Responsibility for assets
The objective of this category is to achieve and maintain
appropriate protection of organizational assets.
Inventory of assets • All significant
assets should be clearly identified and accounted for in an
inventory listing, and have assigned owners (controllers) who are
responsible for their appropriate protection. Control
includes listings of:
- type of asset, including specification of make/model/format,
creation/manufacture date and any other information necessary
to specify type;
- assigned owner;
- location (logical or physical location, range of physical
locations if portable);
- backup information (if appropriate);
- license information (if appropriate);
- business value, security classification and level of protection;
- any additional data necessary to allow recovery from a
disaster or otherwise assure continuity.
Asset types subject to this control may include, depending
on organizational requirements:
- information in databases or data files, systems documentation,
contracts or agreements, research information, user
manuals, training materials, operational or support procedures;
- software assets, including application and system software,
development tools and utilities;
- physical assets, including computer and communications
equipment, fixed location and removable storage media;
- services, including general utilities like HVAC, lighting
and power supply;
- people, including their qualifications and experience;
- intangibles, such as reputation and image of the organization.
Authorities: ISO-27002:2005 7.1.1.
Ownership of assets • All information
and assets associated with information processing facilities should
be "owned" by a designated part of the organization. Control includes:
- asset owner responsibilities for ensuring appropriate
classification of and information on each owned asset; and
- definition and periodic review of access restrictions
and other controls associated with the asset.
Authorities: ISO-27002:2005 7.1.2.
Acceptable use of assets • Rules
for the acceptable use of information and other assets associated
with information processing facilities should be identified,
documented and implemented. Control includes:
- guidelines/rules for use of services (e.g., email,
- guidelines/rules for use of on-site systems and devices;
- guidelines/rules for mobile devices and non-mobile devices
used off-site; and
- asset users' awareness of these guidelines/rules, including
an appropriate educational program.
Authorities: ISO-27002:2005 7.1.3.
Control objective: To ensure that information
receives an appropriate level of protection.
Classification guidelines • Information
and information processing facilities should be classified
in terms of value and criticality to the organization, sensitivity
and legal requirements. Control includes:
- assigning responsibility to the asset owner or other
appropriate party for making this classification;
- periodic review to ensure that classifications
appropriately reflect business needs, legal-regulatory-certificatory
requirements and balance confidentiality-integrity-availability
concerns against other goals.
Authorities: ISO-27002:2005 7.2.1.
Information labelling and handling •
An appropriate set of procedures for information labelling
and handling should be developed by each information owner,
and implemented in accordance with the classification scheme(s)
adopted by the organization. Control includes:
- classifications that cover information in all forms and
- procedures for chain of custody;
- procedures for logging and reporting relevant
security incidents and events.
Authorities: ISO-27002:2005 7.2.2.