Controls (A.8):
A.8.1.1: Inventory of Assets
A.8.1.2: Ownership of Assets
A.8.1.3: Acceptable Use of Assets
A.8.1.4: Return of Assets
A.8.2.1: Classification of Information
A.8.2.2: Labeling of Information
A.8.2.3: Handling of Assets
A.8.3.1: Management of Removable Media
A.8.3.2: Disposal of Media
A.8.3.3: Physical Media Transfer
Control A.8.1.1: Inventory of Assets
Audit Questions:
Is there a documented inventory of all information assets?
How is the inventory maintained and updated?
Who is responsible for managing the inventory?
Common Non-Conformities (NC):
No documented inventory of information assets.
Inventory not updated regularly.
Lack of assigned responsibility for inventory management.
Control A.8.1.2: Ownership of Assets
Audit Questions:
Are asset owners assigned for all information assets?
How are responsibilities communicated to asset owners?
Common Non-Conformities (NC):
Assets without assigned owners.
Asset owners unaware of their responsibilities.
Control A.8.1.3: Acceptable Use of Assets
Audit Questions:
Is there an acceptable use policy for information assets?
How is this policy communicated and enforced?
Common Non-Conformities (NC):
No acceptable use policy.
Employees unaware of acceptable use policies.
Policy not enforced effectively.
Control A.8.1.4: Return of Assets
Audit Questions:
What procedures are in place for ensuring the return of assets upon termination or change of employment?
Are there records of assets returned by departing employees?
Common Non-Conformities (NC):
Lack of procedures for the return of assets.
No records of returned assets.
Assets not returned in a timely manner.
Control A.8.2.1: Classification of Information
Audit Questions:
Is there a classification scheme for information assets?
How is information classified based on sensitivity and criticality?
Common Non-Conformities (NC):
No classification scheme in place.
Information not classified properly.
Control A.8.2.2: Labeling of Information
Audit Questions:
Are information assets labeled according to their classification?
How is labeling implemented and monitored?
Common Non-Conformities (NC):
Information not labeled according to classification.
Inconsistent or missing labels on information assets.
Control A.8.2.3: Handling of Assets
Audit Questions:
Are there procedures for handling information assets based on their classification?
How are these procedures communicated to employees?
Common Non-Conformities (NC):
No documented procedures for handling assets.
Employees unaware of handling procedures.
Improper handling of classified information.
Control A.8.3.1: Management of Removable Media
Audit Questions:
What controls are in place for the use of removable media?
How is the use of removable media monitored?
Common Non-Conformities (NC):
No controls for the use of removable media.
Unmonitored use of removable media.
Control A.8.3.2: Disposal of Media
Audit Questions:
Are there procedures for the secure disposal of media?
How is the effectiveness of disposal procedures verified?
Common Non-Conformities (NC):
No procedures for secure disposal of media.
Improper disposal of media leading to data breaches.
Control A.8.3.3: Physical Media Transfer
Audit Questions:
Are there procedures for the secure transfer of physical media?
How is the transfer of media tracked and recorded?
Common Non-Conformities (NC):
No procedures for secure transfer of media.
Media transfers not tracked or recorded.