ISO 27001 Control 5.10 Acceptable Use of Information and Other Associated Assets

Developing and Maintaining an Inventory of Information and Associated Assets

Maintaining an accurate and comprehensive inventory of information and associated assets is crucial for safeguarding an organisation’s security and operational efficiency. A well-managed inventory supports risk management, compliance, and effective decision-making by ensuring clear ownership and accountability. ISO 27001 Control 5.10, Acceptable Use of Information and Other Associated Assets, provides the guidance on how to approach this.

Purpose of an Asset Inventory

The primary goals of an inventory system are to:

  • Identify and document critical organisational assets.
  • Safeguard these assets by applying appropriate security measures.
  • Assign and enforce ownership responsibilities to maintain accountability.

Essential Guidelines for Asset Inventory Management

1. Identifying and Documenting Assets

Organisations should:

  • Identify all assets crucial to operations, including information assets, hardware, software, and physical infrastructure.
  • Maintain documentation of these assets in a centralised or distributed inventory system.

Examples of asset types include:

  • Information assets: Data, reports, and documents.
  • Hardware: Servers, laptops, mobile devices.
  • Software: Applications, licenses, and virtual machines (VMs).
  • Facilities: Buildings, power supplies, and cooling systems.
  • Personnel: Skills, roles, and records.

2. Ensuring Inventory Accuracy and Consistency

To maintain reliability:

  • Conduct regular audits to validate asset information.
  • Automate updates during asset installation, modification, or decommissioning.
  • Record asset locations where appropriate.

Where asset categories differ in how they are managed, splitting the inventory into sub-inventories (one per category) allows specialised handling and more detailed oversight, provided each sub-inventory is kept consistent with the whole.

3. Asset Classification

Assets should be categorised based on:

  • Sensitivity: Align classifications with confidentiality, integrity, and availability requirements.
  • Relevance: Regularly review and update classifications to reflect organisational and environmental changes.

Ownership and Accountability in Asset Management

1. Assigning Ownership

Ownership must be designated when assets are created, acquired, or transferred. Clear ownership ensures:

  • Effective lifecycle management.
  • Accountability for asset security and compliance.

Timely reassignment of ownership is essential when personnel transition roles or leave the organisation.

2. Responsibilities of Asset Owners

Owners are responsible for:

  • Keeping inventories up to date.
  • Ensuring accurate asset classification and protection.
  • Overseeing associated components, such as databases and software.
  • Establishing acceptable use guidelines for assigned assets.
  • Managing access controls and ensuring periodic reviews.
  • Handling secure disposal of assets and updating the inventory accordingly.
  • Identifying and mitigating risks associated with their assets.
  • Providing necessary guidance to personnel managing these assets.

Integrating Asset Inventories into Organisational Processes

1. Supporting Security and Compliance

An accurate inventory enables:

  • Effective risk management by identifying vulnerabilities.
  • Smooth audits and regulatory compliance.
  • Improved incident response and recovery through visibility into asset dependencies.

2. Delegating Tasks Without Losing Accountability

Tasks such as maintenance or monitoring can be delegated to custodians, but ultimate accountability remains with the designated asset owner.

3. Grouping Assets for Service Delivery

Where multiple assets support a single service, group them under the responsibility of the service owner, ensuring seamless performance and security.
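As an added illustration (not part of the original page or of the standard itself), the following Python script runs the accuracy and ownership checks described above over a constructed inventory: reconciling registered assets against a discovered-asset list, flagging owners who have left, flagging unclassified assets, and grouping assets under the service they support. The asset records, the personnel set and the discovered-asset set are all assumed sample data.

```python
# Added example: a minimal inventory audit implementing the checks described
# above. All assets, personnel and "discovered" assets are constructed data.
from dataclasses import dataclass

@dataclass
class Asset:
    asset_id: str
    kind: str            # information, hardware, software, facility
    owner: str           # accountable owner (not the custodian)
    classification: str  # e.g. public / internal / confidential
    service: str         # service this asset supports

# Constructed inventory: note the blank classification and the departed owner.
INVENTORY = [
    Asset("srv-01", "hardware", "alice", "confidential", "payroll"),
    Asset("db-payroll", "information", "alice", "confidential", "payroll"),
    Asset("vm-web-07", "software", "bob", "", "website"),
    Asset("lt-0042", "hardware", "carol", "internal", "endpoint"),
]
ACTIVE_PERSONNEL = {"alice", "bob"}                # carol has left the organisation
DISCOVERED = {"srv-01", "db-payroll", "vm-web-07", "vm-web-08"}  # e.g. scanner export

def audit_inventory(inventory, discovered, active_personnel):
    """Return findings keyed by check; an empty dict means the audit is clean."""
    known = {a.asset_id for a in inventory}
    findings = {
        # Seen on the network but never registered: unmanaged and unowned.
        "unregistered": sorted(discovered - known),
        # Registered but no longer seen: possibly decommissioned without update.
        "stale": sorted(known - discovered),
        # Owner has left: ownership must be reassigned promptly.
        "reassign_owner": sorted(a.asset_id for a in inventory
                                 if a.owner not in active_personnel),
        # Classification drives protection; blank means no requirement recorded.
        "unclassified": sorted(a.asset_id for a in inventory if not a.classification),
    }
    return {check: ids for check, ids in findings.items() if ids}

def group_by_service(inventory):
    """Group asset ids under the service they support (the service-owner view)."""
    groups = {}
    for a in inventory:
        groups.setdefault(a.service, []).append(a.asset_id)
    return groups

if __name__ == "__main__":
    for check, ids in audit_inventory(INVENTORY, DISCOVERED, ACTIVE_PERSONNEL).items():
        print(f"{check}: {', '.join(ids)}")
    print(group_by_service(INVENTORY))
```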

Leveraging Standards for Enhanced Asset Management

Organisations can benefit from international standards, including:

  • ISO/IEC 19770-1: Focuses on IT asset management.
  • ISO 55001: Provides additional insights into overall asset management.

FAQs

What is the goal of Control 5.10 in ISO 27001?

This control ensures that employees, contractors, and third parties understand and follow the rules for how to use information, systems, and other company assets responsibly and securely.

What is considered an “associated asset”?

Associated assets include:

– Laptops, mobile phones, USB drives
– Software and email systems
– Network resources
– Data and documents
– Internet and cloud-based tools

Anything used to create, process, store, or transmit information falls under this.

What should an acceptable use policy include?

A good policy typically covers:

– Permitted and prohibited uses (e.g., no personal software installations)
– Rules for internet, email, and social media use
– Guidance on protecting data and devices
– Consequences for policy violations
– Reporting of lost devices or suspected misuse

Who needs to follow the acceptable use policy?

Everyone who uses your organization’s information or IT assets, including:

– Full-time employees
– Contractors and consultants
– Temporary workers
– Third-party service providers (where applicable)

Why is this control important for security and compliance?

Clear acceptable use rules help:

– Reduce the risk of accidental data leaks or malware infections
– Support legal and regulatory compliance
– Ensure everyone understands their responsibility in protecting information
– Build a security-aware culture across the organization

Conclusion

An effective inventory system is indispensable for maintaining organisational security, operational efficiency, and regulatory compliance. By implementing ISO 27001 control 5.10 and identifying assets, assigning ownership, and integrating inventory management into broader organisational processes, businesses can ensure the resilience and protection of their critical resources.