ISO27001:2022 - Annex A 5.9 - What’s changed?
Tips & Tricks

How to stay compliant with the latest 2022 changes to the ISO27001 Annex A 5.9 - Inventory of Information and Other Associated Assets.

Written By: Mia Davis

Threats to your organisation’s privacy and security are continuously on the rise, and it is more vital than ever to ensure your organisation implements measures to combat them. ISO27001 lays out the requirements for implementing an effective information security management system (ISMS) within your organisation. With the introduction of the 2022 version of the standard, these requirements have been recategorised and further clarified. Annex A 5.9 is Inventory of Information and Other Associated Assets.

What is an asset register and why is this important?

Creating a register of all your organisation’s assets is crucial for its management, even outside of information security. In the context of information security, ensuring your assets are documented and classified based on their criticality and sensitivity is the first step in making sure you have the correct measures in place to safeguard your data and processes. You should be creating an inventory of not only your information assets, but also your physical assets and systems. This can help you to understand what assets you possess, their value to your organisation, and any potential risks associated with them.

An asset register should be constructed by identifying all your assets, ranging from physical devices such as servers and laptops to intangible assets like customer data and intellectual property. These assets should be categorised by type, assigned an asset owner, and have their criticality assessed. Other attributes should be documented too, such as, but not limited to, a description of the item, its business purpose, and when it was acquired and last reviewed.

Established asset registers should then be reviewed regularly and updated to reflect any changes in your organisation’s situation, such as recording new assets, decommissioned assets and systems, and changes in asset ownership. Keeping your asset registers up to date helps inform your risk management strategy so that it remains effective as your risk landscape changes.

What is Annex A 5.9?

Annex A 5.9 covers the inventory of information and other associated assets and, as the title suggests, expects your organisation to record its information assets and any other associated assets in dedicated registers. These assets should be categorised by type, have assigned asset owners, and be linked to mitigating controls. In this way, the control aims to safeguard assets and information by making sure your organisation has assessed what it owns and how important those assets are to its operations.

Registers should be kept up to date, accurate, and consistent with other inventories. They should be regularly reviewed and adjusted whenever changes occur within your organisation. This is especially important for risk management purposes, to ensure that all your assets have appropriate controls in place to prevent disaster; that is difficult to do if some assets aren’t recorded or their information is out of date!

Creating an asset register is crucial both for your own organisation’s benefit and for its compliance with multiple standards. One example of this requirement features in the NHS DSP Toolkit (Data Security and Protection Toolkit), a self-assessment tool that must be completed by any organisation that wishes to access NHS data or systems. Keeping an inventory of your assets is one of its requirements, stated in evidence item 1.1.2, which requires information assets to be documented in an up-to-date and regularly reviewed register. This also overlaps with evidence item 1.1.4, which additionally requires hardware and software assets to be identified, documented, classified, and approved.

So what’s changed?

ISO27002 is a standard closely aligned to ISO27001 and is essentially guidance on how to effectively implement an ISMS to the ISO27001 standard. We can compare the changes in the ISO27002 guidance for each control to concretely ascertain what has changed in the ISO27001 version of the control. In terms of the 2013 standard, this control is a merging of Annex A 8.1.1, inventory of assets, and Annex A 8.1.2, ownership of assets.

As with all other controls, the introduction of the 2022 version of the standard consolidated and broadened the requirements to make implementation more user-friendly.

For example, when looking at the ownership of assets, the old guidelines state that for each asset the asset owner should be responsible for:

  • Inventorying all assets.
  • Classifying and protecting assets in a way suitable to their classification.
  • Defining and reviewing access restrictions and classifications for assets with respect to your organisation’s established access control policies.
  • Deleting and destroying assets with appropriate measures when required.

The new guidelines increase the list of ownership responsibilities to nine and expect asset owners to:

  • Take inventory of information and other associated assets.
  • Classify and protect assets in a way suitable to this classification.
  • Review the classification of assets regularly.
  • Ensure technology assets have their linked components listed, such as databases, storage systems, and software.
  • Define requirements for acceptable use of assets.
  • Put in place appropriate access restrictions for the asset’s classification. These measures should be reviewed regularly to ensure they remain effective.
  • Handle deleted and destroyed assets securely and remove them from the inventory.
  • Assist in identifying, mitigating, and reviewing risks tied to their assets.
  • Provide support to employees with roles and responsibilities tied to the information they manage.
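The attributes described above (type, owner, classification, criticality, acquisition and review dates, linked components) and the owner duties just listed lend themselves to automated checks over a register. The following is an added example, not code from Harpe or from the ISO standards: a minimal register model with a check that flags assets an auditor would question. The annual review interval and the sample assets are assumptions constructed for illustration.

```python
"""Minimal asset register with review-readiness checks (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Asset:
    name: str
    asset_type: str          # "physical", "information" or "system"
    owner: str               # every asset must have a named owner
    classification: str      # e.g. "public", "internal", "confidential"
    criticality: str         # e.g. "low", "medium", "high"
    acquired: date
    last_reviewed: date
    components: list = field(default_factory=list)  # linked DBs, storage, software
    decommissioned: bool = False


REVIEW_INTERVAL = timedelta(days=365)   # assumed annual review cycle


def register_issues(assets, today):
    """Return {asset name: [issue, ...]} for assets that would fail a review."""
    issues = {}
    for a in assets:
        found = []
        if a.decommissioned:
            found.append("decommissioned asset still in inventory")
        if not a.owner:
            found.append("no asset owner assigned")
        if today - a.last_reviewed > REVIEW_INTERVAL:
            found.append("review overdue")
        if a.asset_type == "system" and not a.components:
            found.append("system has no linked components recorded")
        if found:
            issues[a.name] = found
    return issues


# Constructed sample register: one clean entry, one orphaned and stale entry,
# one decommissioned system that was never removed from the inventory.
SAMPLE = [
    Asset("CRM database server", "system", "IT Ops", "confidential", "high",
          date(2021, 3, 1), date(2024, 2, 10), ["PostgreSQL", "SAN volume 3"]),
    Asset("Customer records", "information", "", "confidential", "high",
          date(2019, 6, 1), date(2023, 1, 5)),
    Asset("Old file server", "system", "IT Ops", "internal", "low",
          date(2015, 1, 1), date(2024, 1, 1), decommissioned=True),
]


def sample_report(today=date(2024, 6, 1)):
    """Run the checks over the constructed sample as of a fixed date."""
    return register_issues(SAMPLE, today)
```

Running `sample_report()` reports nothing for the CRM server, an unassigned owner and an overdue review for the customer records, and a decommissioned system with no linked components for the old file server.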

How Harpe can help you implement Annex A 5.9

Our security professionals have developed Harpe, a revolutionary tool to cover all your organisation’s security needs. Harpe is the best tool on the market to make compliance with important standards like Cyber Essentials and ISO27001 quick and hassle-free. Harpe features guidance for implementing ISO27001 to the updated 2022 standard with everything you need. Our in-app checklist takes you through every step to implement a robust and secure ISMS within the new requirements.

Harpe features a comprehensive register to keep track of your assets - physical assets, information assets, and systems. We provide all the fields you need to stay compliant with the latest security standards, and make recording your assets easy.

Enable automations to tell you when assets are due for review, and link this to your organisation’s Jira board to make sure important ISMS tasks are completed with a full audit trail!

With constant updates and fast support, there has never been a better time to chase an ISO27001:2022 certification with Harpe.
