Asset Management Policy
Document Version: 1.0
Last Updated: July 19, 2025
Compliance Framework: ISO/IEC 27001:2022 – Clause 7.5 (documented information); Annex A control A.5.9 (inventory of information and other associated assets) and the A.5 (organizational) and A.8 (technological) control groups
1. Purpose
This policy establishes the requirements for identifying, managing, and protecting organizational assets—including physical, digital, cloud-based, and SaaS assets—to ensure confidentiality, integrity, and availability of information as required by ISO/IEC 27001.
2. Scope
This policy applies to:
- All information assets owned or managed by the organization.
- Employees, contractors, and third parties handling company assets.
- Assets hosted on-premises, in the cloud (IaaS/PaaS), or via SaaS providers.
3. Asset Inventory & Classification
3.1 Asset Identification
- All assets shall be inventoried and uniquely identified (e.g., by a unique asset ID recorded in the central inventory).
- The asset inventory shall include:
  - Hardware (servers, laptops, mobile devices)
  - Software (applications, operating systems)
  - Information (databases, documents, source code)
  - Virtual/cloud resources (VMs, containers, buckets, databases)
  - SaaS platforms (CRM, ticketing systems, storage)
3.2 Asset Ownership
- Each asset shall have a clearly assigned owner responsible for its lifecycle, classification, and protection.
3.3 Asset Classification
- Information assets shall be classified based on sensitivity and business value:
  - Confidential (e.g., PII, credentials)
  - Internal (e.g., internal reports)
  - Public (e.g., marketing materials)
4. Cloud & SaaS-Specific Controls
4.1 Cloud Assets
- All cloud resources must be registered in the central asset inventory.
- Use of cloud services (e.g., AWS, Azure, GCP) must follow company-approved configurations (e.g., tagging, encryption, access control).
4.2 SaaS Applications
- All SaaS subscriptions must be approved and inventoried.
- Security posture of each SaaS vendor must be assessed before onboarding (e.g., via vendor risk assessment).
- Access to SaaS tools must be integrated with enterprise IAM solutions (e.g., SSO, MFA).
5. Acceptable Use & Handling
- Asset users must follow the Acceptable Use Policy.
- Sensitive data must not be stored or transmitted on unauthorized or unprotected systems (e.g., unapproved SaaS tools).
- Portable devices must have full-disk encryption enabled and must support remote wipe so that data can be erased if the device is lost or stolen.
6. Asset Lifecycle
6.1 Acquisition
- Assets must be procured through approved processes with appropriate security reviews (e.g., for SaaS or cloud services).
6.2 Maintenance
- Assets must be patched, monitored, and maintained in line with security best practices.
6.3 Decommissioning & Disposal
- Hardware assets must be wiped and physically destroyed or securely disposed of.
- Cloud resources must be securely terminated, including associated storage volumes, snapshots, and backups, and storage must be wiped or deleted using provider tools.
- SaaS accounts must be properly offboarded (user access removed and SSO/IAM assignments revoked), and data retention or deletion reviewed per policy.
7. Responsibilities
| Role | Responsibility |
|---|---|
| Asset Owners | Maintain inventory, classify and secure assigned assets. |
| IT Department | Maintain asset database, enforce technical controls, support decommissioning. |
| Security Team | Oversee policy implementation, audit compliance, risk assessment of new assets. |
| All Users | Use assets responsibly and report loss or misuse. |
8. Compliance and Audit
- Asset inventories and classifications shall be reviewed at least annually.
- Regular internal audits will verify asset registration, ownership, and protection.
- Violations of this policy may result in disciplinary action and/or access revocation.
9. References
- ISO/IEC 27001:2022 – A.5.9, A.8.1–A.8.3
- Acceptable Use Policy
- Cloud Security Policy
- Vendor Risk Management Policy