Version: 3.0
Valid until: 2025-05-15
Classification: Low
2.1 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Replaced the links for the usage/loan agreement template and signed loan agreement. Changes to A.8.1.4 to reflect new MDM possibilities. | 2023-10-05 |
3.0 | Edward Robinson | Additions/changes as part of the annual review. Updated broken links for the Record of Processing Activities and Asset Overview. Added the issuing and return of anDREa-managed devices + link to retention & destruction policy under 8.3.2 |
In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information management system in accordance with the requirements of ISO 27001:2017.
The purpose of this document is to describe the asset management policy of anDREa and the associated controls, checks and administrations.
This document will be reviewed at least annually and whenever a significant change occurs.
The objectives of this control are:
To identify organisational assets and define appropriate protection responsibilities (A.8.1).
To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation (A.8.2).
To prevent unauthorised disclosure, modification, removal or destruction of information stored on media (A.8.3).
The scope of this document corresponds to Clause 4 Context of the organisation.
This document is:
required reading for:
all employees and contractors of anDREa.
available for all interested parties as appropriate.
All information processing assets used or managed by anDREa are registered in the Record of processing activities.
The Record of processing activities shows the accountable associated with each asset. In addition, the roles per employee per asset (either application, portal or physical asset) are registered in anDREa People - Asset Overview, which is updated at least biannually or when a change occurs. Lastly, the Business Manager maintains an inventory list of anDREa-supplied physical assets.
This policy is described in a separate document: A.8.2 Information classification.
The Security Officer ensures that:
if anDREa has outsourced the destruction of data carriers, this is done by a supplier whose suitability for this purpose has been sufficiently demonstrated, and a proof of destruction is registered for each destroyed asset.
the retrieval and destruction of digital data carriers does not pose an unacceptable risk of disclosure of information.
digital data carriers are stored in a sufficiently secure manner until they are destroyed. It must be clear which assets are going to be destroyed.
the digital data carriers that are disposed of and/or destroyed are registered in the Record of processing activities.
when an asset is given to an employee after depreciation or purchase, the information on the company asset is always deleted and the device is reset to factory settings. The Record of processing activities records how the device was cleaned up and to whom it was given.
Record of processing activities for information processing assets and accountables (authorised personnel only).
anDREa People - Asset Overview for an overview of the roles per employee per asset (authorised personnel only).
Relevant Zoho tickets regarding disposal of media and destruction of information after termination of employment, contract or agreement.
Receipt of return (of issued assets).