshop, the details security team completes and maintains the information assets inventory.The inventory must be updated when extr assets room uncovered. Brand-new assets are often found in threats workshops (see this write-up on risk management), due to the fact that each threat is generally linked come an asset. Every time this happens, the information asset inventory must be expanded with the brand-new asset.The info asset inventory have to be validated frequently by the management and also the heritage owners. Management should inspect that all assets the they recognize of and care about are present. The asset owners should check whether lock recognize and also understand all assets that space assigned to them, and also are willing to be responsible for invest decisions for these assets.

See more: Why Was The Engineer Driving The Train Backwards Worksheet, Why Was The Engineer Driving The Train Backwards

Maintaining the heritage inventory

The legacy inventory have to be updated repetitively by the info security team based on new assets, risks, workshops, incidents and also questions from various other staff. It need to be validated routinely by management and also owners, for circumstances every quarter or every 6 months. We recommend to plan a constant information protection review meeting, where among the item on the agenda is the information asset inventory.

Further reading

This short article is part of a series of blog post on information security and also information security certification. The recommended reading order is: