How to create an asset management policy in around 10 minutes

In today's blog we're going to talk about how you can create an asset management policy, in around 10 minutes, that helps you comply with ISO 27001 as well as other information-security standards such as IASME Cyber Assurance.

We aren't going to cover asset management itself in much detail (how to log assets, who owns them and so forth), because we've already covered how to create an asset register. So if you haven't got an asset register that is fully populated and up to date, stop now, get your assets logged and see where you are.

Then come back to this blog article and let's get started on your policy. Ok, so what is an asset management policy and what does it cover? As the name says, it's a documented policy which explains how you are going to manage your assets, and it works closely alongside your asset register.

This policy doesn’t have to be huge, but it does need to include a few key areas, which we’re going to discuss now.

The policy will start by stating its purpose. Then it will define the scope of what the policy covers, followed by the inventory of your assets: your physical and virtual assets, your electronic data, and your paper-based assets, such as licensing and so forth.

Next up, there will be a section about the ownership of assets, so who owns what.

We'll document what is acceptable when it comes to using assets, and what happens when assets need to be returned.

Then finally we will look at compliance with the policy: we'll document how you measure what is compliant against the policy and what isn't, and what you will do about any non-compliance.

So let's get started, cover each section and see what you need to do to get your policy created.

As we said, right at the start of your asset management policy you will need a section stating the purpose of the policy. You will need wording along the lines of: the purpose of this policy is the identification and management of assets within the business.

It goes without saying that you should make sure everything within this policy reflects the real world within your business.

Once we have the purpose written up, the next section is the scope of the policy, i.e. what this policy applies to. Ideally the policy should apply to all employees and third-party users who access business information and services, and it should also cover all company information and all physical and virtual assets. If needed, you can also include paper-based assets, but this depends upon your business.

Now that we have the scope agreed, we can work on the big part: the inventory of assets, mainly the physical and virtual assets within the business.

This section can be broken up into a few parts. First we need to state what we are looking for: all assets that store, process or transmit information, on both physical and virtual devices (and paper-based ones, if required), are to be identified and maintained. This is what your asset register is for.

You should then go on to state that, for every asset which is logged, the following information is recorded. Again, this should tie up with the fields in your asset register.

As a minimum, you should be looking for:

  • A unique asset number
  • The asset name
  • The asset owner
  • The importance of the asset
  • The classification of the asset, e.g. is it confidential or publicly available
  • Is the asset in use
  • What does the asset do
  • Where is the asset located
  • And a description of what the asset does with the information being processed or transmitted.

Again, these are only the basics. You should look at your business and its requirements and decide what other information you need to keep, particularly anything that could be important when it comes to auditing.

Then you should have a section on ownership of assets. This is exactly what it sounds like: listing which users, groups or roles own which assets.

You should ensure that every asset has an owner, and that the owner is who they are meant to be, especially if assets have been repurposed.

You should also detail how assets are handled, and how information or assets are securely destroyed or wiped when no longer required.

Next we should have a section on the acceptable use of assets: what users or asset owners can and can't do with them. This should align with your acceptable use policy.

Then you should have a section on the return of assets: if an asset is no longer required, or someone leaves the business, what is the process for receiving the asset back and ensuring that all information on it is returned?

Lastly, you should have a policy compliance section. This should detail what happens if anything within this policy is not met or does not work, and it can fall in line with your internal audits.

In those audits you look for any non-compliance, exceptions or areas for improvement.

And that is it. As you can see, this doesn't have to be a big document, but there are key areas which you need to document.

You can download an example asset management template here: