ISO IEC 27002 2013 Translated Into Plain English

Transcription

ISO IEC 27002 2013 TRANSLATED INTO PLAIN ENGLISH
8. ORGANIZATIONAL ASSET MANAGEMENT

8.1 ESTABLISH RESPONSIBILITY FOR CORPORATE ASSETS

GOAL: To protect assets associated with information and information processing facilities.

MEMO: Define protection responsibilities for assets associated with your information and information processing facilities.

8.1.1 COMPILE AN INVENTORY OF ASSETS ASSOCIATED WITH INFORMATION

CTRL: Identify all assets associated with your organization’s information and information processing facilities.
CTRL: Compile an inventory of all assets associated with your information and information processing facilities.
CTRL: Maintain an inventory of all assets associated with your information and information processing facilities.

GUIDE: Use information lifecycle stages to identify assets.
    GUIDE: Identify assets used to create information.
    GUIDE: Identify assets used to process information.
    GUIDE: Identify assets used to store information.
    GUIDE: Identify assets used to transmit information.
    GUIDE: Identify assets used to delete information.
    GUIDE: Identify assets used to destroy information.

GUIDE: Establish an inventory of information oriented assets.
    GUIDE: Classify each identified information oriented asset (8.2).
    GUIDE: Assign ownership to each information oriented asset (8.1.2).
    GUIDE: Align your inventory of assets with other inventories.
    GUIDE: Document your organization’s inventory of assets.
    GUIDE: Store your documents in dedicated inventories.
    GUIDE: Specify the importance of each identified asset.

GUIDE: Maintain your organization’s inventory of assets.

ORGANIZATION: ________  YOUR LOCATION: ________  COMPLETED BY: ________  DATE COMPLETED: ________  REVIEWED BY: ________  DATE REVIEWED: ________
MAR 2014 | PART 8 | PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT STANDARD | COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. | EDITION 1.0 | PAGE 58

    GUIDE: Make sure that your asset inventory is accurate.
    GUIDE: Make sure that your asset inventory is up-to-date.
    GUIDE: Make sure that your inventory is internally consistent.

NOTE: Assets cannot be properly protected unless you've previously identified and listed the assets that should be protected.
NOTE: A complete inventory of information assets may also be required for health, safety, insurance, or financial reasons.
NOTE: Also see ISO IEC 27005 for examples of the kinds of information oriented assets that ought to be protected.

8.1.2 SELECT OWNERS FOR ALL ASSETS ASSOCIATED WITH YOUR INFORMATION

CTRL: Select owners for assets associated with your information and information processing facilities.

GUIDE: Establish a process to assign owners to all relevant assets.

GUIDE: Make owners responsible for assets throughout asset lifecycles.
    GUIDE: Ask owners to define asset access restrictions and controls.
    GUIDE: Ask owners to manage their information oriented assets.
    GUIDE: Ask owners to ensure that assets are properly classified.
    GUIDE: Ask owners to ensure that assets are properly inventoried.
    GUIDE: Ask owners to ensure that assets are properly protected.
    GUIDE: Ask owners to ensure that assets are properly disposed of.
    GUIDE: Ask owners to ensure that assets are properly deleted.
    GUIDE: Ask owners to ensure that assets are properly destroyed.
    GUIDE: Ask owners to periodically review asset security practices.
    GUIDE: Ask owners to periodically review asset classifications.
    GUIDE: Ask owners to periodically review access …
    GUIDE: Ask owners to consider access control policies.

GUIDE: Allocate ownership to people responsible for asset lifecycles.

    GUIDE: Assign asset ownership when assets are created or acquired.

NOTE: Asset owners do not actually “own” assets in the legal sense of the word, nor do they have any property rights to the asset.
NOTE: An asset owner can be either a person or some other entity and should be responsible for the entire lifecycle of the asset.
NOTE: While routine asset management tasks can be delegated, responsibility for the asset should remain with the asset owner.
NOTE: When assets act together to provide a service, owners should be responsible for both the service and the underlying assets.

8.1.3 PREPARE ACCEPTABLE USE RULES FOR ASSETS ASSOCIATED WITH INFORMATION

CTRL: Define and document rules that clarify the acceptable use of information.
CTRL: Implement rules that clarify the acceptable use of information.
CTRL: Define and document rules that clarify the acceptable use of assets associated with information and information processing facilities.
CTRL: Implement rules that clarify the acceptable use of assets related to information and information processing facilities.

GUIDE: Tell people about security requirements before allowing access.
    GUIDE: Make employees aware of information security requirements.
    GUIDE: Make third parties aware of information security requirements.

GUIDE: Make people responsible for their use of facilities and resources.
    GUIDE: Hold people responsible even when they delegate use to others.

8.1.4 RETURN ALL ASSETS ASSOCIATED WITH INFORMATION UPON TERMINATION

CTRL: Make sure that all employees return all corporate assets associated with information and information processing facilities when their employment is terminated.
CTRL: Make sure that all external users return all corporate assets associated with information and information processing facilities when their contract or agreement is terminated.

GUIDE: Make the return of assets part of a formal termination process.
    GUIDE: Ask people to return physical and electronic assets at termination.

