ISO 27001 IT Security Asset Classification and Control Checklist

- Identifying the assets
- Identifying who is accountable for the assets
- Preparing a schema for information classification:
  - Confidentiality: Can the information be freely distributed, or do we need to restrict it to certain identified individuals?
  - Value: What is the asset’s value? Is it a high-value item and, therefore, costly to replace, or is it a low-value item?
  - Time: Is the information time sensitive? Will its confidentiality status change after some time?
  - Access rights: Who will have access to the asset?
  - Destruction: How long will the information be stored? How can it be destroyed, if necessary?

You need to evaluate each asset against the preceding criteria and classify it for easy identification. For instance, you can define confidentiality in terms of the following:

- Confidential: The access is restricted to a specific list of people. These could be company plans, secret manufacturing processes, formulas, and so on.
- Internal only: The access is restricted to internal employees only. These could be customer databases, manufacturing procedures, and so on.
- Shared: The resources are shared within groups or with people outside of the organization. This could be operational information and contact information, such as the organization’s internal telephone book, to be shared with business partners and agents.
- Unclassified: The resources are publicly accessible. This could include the company sales brochure and other publicity material.

| Attachment | Size |
|---|---|
| it-asset-classification-checklist.jpg | 21.49 KB |
| it-asset-classification-checklist.pdf | 10.92 KB |
| it-asset-classification-checklist.xls | 15.5 KB |







