Asset Register

Overview

An information asset register is a fundamental building block of any ISMS. ISO 27001 requires organisations to identify the assets associated with information and information processing facilities, and to maintain an inventory of these assets. The Asset Register module in Standardise lets you catalogue every asset, assign ownership, classify sensitivity levels, and link assets to the risks they are exposed to.

Asset Types

Assets are categorised into six types to cover the full range of resources your organisation depends on:

• Hardware — Servers, laptops, mobile devices, network equipment, removable media, and other physical computing equipment.
• Software — Applications, operating systems, SaaS platforms, development tools, and database management systems.
• Data — Databases, files, backups, archives, intellectual property, and any structured or unstructured information.
• People — Key personnel, contractors, and third-party staff with access to information or systems.
• Service — Cloud services, communication services, utilities, and any external services the organisation relies on.
• Facility — Offices, data centres, server rooms, and other physical locations where information is processed or stored.

Classification Levels

Each asset should be assigned a classification level that reflects its sensitivity and the impact of unauthorised disclosure. A consistent classification scheme helps you apply proportionate security controls based on the value and sensitivity of each asset. Common classification levels include public, internal, confidential, and restricted, though your organisation may define its own scheme in your Data Classification Policy.

Ownership and Accountability

Every asset must have a designated owner — the person accountable for ensuring appropriate protection of the asset throughout its lifecycle. Asset owners are responsible for:

• Ensuring the asset is classified and labelled appropriately.
• Defining and reviewing access restrictions based on business and security requirements.
• Ensuring the asset is included in relevant risk assessments.
• Managing the asset through its lifecycle, including secure disposal when no longer needed.

Risk Linkage and Statistics

Assets can be linked to entries in the Risk Register, creating a clear connection between the things you are protecting and the threats they face. This linkage helps you ensure that high-value or high-risk assets have appropriate treatment plans in place.

The module dashboard displays type statistics showing the distribution of assets across categories, helping you identify gaps in your inventory (for example, if you have catalogued software but not the underlying hardware). All asset data can be exported to CSV.

ISO 27001 Mapping

The Asset Register addresses Clause 8.1 (Operational Planning and Control) in terms of managing the assets needed for ISMS processes. It also implements several Annex A controls: A.5.9 (Inventory of Information and Other Associated Assets), A.5.10 (Acceptable Use of Information and Other Associated Assets), A.5.11 (Return of Assets), A.5.12 (Classification of Information), and A.5.13 (Labelling of Information). Together, these require a systematic approach to identifying, classifying, and protecting information assets.