A3. Asset management

Created:  28 Jan 2018
Updated:  28 Jan 2018

Principle

Everything required to deliver, maintain or support networks and information systems for essential services is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).

Description

In order to manage security risks to the network and information systems of essential services, organisations require a clear understanding of service dependencies. This understanding might include physical assets, software, data, essential staff and utilities. These should all be clearly identified and recorded so that it is possible to understand what things are important to the delivery of the essential service and why.

Guidance

Whichever risk management method your organisation uses, asset management will play a key role, as you cannot effectively manage risks without understanding which assets are part of the essential service. Your asset management regime should consider all relevant assets and the dependencies between them. Dependencies may be identified between assets under your organisation's control (including IT and OT domains), elements of the supply chain (including power), and key staff who are critical to operations. Assets in an operational technology environment may need a more tailored approach than corporate IT assets.

For asset management to be effective, up-to-date knowledge of your assets must be maintained throughout their lifecycle.

ISO 27001/2

Asset management is part of an ISO 27001 ISMS, but management of critical assets may require a tailored approach.

An Information Security Management System (ISMS) is a set of policies, procedures, and roles designed to ensure cyber security risks are identified and managed. Traditionally an ISMS is considered to be an information risk management system; however, it can also be used to manage cyber security risks to essential services.

If your organisation is using an ISMS as a tool for compliance with the NIS Directive, you must ensure the scope includes all systems relevant to the operation of essential services. Asset management is a key part of an ISMS, although critical services may need more attention than the minimum requirements of the standard. Further guidance is detailed in ISO 27002.

ISO 55001 - Asset Management

This standard aligns with ISO 27001 and can be used in conjunction with it or independently of it. It outlines requirements for a generic asset management system. An organisation following this standard as a tool for NIS compliance must ensure the scope encompasses critical systems. Section 4.2 covers the needs and expectations of stakeholders, which must include any requirements from competent authorities.

ITIL

ITIL best practice recommends a staged approach to IT asset management. You may find this useful for improving management of your IT assets, but must keep in mind that there may be assets and dependencies beyond the corporate IT domain as outlined above.

References

ISO 27001/2

ISO 55001 - Asset Management

ITIL
