Question: How many flavors of crazy do you need to be to get involved in ISO 27001?
Answer: Zero flavors, because ISO 27001 is officially a good thing. ISO 27001 is nature’s way of saying, “Man, this business has got its information security assets locked down tight, so buy stuff from it.”
ISO 27001 Is an Easy Way to Impress
Grabbing hold of some sweet, sweet ISO 27001 certification shows every potential customer that you’re deadly serious about their information security. This means you’ll:
- Gain business credibility and competitive advantage when you’re tendering for juicy contracts. Your days of sending baskets of cookies and begging them to pick you are over.
- Play in the Serious Dollars playground. Many high-value contracts demand ISO 27001 as a pre-qualifier. Monay, monay, monay, baby.
- Fix your information security weak spots before any expensive, embarrassing things happen.
- Steer clear of reputation-busting security breaches and data-tastrophes.
- Be audit-ready 24/7.
- Sleep more than 3 hours a night because you’re finally managing all the risks the right way.
Ok, Sounds Good, But Isn’t It Hard Work?
Look, anything worth doing ain’t easy. Crack open Annex A of ISO 27001 and you’ll find 14 security domains containing 35 security categories and 114 individual controls.
Yup, 114 controls.
Pin that number on a sticky note on your bathroom mirror, right next to your morning affirmations. These controls are your safeguards and guideposts. You will learn to love them almost as much as your kids, but at first, it’s daunting. Where do you even start?
Welcome to Your Information Security Asset Inventory
Your asset inventory is your new best friend. It won’t make you a friendship bracelet, but it will help you comply with a core section of ISO 27001: the infamous Annex A.8, the Asset Management domain. The Asset Management domain is a biggie and requires that you identify your information security assets and assign appropriate responsibilities for protecting them.
Sounds fancy and important, right? Well, it is.
What’s in My Inventory?
Gorgeous things, darling. If you’re using Mobile Device Management (and why would you not be?) your MDM dashboard is pretty much an IT asset inventory. It’s a single source of truth that contains a ton of information such as:
- The devices in your fleet, where they are, what they’re doing, and who is the “owner” or last user.
- Serial numbers, age, RAM, and OS versions.
- What is encrypted and what isn’t.
- Whether recovery keys are present or AWOL.
And loads more. This style of asset inventory gives you at-a-glance visibility into your entire fleet, no matter where each device is located or who is using it. It’s an information goldmine, drooled over by auditors, Chief Operating Officers, and Chief Financial Officers alike.
How Does an Asset Inventory Get Cozy With ISO 27001 Annex A.8?
We thought you’d never ask. Buckle up, because a ton of numbers are about to happen and it might be a bit of a snoozefest. Drink some coffee and know it’ll be over soon.
Just by keeping it up to date, your IT asset inventory complies (and can demonstrate compliance) with many of the asset management controls, including:
- Inventory and maintenance of assets (8.1.1): Your MDM system should be able to generate an up-to-date inventory of devices used for your business for you (or your auditor) to review whenever necessary. It’ll be accurate, consistent, and up-to-date, just as the control specifies. Phew.
- Ownership of assets (8.1.2): This is more about asset management responsibility than ownership. Your asset inventory is a tool that allows your responsible officer to carry out ownership duties. With a competent asset inventory, they should be able to easily review and change access restrictions, and flag out-of-compliance conditions. All from the comfort of their sofa. Cool, right?
- Acceptable use of assets (8.1.3): Your asset inventory should allow you to implement your acceptable use policy. If your company’s acceptable use policy says, “No Minesweeper, ever ever ever,” then your inventory will search the entire fleet and flag up the devices containing the evil therein.
- Return of assets (8.1.4): Your asset inventory allows you to demonstrate that changes are dealt with appropriately when a device is returned to you or no longer used for business. For example, when you need to let Diane go because of that unfortunate Zoom incident, the asset inventory should correctly reflect that Diane is no longer the user; her former computer is now in your spare inventory, ready for redeployment.
Two for One Bonus Alert! As your device inventory, your asset inventory also demonstrates your compliance with the Management of Technical Vulnerabilities control (12.6.1) of the standard’s Clause 12, Operations Security. Whoop!
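Here is the mapping above as an added worked example (our illustration, not Ignition’s tooling or any MDM product’s real export format): a small check over a constructed inventory export that flags the out-of-compliance conditions each control cares about. The field names, the disallowed app list and the OS baseline are assumptions.

```python
# Added example: evaluate a constructed MDM inventory export against the
# Annex A.8 conditions and the A.12.6.1 patch baseline described above.
# Field names, DISALLOWED_APPS and MIN_OS_VERSION are assumptions, not any
# real MDM product's schema or policy.
from typing import Dict, List, Tuple

DISALLOWED_APPS = {"Minesweeper"}   # from the (assumed) acceptable use policy
MIN_OS_VERSION = (13, 0)            # assumed patch baseline for A.12.6.1

# Constructed sample export: four devices, including Diane's returned laptop.
INVENTORY: List[Dict] = [
    {"id": "MBP-001", "user": "alice", "status": "active", "os": "13.4",
     "encrypted": True, "recovery_key": True, "apps": ["Slack"]},
    {"id": "MBP-002", "user": "bob", "status": "active", "os": "12.6",
     "encrypted": True, "recovery_key": False, "apps": ["Minesweeper"]},
    {"id": "MBP-003", "user": "diane", "status": "returned", "os": "13.4",
     "encrypted": True, "recovery_key": True, "apps": []},
    {"id": "MBP-004", "user": None, "status": "active", "os": "13.4",
     "encrypted": False, "recovery_key": False, "apps": []},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '12.6' into (12, 6) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def check_inventory(devices: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (control, device id, finding) for every out-of-compliance condition."""
    findings = []
    for d in devices:
        # 8.1.2 ownership: every device in use must have a responsible user.
        if d["status"] == "active" and not d["user"]:
            findings.append(("8.1.2", d["id"], "no assigned owner"))
        # 8.1.3 acceptable use: flag software the policy forbids.
        for app in sorted(set(d["apps"]) & DISALLOWED_APPS):
            findings.append(("8.1.3", d["id"], f"disallowed app {app}"))
        # 8.1.4 return of assets: a returned device must no longer list a user.
        if d["status"] == "returned" and d["user"]:
            findings.append(("8.1.4", d["id"], f"still assigned to {d['user']}"))
        # Encryption state and key escrow are inventory fields an auditor will ask about.
        if not d["encrypted"]:
            findings.append(("encryption", d["id"], "disk not encrypted"))
        elif not d["recovery_key"]:
            findings.append(("encryption", d["id"], "recovery key not escrowed"))
        # 12.6.1 technical vulnerabilities: OS below the patch baseline.
        if parse_version(d["os"]) < MIN_OS_VERSION:
            findings.append(("12.6.1", d["id"], f"OS {d['os']} below baseline"))
    return findings

if __name__ == "__main__":
    for control, dev, msg in check_inventory(INVENTORY):
        print(f"[{control}] {dev}: {msg}")
```

Run against a real export, the findings list is the evidence you hand an auditor: an empty list for a control is the demonstration that the inventory meets it.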
Managing Your Information Security Assets Brings ISO 27001 a Whole Lot Closer
If you’ve been bitten by the ISO 27001 bug, we need you to know that we’re terribly clever at creating customized inventories for information security assets that make ISO 27001 auditors weep happy tears (we have video proof). So, give us a call because we’d be delighted to be your best pal on your ISO adventure.
Ignition is Silicon Valley’s best (and friendliest) IT security, compliance, and support team. Contact us now – chatting about IT support and cybersecurity is our favorite thing to do!