Asset management
Asset management is the systematic identification, classification and maintenance of all of an organisation's information assets and thereby forms the foundation of an effective information security management system (ISMS).
In an information security context, the inventory covers far more than hardware and software: it also includes data, applications, cloud services, network components and paper-based information, as well as supporting assets such as personnel, locations and supplier relationships. Without a reliable register of these assets, protection requirements, risks and responsibilities cannot be determined dependably, and every subsequent ISMS process (protection-needs assessment, risk treatment, control evidence) builds on a gap-ridden picture.
Beyond mere identification, effective asset management requires assets to be classified according to their protection requirements in terms of confidentiality, integrity and availability, and to be assigned a clear owner. These asset owners decide on acceptable use, the necessary safeguards and the entire lifecycle of an asset, from acquisition through operation to secure decommissioning and disposal. Only the combination of inventory, classification and accountability enables risk-based management of information security.
Asset management is firmly anchored in the established security standards. ISO/IEC 27001 requires, in Annex A (Controls 5.9 to 5.11 of the 2022 edition), an inventory of information assets, rules on acceptable use and the return of assets. The German BSI IT-Grundschutz, CISIS12 and the risk management measures mandated under the NIS2 Directive likewise presuppose an up-to-date asset register, because protection-needs assessment, risk evaluation and evidence of the effectiveness of controls are impossible without complete knowledge of the assets to be protected.
Legal Basis
ISO/IEC 27001:2022 Annex A (Controls 5.9–5.11); BSI IT-Grundschutz; Art. 21 NIS2 Directive (EU) 2022/2555
Practical Example
Before its initial ISO/IEC 27001 audit, the information security officer of a mid-sized mechanical engineering company carries out an inventory and discovers that several production cloud services were procured by business units without IT approval (shadow IT). The officer records these services in the asset register, assigns an owner to each and classifies the engineering data they contain as "highly confidential". On this basis the protection requirements can be determined, missing safeguards such as encryption can be added, and the controls can be evidenced to the auditor.
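The two checks the officer performs above (is every in-use asset owned and classified with the safeguards its classification demands, and is anything in actual use that the register does not know about) can be automated once the register is machine-readable. The following is an added example, not code from the page or from any named standard: the register entries, the sign-in records standing in for an identity-provider export, and the control-per-classification policy are all constructed here for illustration, and the asset and control names are hypothetical.

```python
"""Asset-register consistency check (added example, constructed data).

Two questions an ISO/IEC 27001 A.5.9 inventory must answer:
  1. Does every asset still in use have an owner, a classification, and the
     minimum controls that classification requires?
  2. Is anything in actual use (here: seen in SSO sign-in events) missing
     from the register, i.e. shadow IT?
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

CLASSIFICATION_LEVELS = ("public", "internal", "confidential", "highly confidential")

# Hypothetical internal policy: minimum safeguards per classification level.
REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "confidential": {"access-control"},
    "highly confidential": {"access-control", "encryption-at-rest", "mfa"},
}


@dataclass
class Asset:
    asset_id: str
    name: str            # service hostname or system name as seen by users
    asset_type: str
    owner: Optional[str]
    classification: Optional[str]
    lifecycle: str       # "planned" | "in-use" | "decommissioned"
    controls: Set[str] = field(default_factory=set)


# Constructed register; asset IDs and names are illustrative only.
REGISTER: List[Asset] = [
    Asset("A-001", "erp.example", "saas", "CFO", "confidential", "in-use",
          {"access-control"}),
    Asset("A-002", "cad-vault.example", "saas", "Head of Engineering",
          "highly confidential", "in-use", {"access-control", "mfa"}),
    Asset("A-003", "legacy-fileshare", "server", None, None, "in-use", set()),
    Asset("A-004", "old-crm.example", "saas", "Sales", "internal",
          "decommissioned", {"access-control"}),
]

# Constructed SSO sign-in events; in practice this comes from the IdP,
# a CASB, DNS logs or expense exports.
SSO_EVENTS: List[Dict[str, str]] = [
    {"app": "erp.example", "user": "alice"},
    {"app": "erp.example", "user": "bob"},
    {"app": "cad-vault.example", "user": "carol"},
    {"app": "filedrop.example", "user": "dave"},
    {"app": "filedrop.example", "user": "erin"},
    {"app": "notes-app.example", "user": "frank"},
]


def register_gaps(register: List[Asset]) -> List[Tuple[str, str]]:
    """Return (asset_id, problem) pairs for in-use assets that lack an owner,
    a valid classification, or a control their classification requires."""
    findings: List[Tuple[str, str]] = []
    for a in register:
        if a.lifecycle == "decommissioned":
            continue  # retired assets are kept for traceability, not checked
        if not a.owner:
            findings.append((a.asset_id, "no owner"))
        if a.classification not in CLASSIFICATION_LEVELS:
            findings.append((a.asset_id, "unclassified"))
        else:
            missing = REQUIRED_CONTROLS.get(a.classification, set()) - a.controls
            for control in sorted(missing):
                findings.append((a.asset_id, f"missing control: {control}"))
    return findings


def shadow_it(register: List[Asset], events: List[Dict[str, str]]) -> Dict[str, int]:
    """Map each application seen in use but absent from the register to the
    number of distinct users observed, so the biggest gaps surface first."""
    known = {a.name.lower() for a in register if a.lifecycle != "decommissioned"}
    users_by_app: Dict[str, Set[str]] = {}
    for e in events:
        app = e["app"].lower()
        if app not in known:
            users_by_app.setdefault(app, set()).add(e["user"])
    return {app: len(users) for app, users in users_by_app.items()}


if __name__ == "__main__":
    for asset_id, problem in register_gaps(REGISTER):
        print(f"register gap: {asset_id}: {problem}")
    for app, n in sorted(shadow_it(REGISTER, SSO_EVENTS).items(), key=lambda kv: -kv[1]):
        print(f"unregistered service in use: {app} ({n} users)")
```

Note that decommissioned entries are deliberately kept in the register and excluded from the checks rather than deleted: the lifecycle field is what lets an auditor trace that an asset was disposed of, and a service that reappears in sign-in logs after decommissioning will correctly show up again as unregistered.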