A.8 Asset Management

A.8 Asset Management

Version: 3.0

Valid until: 2025-05-15

Classification: Low

Version Management


Version

Author(s)

Change(s)

Date approved

1.0

Stefan van Aalst

Edward Robinson

Initiation document

2022-07-07

1.1

Edward Robinson

Additions/changes as part of the periodic review and improvement.


Renamed to A.8 Asset Management.

2022-10-17

2.0Edward RobinsonAdditions/changes as part of the annual review.

Added links to the usage/loan agreement template.
2023-05-19
2.1
Edward Robinson
Additions/changes as part of the periodic review and improvement.

Replaced the links for the usage/loan agreement template and signed loan agreement.

Changes to A.8.1.4 to reflect new MDM possibilities.
2023-10-05
3.0
Edward Robinson
Additions/changes as part of the annual review.

Updated broken links for the Record of Processing Activities and Asset Overview.

Added the issuing and return of anDREa-managed devices + link to retention & destruction policy under 8.3.2

Purpose & background


In the interest of all the stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintain and continually improve an information management system in accordance with the requirements of the ISO 27001:2017.


The purpose of this document is to describe the asset management policy of anDREa and the associated controls, checks and administrations.


This document will be reviewed at least annually and when significant change happens.

Objectives


The objective of this control is:


  • To identify organisational assets and define appropriate protection responsibilities (A.8.1).

  • To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation (A.8.2).

  • To prevent unauthorised disclosure, modification, removal or destruction of information stored on media (A.8.3).

Scope


The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.8.1 Responsibility for assets

A.8.1.1 Inventory of assets


“Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up an maintained.”*


* According to the Oxford dictionary: asset, an item of property owned by a person or company, regarded as having value and available to meet debts, commitments, or legacies. anDREa, because it also uses many as-a-Service solutions, uses the following definition: asset, an item of property used by anDREa and for which anDREa is accountable or responsible.

All information processing assets used or managed by anDREa are registered in the Record of processing activities


A.8.1.2 Accountability for assets


“Assets maintained in the inventory shall be managed by accountables.”**


**Please be aware that the ISO 27001 norm states A.8.1.2 as Ownership of assets. As anDREa believes that the word ‘owner’ has a different definition in the cloud and with respect to (personal) data, the word ‘owner’ is substituted for ‘accountable’ according to the Responsible, Accountable, Consulted, Informed (RACI)-model. 

The Record of processing activities displays the associated asset accountable. In addition, the roles per employee per asset (either application, portal or physical asset) have been registered in anDREa People - Asset Overview and is at least updated biannually or when a change occurs. Lastly, the Business Manager maintains an inventory list of anDREa-supplied physical assets.


A.8.1.3 Acceptable use of assets


“Rules for acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.”


The acceptable use of assets is defined in A.6.2 Mobile devices and teleworking.

A.8.1.4 Return of assets


“All employees and external party users shall return all of the organisational assets in their possession upon termination of their employment, contract or agreement.”


As described in A.6.2 Mobile devices and teleworking, anDREa internal employees are issued an anDREa-managed device. To loan an anDREa device, a usage/loan agreement must be signed. Upon return, a return receipt must be signed by the receiver. External employees might work with Bring-Your-Own-Device (BYOD). If an employee works with BYOD and employment is terminated, they will be reminded and required to confirm in a ticket the handing in, of any anDREa-related work and safely dispose of local anDREa-related information. Accordingly, permissions will be revoked. The destruction of information is described in A.6.2 Mobile devices and teleworking

A.8.2 Information classification


This policy is described in a separate document: A.8.2 Information classification


A.8.3 Media handling

A.8.3.1 Management of removable media


“Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organisation.”


The use and management of removable media is described in A.6.2 Mobile devices and teleworking.

A.8.3.2 Disposal of media


“Media shall be disposed of securely when no longer required, using formal procedures.”


Disposal of media is described in A.6.2 Mobile devices and teleworking. Upon termination of employment, contract or agreement, the employee is reminded to dispose of any anDREa-related work or information after uploading it to anDREa-managed storage assets in accordance with the Retention & Destruction policy. In addition, the employee is asked to confirm the disposal, which is then registered in the appropriate offboarding ticket. This is done in accordance with A.7 Human resource security.

The Security Officer ensures that: 

  • if anDREa has outsourced the destruction of data carriers, this is done by a supplier of which it has been sufficiently demonstrated that it is suitable for this purpose and a proof of destruction is registered for a destroyed asset.

  • the retrieval and destruction of digital data carriers does not pose an unacceptable risk for the disclosure of information.

  • digital data carriers are stored in a sufficiently secure manner until they are destroyed. It must be clear which assets are going to be destroyed.

  • the digital data carriers that are disposed of and/or destroyed are registered in the Record of processing activities.

  • it is possible that an asset is given to an employee after depreciation or purchase. Information on a company asset is always deleted and the device is reset to the factory settings. The Record of processing activities records how the device was cleaned up and to whom it was given.


A.8.3.3 Physical media transfer


“Media containing information shall be protected against unauthorised access, misuse or corruption during transportation.”


In accordance with A.6.2 Mobile devices and teleworking physical media transfers using USB sticks are prohibited unless there are no cloud alternatives and after approval of the Security Officer. If USB sticks must be used, encryption is highly encouraged.

Administrations