ISO 27001 controls: What is Annex A:8?

What is Annex A:8?

The A:8 clause of Annex A in ISO 27001 focuses on managing your business’s assets. It outlines a set of valuable requirements that any business must meet to maintain a robust information security system. The objective of Annex A:8 is to identify information assets within the management system’s scope and ensure accountability. Organisations should recognise that all assets need to be managed in an integrated and universal manner. For example:

• Human assets: The behaviours, knowledge, and competence of the workforce fundamentally influence the performance of physical assets.
• Financial assets: Financial resources are required for infrastructure investments, operation, maintenance, and materials.
• Information assets: Good quality data and information are essential to developing, optimising, and implementing the asset management plan.
• Intangible assets: The organisation’s reputation and image can significantly impact infrastructure investment, operating strategies, and associated costs.

A.8.1.1 Inventory of assets

An organisation should identify assets relevant to the lifecycle of information and document their importance. The lifecycle of information includes creation, processing, storage, transmission, deletion, and destruction. Documentation should be maintained in dedicated or existing inventories as appropriate. The asset inventory should be accurate, up to date, consistent, and aligned with other inventories. For each identified asset, ownership should be assigned and the classification identified. Compiling an inventory of assets is a crucial prerequisite for risk management.

A.8.1.2 Ownership of assets

Individuals or entities with approved management responsibility for the asset lifecycle qualify to be assigned as asset owners. A process to ensure timely assignment of asset ownership is usually implemented. Ownership should be assigned when assets are created or transferred to the organisation. The asset owner should be responsible for the proper management of an asset throughout its lifecycle. The asset owner should:

• Ensure that assets are inventoried.
• Ensure that assets are appropriately classified and protected.
• Define and periodically review access restrictions and classifications for important assets, taking into account applicable access control policies.
• Ensure proper handling when the asset is deleted or destroyed.

A.8.1.3 Acceptable use of assets

Rules for the acceptable use of information and assets associated with information and information processing facilities should be identified, documented, and implemented.

Employees and external party users who use or have access to the organisation’s assets should be made aware of the information security requirements. They should be responsible for their use of any information processing resources and any such use carried out under their responsibility.

A.8.1.4 Return of assets

All employees and external party users should return all organisational assets in their possession upon termination of their employment, contract, or agreement.

The termination process should be formalised to include the return of all previously issued physical and electronic assets owned by or entrusted to the organisation. In cases where an employee or external party user purchases the organisation’s equipment or uses their own personal equipment, procedures should ensure all relevant information is transferred to the organisation and securely erased from the equipment. Important knowledge for ongoing operations should be documented and transferred to the organisation.

A.8.2 Information classification

To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.

Classifications and associated protective controls for information should consider business needs for sharing or restricting information, as well as legal requirements. Owners of information assets should be accountable for their classification. The classification should be included in the organisation’s processes, consistent and coherent across the organisation. An example of an information confidentiality classification scheme could be based on four levels:

a) Disclosure causes no harm. b) Disclosure causes minor embarrassment or minor operational inconvenience. c) Disclosure has a significant short-term impact on operations or tactical objectives. d) Disclosure has a serious impact on long-term strategic objectives or puts the organisation’s survival at risk.

A.8.2.2 Labelling of information

Procedures for information labelling need to cover information and its related assets in physical and electronic formats. The labelling should reflect the classification scheme established in A.8.2.1. The labels should be easily recognisable. Procedures should provide guidance on where and how labels are attached, considering how the information is accessed or the assets are handled depending on the types of media. Classified assets are easier to identify and accordingly, to steal by insiders or external attackers.

A.8.2.3 Handling of assets control

Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organisation.

Procedures should be drawn up for handling, processing, storing, and communicating information consistent with its classification. The following items should be considered:

• Access restrictions supporting the protection requirements for each level of classification.
• Maintenance of a formal record of the authorised recipients of assets.
• Protection of temporary or permanent copies of information to a level consistent with the protection of the original information.
• Storage of IT assets in accordance with manufacturers’ specifications.
• Clear marking of all copies of media for the attention of the authorised recipient.

A.8.3 Media handling

To prevent unauthorised disclosure, modification, removal, or destruction of information stored on media.

A.8.3.1 Management of removable media

Procedures should be implemented for managing removable media in accordance with the classification scheme adopted by the organisation. The following guidelines should be considered:

• If no longer required, the contents of any reusable media to be removed from the organisation should be made unrecoverable.
• Where necessary and practical, authorisation should be required for media removed from the organisation, and a record of such removals should be kept to maintain an audit trail.
• All media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications.
• If data confidentiality or integrity are important considerations, cryptographic techniques should be used to protect data on removable media.
• To mitigate the risk of media degrading while stored, data should be transferred to fresh media before becoming unreadable.
• Multiple copies of valuable data should be stored on separate media to reduce the risk of coincidental data damage or loss.
• Registration of removable media should be considered to limit the opportunity for data loss.
• Removable media drives should only be enabled if there is a business reason for doing so.
• Where there is a need to use removable media, the transfer of information to such media should be monitored.
• Procedures and authorisation levels should be documented.

A.8.3.2 Disposal of media

Media should be disposed of securely when no longer required, using formal procedures. The procedures for the secure disposal of media containing confidential information should be proportional to the sensitivity of that information. The following items should be considered:

• Media containing confidential information should be stored and disposed of securely, e.g., by incineration or shredding, or erasure of data for use by another application within the organisation.
• Procedures should be in place to identify items that might require secure disposal.
• It may be easier to arrange for all media items to be collected and disposed of securely rather than separating out sensitive items.
• Many organisations offer collection and disposal services for media; care should be taken in selecting a suitable external party with adequate controls and experience.
• Disposal of sensitive items should be logged to maintain an audit trail.

A.8.3.3 Physical media transfer

Media containing information should be protected against unauthorised access, misuse, or corruption during transportation. The following guidelines should be considered to protect media containing information being transported:

• Reliable transport or couriers should be used.
• A list of authorised couriers should be agreed with management.
• Procedures to verify the identification of couriers should be developed.
• Packaging should be sufficient to protect the contents from any physical damage likely to arise during transit and in accordance with any manufacturers’ specifications.
• Logs should be kept, identifying the content of the media, the protection applied, as well as recording the times of transfer to the transit custodians and receipt at the destination.

For more guidance and support on achieving ISO 27001 certification and understanding Annex A:8, contact Citation Certification today. We provide comprehensive support and training to help your organisation meet all necessary requirements and achieve compliance with ISO 27001 standards.