    GUIDE: Protect company information on equipment of terminated users.
        GUIDE: Protect information on equipment sold to terminated users.
            GUIDE: Transfer information from equipment sold to terminated users.
            GUIDE: Make sure that all relevant information is securely erased.
        GUIDE: Protect information on terminated user’s personal equipment.
            GUIDE: Transfer information from former user’s personal equipment.
            GUIDE: Make sure that company information is securely erased.

GUIDE: Preserve the knowledge that personnel have before they leave.
    GUIDE: Document all relevant knowledge before your personnel leave.
    GUIDE: Transfer knowledge to the company before personnel leave.

GUIDE: Control unauthorized copying during the notice period of termination.
    GUIDE: Prevent terminated employees from copying your information.
    GUIDE: Prevent terminated contractors from copying your information.

8.2 DEVELOP AN INFORMATION CLASSIFICATION SCHEME

GOAL: To provide an appropriate level of protection for your organization’s information.

MEMO: Your level of protection should reflect how important the information is to your organization.

8.2.1 CLASSIFY YOUR ORGANIZATION’S INFORMATION

CTRL: Adopt an information classification scheme.
CTRL: Classify information according to the kinds of legal requirements that must be met.
CTRL: Classify information according to how sensitive it is to unauthorized disclosure or modification.
CTRL: Classify your information according to how valuable it is to your organization.
CTRL: Classify information according to how critical it is.

GUIDE: Create an effective information classification scheme.
    GUIDE: Ensure that the scheme meets all legal requirements.
    GUIDE: Ensure that the scheme follows your access control policy (9.1.1).
    GUIDE: Ensure that the scheme addresses your unique business needs.
    GUIDE: Ensure that your scheme allows you to share information.
    GUIDE: Ensure that your scheme allows you to restrict access.

GUIDE: Design your organization’s information classification scheme.
    GUIDE: Consider also classifying assets used to manage information.
    GUIDE: Consider also classifying assets used to store information.
    GUIDE: Consider also classifying assets used to process information.
    GUIDE: Consider also classifying assets used to handle information.
    GUIDE: Consider also classifying assets used to protect information.
    GUIDE: Make owners of assets accountable for their classification.
    GUIDE: Ensure that assets and information can be consistently classified.
    GUIDE: Ensure that classifiers share a common understanding.
        GUIDE: Ensure that each classification level has an intuitive name.
        GUIDE: Ensure that everyone can do classifications in the same way.
        GUIDE: Ensure that protection requirements are widely understood.
            GUIDE: Ensure that confidentiality requirements are understood.
            GUIDE: Ensure that availability requirements are understood.
            GUIDE: Ensure that integrity requirements are understood.
    GUIDE: Integrate your classification scheme into your other processes.

GUIDE: Implement your organization’s classification scheme.
    GUIDE: Classify all forms of information in order to safeguard it.

        GUIDE: Classify information according to how important it is.
        GUIDE: Classify information according to how valuable it is.
        GUIDE: Classify information according to how sensitive it is.
        GUIDE: Classify information according to how critical it is.
        GUIDE: Classify information according to how much protection it needs.
        GUIDE: Classify information according to how confidential it must be.
        GUIDE: Classify information according to how available it must be.
    GUIDE: Classify assets used to manage information.
        GUIDE: Classify assets used to store information.
        GUIDE: Classify assets used to process information.
        GUIDE: Classify assets used to handle information.
        GUIDE: Classify assets used to protect information.

GUIDE: Establish criteria for reviewing classifications during their lifecycle.
    GUIDE: Review classifications whenever needs or requirements change.
        GUIDE: Analyze changes in your organization’s requirements.
            GUIDE: Examine changes in confidentiality requirements.
            GUIDE: Examine changes in availability requirements.
            GUIDE: Examine changes in integrity requirements.
        GUIDE: Analyze changes in the status of information.
            GUIDE: See if the value of your information has changed.
            GUIDE: See if the criticality of your information has changed.
            GUIDE: See if the sensitivity of your information has changed.
    GUIDE: Assess the level of protection that classifiers are assigning.

GUIDE: Update your classifications throughout their lifecycle.
    GUIDE: Update classifications to reflect changes in requirements.
        GUIDE: Accommodate changes in confidentiality requirements.
        GUIDE: Accommodate changes in availability requirements.
        GUIDE: Accommodate changes in integrity requirements.
    GUIDE: Update classifications to reflect changes in information.
        GUIDE: Update classifications to accommodate changes in value.
        GUIDE: Update classifications to accommodate changes in criticality.
        GUIDE: Update classifications to accommodate changes in sensitivity.

NOTE: Group information into categories (classifications) that have similar protection needs and requirements.
NOTE: For each category, develop an information security procedure that applies to all the information in that category.
NOTE: Use your categories to tell people how to handle and how to protect the information in each particular category. Use categories to avoid having to carry out case-by-case risk assessments and to avoid having to design special controls.
NOTE: Information sometimes needs to be reclassified because it’s no longer sensitive or critical (e.g., after it’s been made public). Because of this, care should be taken to review classifications and to reclassify information whenever its status changes.
NOTE: Th…
