ISO 27001 is an international standard that focuses on information security. This standard guides the establishment, implementation, maintenance, and continuous improvement of an information security management system (ISMS). To achieve compliance, you need to:
- Understand what data assets you hold, their value, and who the asset owners are
- Effectively prioritize security controls and processes
- Properly protect your critical assets, including their confidentiality, integrity and availability (the CIA triad)
- Implement risk management by assessing the value of your data and the impact if specific data is lost, misused or compromised
The standard is voluntary, but companies around the globe choose to follow it. The requirements are appropriate for organizations of any size across all industries, particularly in today’s data-rich yet risky environment. Complying with ISO 27001 shows auditors and customers that a company has appropriate levels of protection in place for its valuable information. It also helps companies comply with legal requirements, achieve a competitive advantage, improve productivity and reduce costs.
ISO 27001 is divided into annexes to address specific areas. In this article we will explore the key requirements of Annex A.8, which regulates asset management.
Annex A.8: Asset Management
Annex A.8 specifies the types of controls organizations need to implement in order to ensure accurate identification of information security assets, designate responsibility for security, and ensure data assets are protected based on their classification levels. The controls defined by the regulation that are divided into technical, organizational, legal, physical and human resource controls.
Note that ISO 27001 does not specify an exact list of sensitive assets; your organization makes that decision using its best judgment.
The annex is broken into three main subparts, which are described briefly below. Then we will take a deeper dive into the second subpart, which concerns data classification.
A.8.1 Responsibility for Assets
The objective of A.8.1 is to identify the data assets that are within the scope for the ISMS and to define protection responsibilities. Run a discovery to identify all information assets within your organization, such as paper records, digital files, removable devices and email. Then create an asset registry. For each asset, assign a data owner the responsibility of protecting it.
A.8.2 Classification of Assets
Classifying your assets is one of the most important steps you can take to secure your data properly and make it accessible to those who need it. Classification enables you to protect each asset at the appropriate security level: You expend fewer resources on less sensitive data and provide strong protection for your most sensitive assets.
A.8.3 Procedures for Media Devices
Subpart A.8.3 is designed to help organizations prevent the unauthorized disclosure, modification, removal or destruction of information stored on removable media, such as thumb drives, CD-ROMs and detachable hard drives. It also includes controls for the proper disposal or transfer of these media to protect against data breaches, such as using authorized couriers and safe packaging and keeping a log of all data content and its level of protection.
A Deeper Dive into Annex A.8.2: Information Classification
As discussed above, Annex A.8.2 covers classifying data and labeling each asset according to its sensitivity or importance to your organization, so that you can implement appropriate protections (such as access restrictions) based on those levels. Here are the subparts of Annex A.8.2.
A.8.2.1 Classification of Information
The ideal information classification scheme is one that reflects business activity, rather than inhibiting or complicating it. Build your scheme according to your data’s sensitivity, legal requirements, criticality and value, so you can give each asset an appropriate level of protection.
Most companies begin with just three or four categories. For example, the classification scheme for the University of Bath in the United Kingdom sorts information into these groups:
- Highly restricted — Requires significant security measures with strictly controlled and limited access.
- Restricted — Requires security measures and limited access but not significant or strictly controlled.
- Internal use — Requires no additional protection.
An example of a classification scheme with four categories is confidential, restricted, internal and public.
A.8.2.2 Labeling of Data
Both physical and electronic assets should be labeled with their categories. Labels should be easy to manage so that employees will use them appropriately. For instance, you can label paper documents by stamping them as “secret” or “confidential.” Electronic data is typically labeled using metadata.
A.8.2.3 Handling of Data
Data handling refers to how the data may be used and who may use it. For example, you can decide that certain data assets can be read but not copied by certain groups of users.
There are multiple controls for enforcing data handling policies. You might require your most sensitive assets to be encrypted so that only individuals with a particular clearance can open it. Important physical assets can be kept in a locked cabinet or safe. Procedures for media devices should comply with A.8.2.3.
How Netwrix Can Help
- Discover and classify data across your various repositories.
- Identify security gaps through continuous risk assessment
- Detect anomalous activity
- Quickly spot and investigate threat patterns
- Establish strong data access governance
Even better, the platform supports both on-premises and cloud data systems, and both structured and unstructured data.