# Asset Register

## Workshop to Produce an Asset Register for an SME

*I originally contributed this workshop to the iso27001security forum's ISMS handbook for SMEs. It was contributed to them wholly and so belongs to the forum.*

An asset register is an up-to-date, maintained account of everything you deem useful that you also own or control. It's vital because understanding the different parts that make up an organisation is akin to understanding the shape and perimeter of the organisation (what is this thing actually made of?). When we sit down to protect our organisation, it's obvious that we can't protect what we can't 'see', and so it's vital that we feel comfortable identifying different types of assets (even if we're a micro and our Asset Register is a laptop and a smartphone!).

Assets aren't always physical, and larger organisations keep 'Information Asset Registers' that account for the non-physical, information-focused assets that make up their business. These can be as concrete as the financial records of the organisation, or as immaterial as its brand identity. In this sense, we are again ensuring we understand what the surface of our organisation is made up of so that we can make informed decisions about which controls will serve us best.

### Starting at your desk and zooming out to produce your first Asset Register

Use post-it notes, mind maps, or a pen-and-paper drawing if it helps you visualise as you work through the following prompts to bring your first asset register into being:

1. Try to visualise your organisation as a machine, and try to point at all the different parts and understand how they work. Start with what you use every day at your workspace: your laptop, your phone, your book of notes, your internet router. What helps you work every day?
2. Zoom out to your premises: your building, your car, apparatus or infrastructure for work. As we zoom out, keep track of all these non-human components that come together to build the organisation.
3. Now let's zoom out even further and make visible the relationships between the organisation and other parties, and the records or accounts that 'prove' work or wealth. These can be in the cloud or stored in the organisation. Here are some examples:
   - Contracts
   - Strategic data about research and development
   - Any databases that have information about the organisation or its clients in them
   - Software
4. Lastly, let's think about the real talent that exercises all these assets: you and your team! Your knowledge, acumen, and experience are all intangible information assets that lubricate this machine to work well over time.

Now we've zoomed out, if we can capture everything in this mental machine we've made, we'll have an asset register.

![[SME-Asset-Register-ZoomOut-Workshop.jpeg]]

### Building an Asset Register

While there are more creative options available, the easiest way to actually build an asset register once the exercise is complete is to place your findings in a spreadsheet. Remember that this needs effective version control, and needs to be tended to so that it remains an accurate representation of the organisation's assets over time.