Let’s chat
0330 043 0826 | [email protected]
InfoSec Governance Logo

How to build an asset register quickly and easily

In today’s blog article we’re going to be talking about asset registers and how you go about creating one and what type of registers you need as best practice.

To get the best out of your business, you will require two types of asset registers, one for all your physical devices, but specifically devices that can store, process, and transmit personal information, and everything else that has a cost to the business.

And you’ll also require an informational or data asset register.  This register is generally based around assets that are again process, transmit or store electronic data and which can be linked to your GDPR related data flows and mapping information.

Now both of these registers can be stored within the same workbook, simply placed within separate sheets for ease.

When it comes to your physical asset register, we’re going to be concentrating on devices, such as your pcs, laptops, servers, printers, mobile devices, any removable media you have, and this even includes wireless devices and so forth. Now for completeness you should also look at everything else within your business that has a cost. For example, shredders, NAS drives, even cars.

So how do you go about starting to create and populate an asset register? As a good starting point, if you are using Microsoft Active Directory, or Azure directory, or some sort of Mobile Device Management (MDM) you can export a list of devices out of this.

If you’re using something else or are not using a directory service, you may have to manually go around and inspect all assets unfortunately, this could be very time consuming. But it will be worth it in the end.

When it comes to creating an asset register, the easiest way to create one, is by simply using Microsoft Excel, Google Sheets or some other spreadsheet product.

Now theres no right or wrong answer when it comes to what information you need to log, but the following ones are what should be listed as a course of best practice.

  • An Asset number, this should be a unique number
  • Serial number of the device or asset
  • An asset owner, who is using and owns this asset
  • The status, is it in use or not
  • Data assigned to the asset owner
  • Date returned, if no longer in use by the owner
  • Date the asset was last checked
  • You can also have a column to say has it been patched and does it have anti-malware installed
  • Then you should also have the name of the person who checked the asset
  • You should have a description of the asset, what is it? It doesn’t have to be a lot, but be meaningful to someone reviewing the assets
  • You should look at having a column for saying what the asset does, does it have a specific function, for example domain controller, database or finance server
  • A column for what data is held on the asset should be included, is it personal information, marketing information, emails, databases etc.
  • How important is the asset to the business, for example: high, medium and low
  • Ideally you should have a classification column, is the asset listed, confidential, internal or public use?
  • You should have a location column, so you know where the asset is, is it at the head office, at home, on another site etc
  • Another good column, which is always nice to have is the asset cost, what’s the cost of the asset to the business? So if it gets stolen or lost, you know what the cost is.
  • Then lastly you should look at having a notes column and put any notes in there that may be of use to you.

And that’s it for the physical asset register, it sounds a lot, but doesn’t take that long to complete once you get started.

Now, when it comes to your informational asset register, this based around the similar guidelines, you need to identify what informational resources you have and log them.

So for this register you could have the following, again this is not set in stone to adjust for your business.

But we’d be looking for the following:

  • An Asset number, this should be a unique number
  • What is the asset, is it paper based, electronic etc
  • What does the asset do
  • Where is it located, for example onsite, in the cloud, which provider etc.
  • Who is the asset owner or 040team of people responsible for it
  • Does it process personal information
  • Who has access to it, ideally this should be group based access
  • What is the information classification, confidential, public, internal
  • Is this shared externally?
  • Retention period, for you to keep the information
  • Date last time it was checked
  • And a notes column

So once you have your physical and informational asset registers created and populated, you can be confident that you know what assets you have, where they are located, who they are allocated and so forth. This helps immensely if you are looking to go to IASME Cyber Assurance, or ISO 27001.

You can then also look at tying these assets to your risk based asset register so they link together.

You can download an example basic asset register here https://isgovern.com/wp-content/uploads/2024/05/Basic-Asset-Register.xlsx