4. Asset Management
This category ensures that information assets are identified and appropriately managed and protected. It involves maintaining an inventory of assets, assigning responsibilities, and implementing appropriate protection levels for different types of assets, including information, hardware, software, and documentation.
Controls (A.8):
A.8.1.1: Inventory of Assets
A.8.1.2: Ownership of Assets
A.8.1.3: Acceptable Use of Assets
A.8.1.4: Return of Assets
A.8.2.1: Classification of Information
A.8.2.2: Labeling of Information
A.8.2.3: Handling of Assets
A.8.3.1: Management of Removable Media
A.8.3.2: Disposal of Media
A.8.3.3: Physical Media Transfer
Control A.8.1.1: Inventory of Assets
Audit Questions:
Is there a documented inventory of all information assets?
How is the inventory maintained and updated?
Who is responsible for managing the inventory?
Common Non-Conformities (NC):
No documented inventory of information assets.
Inventory not updated regularly.
Lack of assigned responsibility for inventory management.
Control A.8.1.2: Ownership of Assets
Audit Questions:
Are asset owners assigned for all information assets?
How are responsibilities communicated to asset owners?
Common Non-Conformities (NC):
Assets without assigned owners.
Asset owners unaware of their responsibilities.
Control A.8.1.3: Acceptable Use of Assets
Audit Questions:
Is there an acceptable use policy for information assets?
How is this policy communicated and enforced?
Common Non-Conformities (NC):
No acceptable use policy.
Employees unaware of acceptable use policies.
Policy not enforced effectively.
Control A.8.1.4: Return of Assets
Audit Questions:
What procedures are in place for ensuring the return of assets upon termination or change of employment?
Are there records of assets returned by departing employees?
Common Non-Conformities (NC):
Lack of procedures for the return of assets.
No records of returned assets.
Assets not returned in a timely manner.
Control A.8.2.1: Classification of Information
Audit Questions:
Is there a classification scheme for information assets?
How is information classified based on sensitivity and criticality?
Common Non-Conformities (NC):
No classification scheme in place.
Information not classified properly.
Control A.8.2.2: Labeling of Information
Audit Questions:
Are information assets labeled according to their classification?
How is labeling implemented and monitored?
Common Non-Conformities (NC):
Information not labeled according to classification.
Inconsistent or missing labels on information assets.
Control A.8.2.3: Handling of Assets
Audit Questions:
Are there procedures for handling information assets based on their classification?
How are these procedures communicated to employees?
Common Non-Conformities (NC):
No documented procedures for handling assets.
Employees unaware of handling procedures.
Improper handling of classified information.
Control A.8.3.1: Management of Removable Media
Audit Questions:
What controls are in place for the use of removable media?
How is the use of removable media monitored?
Common Non-Conformities (NC):
No controls for the use of removable media.
Unmonitored use of removable media.
Control A.8.3.2: Disposal of Media
Audit Questions:
Are there procedures for the secure disposal of media?
How is the effectiveness of disposal procedures verified?
Common Non-Conformities (NC):
No procedures for secure disposal of media.
Improper disposal of media leading to data breaches.
Control A.8.3.3: Physical Media Transfer
Audit Questions:
Are there procedures for the secure transfer of physical media?
How is the transfer of media tracked and recorded?
Common Non-Conformities (NC):
No procedures for secure transfer of media.
Media transfers not tracked or recorded.
Last updated