An essential part of most management systems is detailed asset management that includes the business requirements of each asset. As you might have discovered already, our Inventory overview helps you with this by providing a general asset inventory. On the asset management page we help you document some additional details of your assets, while distinguishing between your primary and supporting assets.
Primary assets are your core services/processes/data that are critical to your business. Any impact on these assets will have a significant financial or reputational impact on your business, so they must be protected accordingly.
Supporting assets are those assets that support the primary asset, and could have an impact on the primary asset if they are interrupted in some way.
Using our asset management page, you can document your primary assets and their responsible/accountable people, supporting assets, business requirements and related risks.
- This column shows the primary asset name (by clicking on the name, the related document opens as a popup)
- This column shows the asset responsible (daily ownership) for the primary asset (by clicking on the name, the related document opens as a popup)
- This column shows the asset accountable (who takes ownership if a situation occurs) for the primary asset (by clicking on the name, the related document opens as a popup)
- The data shown in this column is auto-generated based on the documents linked to the primary asset (on the add/edit primary assets screen you can modify which document types are shown in this column). By clicking on one of the supporting assets, the related document will open
- This checkbox loads additional risk information (risk document properties and last reading) and adds a color to the different risks (once this is loaded, you can sort on Related risks)
- This is a free text field that defines the different business requirements of the primary asset (e.g. RTO, RPO, ...). You can find more details on this in the section Business requirements below.
- The text you type will quickly filter the list based on the following fields: primary asset name, asset responsible/accountable or the supporting asset
- The data shown in this column is auto-generated based on the documents linked to the primary asset (on the add/edit primary assets screen you can modify which document types are shown in this column). By clicking on one of the risks, the related document will open
- This button's purpose is described in more detail under the "Add/edit primary assets" section below
- Here you can configure which columns of the table should be shown and export the list to Excel
- Here you can either update the settings as described in Add/edit primary assets, or remove the primary asset from this screen (the document itself will not be removed)
Add/edit primary assets
When you click on the "Add Primary Asset" button, you will be asked to provide the primary asset name. When you type a name, it will search for existing documents with a similar name in your Workspace that can be added as "Primary asset" using the LINK dropdown. When using existing documents, the supporting assets and related risks will automatically be collected and filled in based on the linked documents of the selected document.
If you select CREATE, you will be shown an additional screen where you can define the document type, the title and other details related to the document type (similar to when you create any document).
Remember that this document is created in the folder you are currently in (which could be your personal INBOX). Later you can simply move it to another folder where it makes sense.
The next screen will allow you to configure all the details of your primary asset. The same screen will be shown if you click the update primary asset (L) on the primary asset list screen.
- This is the primary asset document you just created (or linked to)
- Here you can search for any document of type Employee, Consultant, Intern, Role (or create a new one) that will be responsible for the primary asset
- Here you can search for any document of type Employee, Consultant, Intern, Role (or create a new one) that will be accountable for the primary asset
- This filter allows you to configure which document types are automatically linked as "Supporting asset" based on linked documents already present on the primary asset
- Here you can still manually add/modify the supporting assets
- This is a free text field for which we give some additional guidance on the Business requirement section below
- This filter allows you to configure which document types are automatically linked as "Related risks" based on linked documents already present on the primary asset
- Here you can still manually add/modify the related risks
Documents you link using the above screen will also appear as linked documents on the corresponding documents (making them a dependency).
The filters configured in (4) and (7) are global and apply to all primary assets (not only to the current primary asset).
These requirements can be different depending on the management system you are trying to implement. Here we give an example of typical requirements for ISO27001 assets. You will typically need to organize workgroups with the different people accountable for the assets (owners) to fully understand the requirements.
This defines the level of discretion/privacy that is required for the primary asset (and therefore its supporting assets).
e.g. The personal data may not be accessed by unauthorised users
This defines the level of integrity (or accuracy and completeness of data/information/process) that is required for the primary asset (and therefore its supporting assets)
e.g. The databases used for this service must ensure transactional accuracy
This defines the level of availability (having access when needed) that is required for the primary asset (and therefore its supporting assets)
e.g. The servers serving this process must be able to survive the full outage of 1/3 data centers
This defines the level of proof (documented evidence) that is required for the primary asset (and therefore its supporting assets)
e.g. The financial regulator requires that we store daily records of all transactions for this process
The recovery time objective (RTO) is the maximum acceptable time that an application, computer, network, or system can be down after an unexpected incident (disaster, failure, or comparable event) takes place.
e.g. Our SLA requires that this service is online again after 30min, otherwise this will be very costly to our company
The recovery point objective (RPO) is defined as the maximum amount of data – as measured by time – that can be lost after a recovery from an incident (disaster, failure, or comparable event) before data loss will exceed what is acceptable to an organization.
e.g. If we cannot restore data from at least 24h before the disaster, it will be fatal to our company
These can be specific requirements to the primary asset bound to geography, type of processing, type of data, ...
e.g. All processing of European data subjects is subject to GDPR regulation
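The requirements above apply to a primary asset "and therefore its supporting assets". The following added example (not part of the product or its documentation) shows one way to derive what each supporting asset must meet when it is shared by several primary assets, and to flag recovery figures that fall short. The low/medium/high scale, the strictest-wins rule, the asset names and the measured values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed rating scale, not from the page

@dataclass(frozen=True)
class Requirements:
    confidentiality: str
    integrity: str
    availability: str
    rto_minutes: int  # maximum acceptable downtime
    rpo_minutes: int  # maximum acceptable data-loss window

def _higher(x, y):
    """Return the stricter of two level names."""
    return x if LEVELS[x] >= LEVELS[y] else y

def stricter(a, b):
    """Combine two requirement sets, keeping the stricter value of each field."""
    return Requirements(
        _higher(a.confidentiality, b.confidentiality),
        _higher(a.integrity, b.integrity),
        _higher(a.availability, b.availability),
        min(a.rto_minutes, b.rto_minutes),
        min(a.rpo_minutes, b.rpo_minutes),
    )

def inherit(primary_assets):
    """Map each supporting asset to the strictest requirements it inherits."""
    result = {}
    for reqs, supporting in primary_assets.values():
        for name in supporting:
            result[name] = stricter(result[name], reqs) if name in result else reqs
    return result

def gaps(inherited, actual):
    """List (asset, objective, measured, required) where measured exceeds required."""
    findings = []
    for name, req in sorted(inherited.items()):
        rto, rpo = actual[name]
        if rto > req.rto_minutes:
            findings.append((name, "RTO", rto, req.rto_minutes))
        if rpo > req.rpo_minutes:
            findings.append((name, "RPO", rpo, req.rpo_minutes))
    return findings

# Constructed sample data: primary asset -> (requirements, supporting assets)
PRIMARY = {
    "Payment service": (Requirements("high", "high", "high", 30, 60), ["db-cluster", "api-gateway"]),
    "Internal wiki": (Requirements("low", "medium", "low", 480, 1440), ["db-cluster", "wiki-vm"]),
}
# Constructed measurements: asset -> (tested restore minutes, backup interval minutes)
ACTUAL = {"db-cluster": (45, 15), "api-gateway": (10, 0), "wiki-vm": (240, 2880)}
```

Calling `gaps(inherit(PRIMARY), ACTUAL)` returns the supporting assets whose tested restore time or backup interval does not meet the inherited RTO or RPO.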