Know what you have, where it is and who is responsible for it

 

Asset management is not one of the Cyber Essentials controls; however, it is a fundamental cyber hygiene practice that can help your organisation meet all five of the controls.

Asset management means creating and maintaining accurate information about your assets that enables day-to-day operations and efficient decision making when you need it. Many major security incidents are caused by organisations having assets which they do not realise are still active and still connected to the network. Effective asset management will help track and control devices as they're introduced into your business.

Asset management creates the foundation on which to build all of your other security features.

The government’s National Cyber Security Centre (NCSC) has comprehensive guidance for organisations on asset management.

What is an asset?

An asset is a resource or an item of property that is owned or controlled by a company. Business assets can include information (data), devices or ‘hardware’ used to create, read, store or process data, and programs and apps or ‘software’ that interact with company data. Assets can also include vehicles, people and infrastructure (offices, electricity, air conditioning).  

Within the context of Cyber Essentials, we will focus on information, hardware and software, including cloud services.

Once an organisation has identified its assets, they can then be factored in and controlled when identifying risks, threats and vulnerabilities.

 Identify and list all your business assets:

  • Information or data

    • customer details

    • mailing lists

    • billing and payroll

    • reports

    • emails

    • intellectual property etc

  • Hardware

    • laptops and computers

    • thin clients

    • servers

    • mobile phones

    • tablets

    • firewalls

    • routers

  • Software

    • operating systems such as Windows, macOS, iOS, Android, Linux

    • commercial applications and other software programs such as internet browsers, anti-malware, office applications, accounts packages etc

    • commercial extensions and plugins for software e.g., to add features to email clients or internet browsers 

    • server software including operating systems, virtualisation software (hypervisors), virtual desktop software, email software, databases etc 

  • Cloud services are located on servers elsewhere and accessed via an internet connection. They can include:

    • storage and software solutions (SaaS) such as Microsoft 365, Jira, Dropbox, and Gmail

    • development platforms (PaaS) such as Azure Web Apps and Amazon Web Services Lambda

    • IT infrastructure (IaaS) such as Rackspace, Google Compute Engine, or Amazon EC2

 What is an asset register?

An asset register is essentially a document or series of documents that list and describe everything that has value to your company. It also nominates someone to be responsible for protecting the confidentiality, integrity and availability of each item. Despite being time consuming, the activity of making an asset inventory is an important start for implementing cyber security controls. How can you protect something that you don't know about?

Ensure all assets are accounted for by the asset management process. This should include physical, virtual and cloud resources, along with your organisation’s internet presence, in the form of social media accounts, domain name registrations, IP address spaces and digital certificates. Comprehensive asset management helps avoid any assets not being configured with the appropriate security controls and is required for compliance and vulnerability scanning (for those certifying to Cyber Essentials Plus).

A comprehensive asset registry is usually an important component of your insurance policy, accounting process or procurement and, as your organisation grows in its cyber security journey, it will inform your risk assessment as well as an incident response plan.

Label your stuff

An asset register should contain some key fields to make the tracking and identification of assets easier. Consider developing a system of unique IDs for each item in the inventory, which can save confusion about overlapping technologies or multiple identical items. Asset tags can allow you to label physical devices.

For each asset, your records must include at least:

  • A category name that groups similar asset types

  • Details of location (be aware of any assets that are moved around)

Know where it is

Are your assets on a local computer, cloud storage, on social media, a member of staff's computer, a USB stick, a database, or in a filing cabinet? Are they located at home, the main office, or in a storage unit?
If the asset is fixed, record the location.

  • Mobile assets: If the asset is mobile, record who uses it on a day-to-day basis and where it is typically used; mobile assets may be governed more by ownership than location. It may also be possible to track portable assets through the use of mobile device management (MDM) software.

  • An asset importance rating: The relative value and impact of losing the asset can be recorded using protective marking schemes. Common systems to record this include: (high, medium, low), (public, confidential, secret), or (red, amber, green).

  • An asset owner: Having a named owner for each asset ensures that someone is accountable for the activities required to keep it secure. Information asset owners will set the rules around data assets, such as classification, who can access them, and retention period.

Managing legacy

All software and hardware eventually becomes out of date. Continuing to use products beyond that point involves increased risk, or increased costs to mitigate those risks. Cyber Essentials certification requires organisations to use software that is licensed and supported, so understanding when your assets become end of life or unsupported is crucial to organisations seeking to certify or re-certify to Cyber Essentials. Asset management can help organisations identify when systems will reach end of support and plan ahead.

The use of Bring Your Own Devices (BYOD)

If your organisation allows staff to use personal devices such as mobile phones for business purposes, those devices will need to be approved and tracked, but as they are not owned by the organisation, they will not be included in the asset register.

Removal of assets

Assets removed from your business estate must be removed from the asset register and disposed of securely.

Review your asset register

Once you have created your asset register, you need to ensure that you keep the information up to date and review it at least annually. When you buy new equipment, be sure to log it in the asset register, and when you move something or discard it, update your list. Your asset list is only as valuable as the care and detail you put into accounting and documenting each asset. It is worth being meticulous, as an asset register gives you the visibility and awareness for many of your other practices and requirements.
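The checks described above (unique IDs, the minimum fields per asset, end of support, and an annual review) can be run automatically over a register kept as a CSV file. The following is an added example, not part of the original guidance; the column names, the sample rows and the choice of the high/medium/low rating scheme are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample register; column names are assumptions for this example.
SAMPLE_REGISTER = """asset_id,category,location,importance,owner,end_of_support,last_reviewed
HW-001,laptop,Main office,high,A. Patel,2027-10-14,2025-01-10
HW-002,server,Main office,high,,2023-10-10,2025-01-10
SW-001,operating system,HW-002,medium,B. Jones,2023-10-10,2023-06-01
HW-001,router,Storage unit,low,C. Smith,,2025-02-01
CL-001,cloud service,SaaS,purple,D. Lee,,2025-03-01
"""

REQUIRED = ("category", "location", "importance", "owner")
RATINGS = {"high", "medium", "low"}  # one of the rating schemes listed above


def audit_register(csv_text, today):
    """Return a sorted list of (asset_id, finding) tuples for the register."""
    findings = []
    seen_ids = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        asset_id = (row.get("asset_id") or "").strip()
        if not asset_id:
            asset_id = "<no id>"
            findings.append((asset_id, "missing asset_id"))
        elif asset_id in seen_ids:
            findings.append((asset_id, "duplicate asset_id"))
        seen_ids.add(asset_id)
        for field in REQUIRED:
            if not (row.get(field) or "").strip():
                findings.append((asset_id, f"missing {field}"))
        rating = (row.get("importance") or "").strip().lower()
        if rating and rating not in RATINGS:
            findings.append((asset_id, f"unknown importance rating '{rating}'"))
        # An empty end_of_support means no date is recorded, not "never expires".
        eos = (row.get("end_of_support") or "").strip()
        if eos and date.fromisoformat(eos) < today:
            findings.append((asset_id, "past end of support"))
        reviewed = (row.get("last_reviewed") or "").strip()
        if not reviewed or today - date.fromisoformat(reviewed) > timedelta(days=365):
            findings.append((asset_id, "not reviewed in the last year"))
    return sorted(findings)


if __name__ == "__main__":
    for asset_id, finding in audit_register(SAMPLE_REGISTER, date(2025, 6, 1)):
        print(f"{asset_id}: {finding}")
```

Dates are expected in ISO format (YYYY-MM-DD); a malformed date raises an error rather than being silently skipped, so a bad entry cannot hide an unsupported asset.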

© The IASME Consortium Ltd 2025 All rights reserved.
