
Table of Contents

1 Introduction
2 Scope
3 Asset Management
3.1 Responsibility for assets
3.1.1 Asset Inventory
3.1.2 Ownership of assets
3.1.3 Acceptable use of assets
3.1.4 Return of assets
3.2 Media Handling
3.2.1 Management of removable media
3.2.2 Disposal of media
3.2.3 Physical media transfer
3.3 Key performance indicators (KPIs)

1 Introduction
In today's digital age, information is a valuable asset for organizations, and ensuring its
confidentiality, integrity, and availability is paramount. To safeguard sensitive information
and demonstrate a commitment to robust information security practices, our organization
adheres to the international standard ISO/IEC 27001: Information Security Management
Systems (ISMS). This document serves as an introduction to our ISO 27001 compliance
policy, outlining our dedication to establishing, implementing, maintaining, and continually
improving an effective information security management system.

2 Scope
This policy applies to all employees, contractors, and third-party entities that have access to
our information assets. It encompasses all forms of information, whether stored electronically
or in hard copy, and includes information processed, stored, or transmitted using
organizational information systems.

3 Asset Management
Objective:
To identify organizational assets, define appropriate protection responsibilities, and establish
the criticality of each asset so that suitable controls can be applied to every asset.
Scope:
All IT assets within the organization.

3.1 Responsibility for assets

3.1.1 Asset Inventory

o Assets relevant in the lifecycle of information should be identified and their importance
documented.

o An inventory of these assets should be drawn up and maintained.

o The asset inventory should be accurate, up to date, and aligned with other inventories (for
example configuration management, procurement, and network discovery records).

o The asset register should be updated whenever assets are acquired, changed, or retired.

o Assets should be tracked and tagged.

o An owner should be specified for every asset.

o A specific description should be recorded for each asset.

3.1.2 Ownership of assets

The asset owner should:

o Ensure that assets are inventoried.

o Ensure that assets are appropriately classified and protected.

o Define and periodically review access restrictions and classifications for important
assets, taking into account applicable access control policies.

o Ensure proper handling when the asset is deleted or destroyed.

3.1.3 Acceptable use of assets

o Rules for the acceptable use of information and of assets associated with information
and information processing facilities should be identified, documented and
implemented.

o Employees and external party users using or having access to the organization's assets
should be made aware of the information security requirements of the organization.

3.1.4 Return of assets
o All employees and external party users should return all of the organizational assets in
their possession upon termination of their employment, contract or agreement.

o The termination process should be formalized to include the return of all previously
issued physical and electronic assets owned by or entrusted to the organization.

o Procedures should be followed to ensure that all relevant information is transferred to
the organization and securely erased from the equipment.

o Where an employee or external party user has knowledge that is important to ongoing
operations, that information should be documented and transferred to the
organization.

o During the notice period of termination, the organization should control unauthorized
copying of relevant information (e.g. intellectual property) by terminated employees
and contractors.

3.2 Media Handling

3.2.1 Management of removable media

o The contents of any re-usable media that are to be removed from the organization
should be made unrecoverable.

o Removable media should be monitored.

o The IT department is responsible for removable media issued to employees.

o Authorization should be required for media removed from the organization and a
record of such removals should be kept in order to maintain an audit trail.

o All media should be stored in a safe, secure environment, in accordance with
manufacturers' specifications.

o Cryptographic techniques should be used to protect data on removable media.

o Multiple copies of valuable data should be stored on separate media to further reduce
the risk of coincidental data damage or loss.

3.2.2 Disposal of media

o Media containing confidential information should be stored and disposed of securely,
e.g. by incineration or shredding, or by erasure of the data before the media is reused by
another application within the organization.

o Procedures should be in place to identify the items that might require secure disposal.

o Disposal of sensitive items should be logged in order to maintain an audit trail.


3.2.3 Physical media transfer

o A list of authorized couriers should be agreed with management.

o Procedures to verify the identification of couriers should be developed.

o Packaging should be sufficient to protect the contents from any physical damage
likely to arise during transit and in accordance with any manufacturers' specifications.

o Logs should be kept, identifying the content of the media, the protection applied as
well as recording the times of transfer to the transit custodians and receipt at the
destination.

3.3 Key performance indicators (KPIs)

Key Performance Indicator                                         Unit
Percentage of assets tagged (and percentage not tagged)           Percentage
Percentage of removable media authorized (and not authorized)     Percentage
Number of assets not tracked                                      Numerical
Number of non-encrypted removable media                           Numerical
Number of sensitive items not yet disposed of                     Numerical
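The indicators in the table above can be produced directly from the asset register rather than compiled by hand. The script below is an added example and is not part of the original policy or of any tooling the organization uses: the register entries, the export from a second inventory (a network discovery scan), and the field names (owner, tagged, authorized, encrypted, sensitive, disposed) are constructed assumptions chosen to mirror sections 3.1 and 3.2. Reading "assets not tracked" as "devices seen by another inventory but absent from the register" is likewise an interpretation of the KPI, not a definition the policy gives.

```python
"""Asset-management KPI report computed from an asset register.

Added example, not part of the original policy: the register, the second
inventory export, and every field name below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Asset:
    asset_id: str
    description: str
    owner: Optional[str]          # 3.1.1: every asset should have an owner
    tagged: bool                  # 3.1.1: assets should be tracked and tagged
    removable_media: bool = False
    authorized: bool = True       # 3.2.1: issue/removal of media was authorized
    encrypted: bool = True        # 3.2.1: data on removable media is encrypted
    sensitive: bool = False       # 3.2.2: item requires secure disposal
    disposed: bool = False        # 3.2.2: secure disposal completed and logged


# Constructed sample register (assumption; not real organizational data).
REGISTER: List[Asset] = [
    Asset("LT-001", "Laptop, finance", "j.doe", True),
    Asset("LT-002", "Laptop, HR", None, False),
    Asset("SRV-010", "File server", "it-ops", True),
    Asset("USB-100", "Encrypted USB drive", "j.doe", True,
          removable_media=True, authorized=True, encrypted=True),
    Asset("USB-101", "USB drive found in a desk drawer", None, False,
          removable_media=True, authorized=False, encrypted=False),
    Asset("HDD-200", "Retired disk, confidential data", "it-ops", True,
          sensitive=True, disposed=False),
    Asset("HDD-201", "Retired disk, confidential data", "it-ops", True,
          sensitive=True, disposed=True),
]

# Constructed export from a second inventory, e.g. a network discovery scan
# (assumption). Section 3.1.1 requires the register to be aligned with it.
DISCOVERED: Set[str] = {"LT-001", "LT-002", "SRV-010", "LT-003"}


def percent(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to count."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def untracked_assets(register: List[Asset], discovered: Set[str]) -> Set[str]:
    """Devices seen by the second inventory but absent from the register.

    Reading 'not tracked' as 'discovered but not registered' is an
    interpretation of the KPI, not something the policy defines.
    """
    return discovered - {a.asset_id for a in register}


def assets_without_owner(register: List[Asset]) -> List[str]:
    """Register entries that violate the 'owner for every asset' rule."""
    return [a.asset_id for a in register if a.owner is None]


def compute_kpis(register: List[Asset], discovered: Set[str]) -> Dict[str, object]:
    """Return the section 3.3 indicators plus the ownership check."""
    media = [a for a in register if a.removable_media]
    tagged = sum(1 for a in register if a.tagged)
    authorized_media = sum(1 for a in media if a.authorized)
    return {
        "assets_tagged_pct": percent(tagged, len(register)),
        "assets_not_tagged_pct": percent(len(register) - tagged, len(register)),
        "media_authorized_pct": percent(authorized_media, len(media)),
        "media_not_authorized_pct": percent(len(media) - authorized_media, len(media)),
        "assets_not_tracked": sorted(untracked_assets(register, discovered)),
        "unencrypted_media": sorted(a.asset_id for a in media if not a.encrypted),
        "sensitive_not_disposed": sorted(
            a.asset_id for a in register if a.sensitive and not a.disposed),
        "assets_without_owner": sorted(assets_without_owner(register)),
    }


if __name__ == "__main__":
    for name, value in compute_kpis(REGISTER, DISCOVERED).items():
        print(f"{name:26s} {value}")
```

Run against the sample data, the report flags one device known to the network but not to the register (LT-003), one unencrypted and unauthorized USB drive, one retired confidential disk whose disposal has not been logged, and two assets with no owner. In practice the register and the discovery export would be loaded from the CMDB and scanner exports instead of the embedded lists; the comparison logic is the same.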
