130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Cyber Security
    • Cyber Security Centre (CSC)
      • Why we need a CSC
      • CSC Team Structure: Roles, Functions, and Tools
        • Key Function & Role
        • Tools & Platforms
        • People
        • Outsource Strategy
      • HRMC Executive Paper
  • Detection and Response
    • Playbook: Threat Prioritization & Automated Response Strategies
      • Scenario: Detecting and Mitigating a Ransomware Attack
      • Scenario: DC Sync Attack Detected and Mitigated
      • Scenario: Pass-the-Hash (PtH) Attack Detected and Contained
      • Scenario: Phishing Campaign with Malware / Credential Theft Detected and Mitigated
  • Application Architecture
    • Comparison of MVC , N-tier and Microservice Architecture
  • Application Security
    • OAuth, SAML, and OpenID Connect: Key Differences and Use Cases
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • Controls (A.8):
  • Control A.8.1.1: Inventory of Assets
  • Control A.8.1.2: Ownership of Assets
  • Control A.8.1.3: Acceptable Use of Assets
  • Control A.8.1.4: Return of Assets
  • Control A.8.2.1: Classification of Information
  • Control A.8.2.2: Labeling of Information
  • Control A.8.2.3: Handling of Assets
  • Control A.8.3.1: Management of Removable Media
  • Control A.8.3.2: Disposal of Media
  • Control A.8.3.3: Physical Media Transfer

Was this helpful?

  1. ISO 27001
  2. ISO 27001 Controls and Domains

4. Asset Management

This category ensures that information assets are identified and appropriately managed and protected. It involves maintaining an inventory of assets, assigning responsibilities, and implementing appropriate protection levels for different types of assets, including information, hardware, software, and documentation.

Controls (A.8):

  • A.8.1.1: Inventory of Assets

  • A.8.1.2: Ownership of Assets

  • A.8.1.3: Acceptable Use of Assets

  • A.8.1.4: Return of Assets

  • A.8.2.1: Classification of Information

  • A.8.2.2: Labeling of Information

  • A.8.2.3: Handling of Assets

  • A.8.3.1: Management of Removable Media

  • A.8.3.2: Disposal of Media

  • A.8.3.3: Physical Media Transfer

Control A.8.1.1: Inventory of Assets

Audit Questions:

  • Is there a documented inventory of all information assets?

  • How is the inventory maintained and updated?

  • Who is responsible for managing the inventory?

Common Non-Conformities (NC):

  • No documented inventory of information assets.

  • Inventory not updated regularly.

  • Lack of assigned responsibility for inventory management.

Control A.8.1.2: Ownership of Assets

Audit Questions:

  • Are asset owners assigned for all information assets?

  • How are responsibilities communicated to asset owners?

Common Non-Conformities (NC):

  • Assets without assigned owners.

  • Asset owners unaware of their responsibilities.

Control A.8.1.3: Acceptable Use of Assets

Audit Questions:

  • Is there an acceptable use policy for information assets?

  • How is this policy communicated and enforced?

Common Non-Conformities (NC):

  • No acceptable use policy.

  • Employees unaware of acceptable use policies.

  • Policy not enforced effectively.

Control A.8.1.4: Return of Assets

Audit Questions:

  • What procedures are in place for ensuring the return of assets upon termination or change of employment?

  • Are there records of assets returned by departing employees?

Common Non-Conformities (NC):

  • Lack of procedures for the return of assets.

  • No records of returned assets.

  • Assets not returned in a timely manner.

Control A.8.2.1: Classification of Information

Audit Questions:

  • Is there a classification scheme for information assets?

  • How is information classified based on sensitivity and criticality?

Common Non-Conformities (NC):

  • No classification scheme in place.

  • Information not classified properly.

Control A.8.2.2: Labeling of Information

Audit Questions:

  • Are information assets labeled according to their classification?

  • How is labeling implemented and monitored?

Common Non-Conformities (NC):

  • Information not labeled according to classification.

  • Inconsistent or missing labels on information assets.

Control A.8.2.3: Handling of Assets

Audit Questions:

  • Are there procedures for handling information assets based on their classification?

  • How are these procedures communicated to employees?

Common Non-Conformities (NC):

  • No documented procedures for handling assets.

  • Employees unaware of handling procedures.

  • Improper handling of classified information.

Control A.8.3.1: Management of Removable Media

Audit Questions:

  • What controls are in place for the use of removable media?

  • How is the use of removable media monitored?

Common Non-Conformities (NC):

  • No controls for the use of removable media.

  • Unmonitored use of removable media.

Control A.8.3.2: Disposal of Media

Audit Questions:

  • Are there procedures for the secure disposal of media?

  • How is the effectiveness of disposal procedures verified?

Common Non-Conformities (NC):

  • No procedures for secure disposal of media.

  • Improper disposal of media leading to data breaches.

Control A.8.3.3: Physical Media Transfer

Audit Questions:

  • Are there procedures for the secure transfer of physical media?

  • How is the transfer of media tracked and recorded?

Common Non-Conformities (NC):

  • No procedures for secure transfer of media.

  • Media transfers not tracked or recorded.

Previous3. Human Resource SecurityNext5. Access Control

Last updated 5 months ago

Was this helpful?