Building an effective ISMS - Part 2: Asset identification

Previously

In our previous article, we explored how to lay a solid foundation for ISO 27001 certification, including strategizing and preparing essential documents. These steps are vital for creating an Information Security Management System (ISMS) that fits your organization's specific needs. Now, we're moving on to a key phase in the ISO 27001 preparation process: identifying and documenting primary and support assets.

Introduction to Asset Management

Asset management is crucial because it helps us understand exactly what we need to protect to keep our business running smoothly. It's more than just making a list; it's about understanding each asset's role in our organization and how they all fit together. 

1. Identify and Understand Your Primary Assets

Primary assets are directly linked to your organization's core functions and are indispensable for its survival and growth. Identifying Primary Assets requires a thorough analysis of your business operations to pinpoint which assets, if compromised, would significantly disrupt your business. 

Engage with department leaders to understand the specific data, processes and services they consider critical. 

They typically are one of 3 different types:

  • Data: This includes things like customer information, proprietary business knowledge or intellectual property, financial records, and any other data whose integrity, confidentiality, and availability are crucial for your business continuity.
  • Business Processes: These are the operations essential for delivering your products or services, from manufacturing lines in a production company to transaction processing in a financial institution.
  • Services: These include the essential services that your business provides to customers or relies on internally to operate efficiently. This could range from cloud-based services ensuring seamless customer interactions in a tech company, to logistic services in a retail business that ensure timely delivery of products. Identifying critical services involves understanding the services that, if disrupted, would significantly impact your business operations or customer satisfaction.

For each of the identified primary assets, we need to figure out the main stakeholders and their business requirements, because this will define the amount of effort/money we'll need to spend to protect them:

  • Asset criticality: How important is this primary asset to our business (e.g. low, medium or high)
  • Recovery Time Objective (RTO): How long can we accept a primary asset to be impacted until it starts impacting our business
  • Recovery Point Objective (RPO): If an incident happens, what amount of data is the business we willing loose to define the frequency of backups we need to take (e.g. a few seconds will be much more expensive than a daily or weekly backup)
  • Service Level Agreement (SLA): Specific contractual agreements that need to be respected 
  • Regulatory requirements: Specific regulations that are applicable to the asset
  • Any other special Confidentiality, Integrity or Availability requirements
  • Important stakeholders
  • (optionally) Financial value of the asset

Questions to Consider:

  • Can you list the data that are critical to our daily operations that when interrupted they would have a direct or indirect impact on the company?
  • What are the key processes or services, and what legal or privacy requirements do they have?
  • (RTO) After a disruption, how quickly do we need this asset to be back up and running to avoid significant impacts on our operations?
  • (RPO) How much data loss can we tolerate for this asset without it affecting our business operations?
  • For each primary asset, can you detail the specific SLA commitments, legislative and privacy obligations we must adhere to, and the levels of confidentiality, integrity, and availability that are required to ensure its security and compliance?
  • Who are the stakeholders for these critical data, processes and services?

Deliverable:

  • List with primary assets, their type (process, service or data), their business requirements and stakeholders/owner

Primary asset

Type

Requirement

Owner

Patient records

Data

Criticality: medium
RTO: 1 hour
RPO: 1 day
Regulatory: GDPR, Medical regulation
Stakeholder: Patient, Doctor Z, Relatives

Doctor X

Online banking

Process

Criticality: high
RTO: 5 minutes
RPO: 1 second
Regulatory: Finance regulation, PCI DSS
Stakeholder: Account holder, Regulator, ...

CTO


2. Support Assets: Ensuring Operational Continuity

Next up, we need to understand the dependencies for our primary assets to function well . These supporting assets ensure that our primary assets keep working as expected and can be identified during discussions with different stakeholders (e.g. IT managers and facilities managers) to understand which components are deemed critical for maintaining business operations and the physical security measures in place.

  • Technology Infrastructure: Hardware (servers, workstations) and software (databases, application servers) that store, process, and protect data.
  • Physical Facilities: Locations critical to your operations, such as data centers, offices, and any area housing sensitive information or critical infrastructure.
  • Human Resources: Employees who manage, maintain, or support your IT systems and business operations play a pivotal role in the security of primary assets.

Questions to consider

  • What technology infrastructure supports our key data, processes and services?
  • Can you identify any third-party services or suppliers critical to our operations?
  • What could break that would have a direct impact on our primary assets/business?

Deliverable :

  • List with primary assets and their supporting assets

Primary Asset

Supporting assets

Patient records

MySQL Database Server A

MySQL Database Server B

Redis Server
Patient software

Research data

Google Drive

Workstations

Transaction data

MySQL Database Server A
MySQL Database Server B
Financial software

Client information

CRM Software
Gmail
Google Drive

Product blueprints

Workstations
Confluence
Design software

Production

Machine A
Machine B
Operation manual
Trained machine operator


3. Document ownership of primary and supporting assets

Another important activity is to identify the ownership and roles for the management of both primary and supporting assets. The RACI methodology offers a structured approach to assign clear responsibilities, ensuring that every asset is properly managed and protected. 

