What is Annex A:8?
The A:8 clause of Annex A inside ISO 27001 is all about managing your business’s assets. It lists a set of valuable requirements for any business to meet in order to maintain a robust information security system. The objective in this Annex 8 is to identify information assets in scope for the management system and it’s accountability. Such organizations should recognize that all assets will need to be managed in an integrated and universal manner. For example
- Human assets: the behaviors, knowledge, and competence of the workforce have a fundamental influence on the performance of the physical assets.
- Financial assets: financial resources are required for infrastructure investments, operation, maintenance and materials;
- Information assets: good quality data and information are essential to develop, optimize and implement the asset management plan.
- Intangible assets: the organization’s reputation and image can have a significant impact on infrastructure investment, operating strategies and associated costs.
A.8.1.1 Inventory of Assets
An organization should identify assets relevant in the lifecycle of information and document their importance. The lifecycle of information should include creation, processing, storage, transmission. deletion and destruction. Documentation should be maintained in dedicated or existing inventories as appropriate. The asset inventory should be accurate, up to date, consistent and aligned with other inventories. For each of the identiﬁed assets, ownership of the asset should be assigned and the classification should be identified. The process of compiling an inventory of assets is an important prerequisite of risk management
A.8.1.2 Ownership of Assets
Individuals, as well as other entities having approved management responsibility for the asset lifecycle, qualify to be assigned as asset owners. A process to ensure timely assignment of asset ownership is usually implemented. Ownership should be assigned when assets are created or when assets are transferred to the organization. The asset owner should be responsible for the proper management of an asset over the whole asset lifecycle. The asset owner should:
- ensure that assets are inventoried.
- ensure that assets are appropriately classiﬁed and protected.
- define and periodically review access restrictions and classifications to important assets, taking into account applicable access control policies.
- ensure proper handling when the asset is deleted or destroyed..
A.8.1.3 Acceptable use of assets
Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented.
Employees and external party users using or having access to the organization’s assets should be made aware of the information security requirements of the organization‘s assets associated with information and information processing facilities and resources. They should be responsible for their use of any information processing resources-and of any such use carried out under their responsibility.
A.8.1.4 Return of assets
All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
The termination process should be formalized to include the return of all previously issued physical and electronic assets owned by or entrusted to the organization. In cases where an employee or external party user purchase the organization’s equipment or uses their own personal equipment, procedures should be followed to ensure that all relevant information is transferred to the organization and securely erased from the equipment. In cases where an employee or external party user has knowledge that is important to ongoing operations that information should be documented and transferred to the organization.
A.8.2 Information classiﬁcation
To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
Classiﬁcations and associated protective controls for information should take account of business needs for sharing or restricting information, as well as legal requirements. Owners of information assets should be accountable for their classification. The classification should be included in the organization’s processes, and be consistent and coherent across the organization. An example of an information confidentiality classification scheme could be based on four levels as follows:
a) disclosure causes no harm;
b) disclosure causes minor embarrassment or minor operational inconvenience;
c) disclosure has a significant short term impact on operations or tactical objectives;
d) disclosure has a serious impact on long term strategic objectives or puts the survival of the organization at risk.
A.8.2.2 Labelling of information
Procedures for information labeling need to cover information and its related assets in physical and electronic formats. The labeling should reflect the classiﬁcation scheme established in 8.2.1. The labels should be easily recognizable. The procedures should give guidance on where and how labels are attached in consideration of how the information is accessed or the assets are handled depending on the types of media. Classified assets are easier to identify and accordingly to steal by insiders or external attackers.
A.8.2.3 Handling of assets Control:
Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization.
Procedures should be drawn up for handling processing, storing and communicating information consistent with its classification. The following items should be considered:
- access restrictions supporting the protection requirements for each level of classification
- maintenance of a formal record of the authorized recipients of assets
- protection of temporary or permanent copies of information to a level consistent with the protection of the original information
- storage of IT assets in accordance with manufacturers’ specifications;
- clear marking of all copies of media for the attention of the authorized recipient.
A.8.3 Media handling
To prevent unauthorized disclosure, modiﬁcation, removal or destruction of information stored on media.
A.8.3.1 Management of removable
Procedures should be implemented for the management of removable media in accordance with the classiﬁcation scheme adopted by the organization. The following guidelines for the management of removable media should be considered:
- if no longer required, the contents of any re-usable media that are to be removed from the organization should be made unrecoverable.
- where necessary and practical, authorization should be required for media removed from the organization and a record of such removals should be kept in order to maintain an audit trail.
- all media should be stored in a safe, secure environment, in accordance with manufacturers’ speciﬁcations.
- if data confidentiality or integrity are important considerations. cryptographic techniques should be used to protect data on removable media.
- to mitigate the risk of media degrading while stored data are still needed, the data should be transferred to fresh media before becoming unreadable.
- multiple copies of valuable data should be stored on separate media to further reduce the risk of coincidental data damage or loss.
- registration of removable media should be considered to limit the opportunity for data loss.
- removable media drives should only be enabled if there is a business reason for doing so.
- where there is a need muse removable media the transfer of information to such media should be monitored.
Procedures and authorization levels should be documented.
A.8.3.2 Disposal of media
Media should be disposed of securely when no longer required, using formal procedures. The procedures for the secure disposal of media containing confidential information should be proportional to the sensitivity of that information. The following items should be considered:
- media containing confidential information should be stored and disposed of securely. e.g. by incineration or shredding. or erasure of data for use by another application within the organization;
- procedures should be in place to identify the items that might require secure disposal;
- it may be easier to arrange for all media items to be collected and disposed of securely, rather than attempting to separate out the sensitive items;
- many organizations offer collection and disposal services for media; care should be taken in selecting a suitable external party with adequate controls and experience;
- disposal of sensitive items should be logged in order to maintain an audit trail.
A.8.3.3 Physical media transfer:
Media containing information should be protected against unauthorized access, misuse or corruption during transportation. The following guidelines should be considered to protect media containing the information being transported:
- reliable transport or couriers should be used
- a list of authorized couriers should be agreed with management.
- procedures to verify the identiﬁcation of couriers should be developed.
- packaging should be sufficient to protect the contents from any physical damage likely to arise during transit and in accordance with any manufacturers‘ speciﬁcations,
- logs should be kept, identifying the content of the media, the protection applied as well as recording the times of transfer to the transit custodians and receipt at the destination.
- Click here for a full break-down of the ISO 27001 standard