  • Responsible (R): This denotes individuals or teams who execute the tasks and activities. In the context of ISMS, these are the personnel who implement the security controls, procedures, and policies.
    • Which team or individual directly manages or operates this asset on a day-to-day basis?
    • Who is performing the regular maintenance or updates needed for each asset?
  • Accountable (A): The single individual who is ultimately accountable (or owner) for the correct and thorough completion of the task or activity. Within ISO 27001, this is typically a senior manager or the Information Security Officer, who ensures that processes are followed and objectives are met. 
    • Who is the ultimate owner of this asset, responsible for its overall management and the outcomes of its use?
    • In case of an incident involving this asset, who is the point person for decision-making and remediation actions?
  • Consulted (C): These are the experts or stakeholders who are consulted to provide insights and information necessary for a task. Their role is to contribute knowledge and expertise to ensure the effectiveness of information security measures.
    • Which stakeholders or experts should be engaged when making significant decisions about this asset?
    • Are there any external partners or advisors that provide critical insights or expertise for managing this asset?
  • Informed (I): Parties that are kept updated on the progress or outcomes of activities, but are not directly involved in the task execution. They need to be aware of potential impacts on their areas of responsibility or interest.
    • Which stakeholders or experts should be engaged when making significant decisions about this asset?
    • Are there any external partners or advisors that provide critical insights or expertise for managing this asset?


To maintain ISO 27001 compliance as the company expands, it's essential to regularly update the RACI model and asset identification to reflect the organization's growth and changes. To do this, your asset identification and management process should include answers to the following questions

  • How often should we review and update the RACI matrix to reflect changes in our asset portfolio or organizational structure?
  • What process do we have in place to ensure new assets are promptly added to our RACI matrix, and responsibilities are assigned accordingly?
  • As our company continues to grow and change, what strategies should we implement to ensure ongoing monitoring of our assets and the seamless integration of new ones into our existing model when needed?

Deliverable:

  • List of assets (primary and supporting) with the different RACI roles
  • A process document describing how asset identification and management implemented

4. Initial Risk Identification

During the asset identification process, engaging in conversations with various asset owners not only helps in pinpointing the primary and support assets but also serves as an opportune moment to start gathering insights on any known risks that these assets might be exposed to. 

This step is crucial as it complements the identification of internal and external issues we tackled earlier in our ISO 27001 preparation journey, providing a more comprehensive view of the potential challenges that could impact the organization's security posture and business continuity.

Identifying risks early in the asset identification process allows organizations to proactively address vulnerabilities, ensuring that subsequent steps in the ISMS implementation, like risk assessment and the development of control measures, are well-informed and targeted. Here's how we can delve deeper into this crucial aspect:

Questions to consider:

  • What specific threats have we identified in the past related to each asset, and how might emerging threats impact these assets moving forward?
  • Considering the criticality of each asset, what potential vulnerabilities could be exploited, and what would be the consequences of such incidents?
  • How have changes in our business operations, technology, or external environment introduced new risks to our assets, and how are we monitoring these changes?
  • Can you identify any dependencies between assets that might compound risks or introduce new vulnerabilities?

Deliverable:

  • Update to​ the internal and external issues identified during the previous steps

5. Confirmation by Top Management

The last step in solidifying your organization's commitment to its Information Security Management System (ISMS) is obtaining formal approval from top management. This step is about making sure that the leaders of your organization are fully on board with the primary/supporting asset matrix, the detailed RACI chart, and the related risks that are known to the company. It's not just about ticking a box; it's about ensuring that the people at the top understand and support the foundation you've built for your organization's security posture.

Deliverable:

  • Formal ​confirmation on the identified assets, their business requirements and the related responsibilities

Conclusion

We've now established a comprehensive framework for managing our assets, crucial for building our Information Security Management System (ISMS). Through detailed discussions, we've identified our primary and supporting assets, understanding not just their value but also the roles various team members play in their management, thanks to the RACI methodology. 

As we wrap up this preparation phase of our ISMS, it's clear that the engagement and confirmation from top management are not just formalities. They're essential in ensuring that our ISMS has the support and understanding it needs at every level of the organization. This backing is what will drive the ISMS's success, aligning our security measures with our broader business objectives.

Moving Towards Risk Assessment

Our next step is to dive deeper into Risk Assessment. This phase is where we'll evaluate the threats, vulnerabilities and impacts facing our assets in more detail, developing strategies to mitigate identified risks. It's a critical process that will further refine our ISMS, tailoring it to our organization's specific needs and ensuring that we're not just compliant with ISO 27001 but also genuinely protected against the evolving landscape of information security threats.

Stay tuned as we take this next step, armed with a solid understanding of our assets and the foundation we've built together. The path to ISO 27001 certification is complex, but with each phase, we're building a stronger, more secure future for our organization.


Start for free now! 

Streamline your GRC work using our all-in-one management solution and get access to our network of local specialists

Start your free account

Building an effective ISMS - Part 1: Setting the stage