Welcome to the SecAware blog

I spy with my beady eye ...

13 Dec 2019

NBlog Dec 13 - what is an "information asset"?

ISO/IEC JTC 1/SC 27 tied itself in knots for years trying to answer that disarmingly simple and straightforward question, failing to reach consensus and eventually admitting defeat.

Back in 2014, ISO/IEC 27000 defined "Asset" very broadly as "anything that has value to the organization ... including: information; software, such as a computer program; physical, such as computer; services; people, and their qualifications, skills and experience; and intangibles, such as reputation and image."

To narrow it down a bit in the context of ISO27k, "Information asset" had also been explicitly defined in ISO/IEC 27000:2009 as "Knowledge or data that has value to the organization".

That definition still works quite well for me. "Information asset" refers to the intangible content - the meaning of information - rather than the vessels, media, equipment, facilities and human beings that house, process, communicate and use it.

The content is both valuable and vulnerable and hence needs to be protected or secured. That's what ISO27k does.

I appreciate that the tangible vessels, media, equipment, facilities and people are also assets that also require adequate protection, security and safety, but that's largely the domain of conventional physical risk and security measures such as vaults, locks and guards, plus health and safety. Other standards apply there.

At some point after the release of ISO/IEC 27000:2009 (I forget exactly when), SC 27 had become exhausted by the interminable arguments over the definition and called a halt to it. The definitions of "information asset" and then "asset" were summarily removed from ISO/IEC 27000. "Information asset" was systematically shortened throughout the ISO27k standards, usually to "asset" ... unfortunately as "information" would have been more appropriate in most cases.

"Asset" is currently defined in ISO/IEC 27032:2012 as "Anything that has value to an individual, an organization or a government. NOTE Adapted from ISO/IEC 27000 to make provision for individuals and the separation of governments from
organizations". According to the ISO browsing platform, "asset" is also defined in several other ISO standards e.g.:
  • "Plant, machinery, property, buildings, vehicles, ships, aircraft, conveyances and other items of infrastructure or plant and related systems that have a distinct and quantifiable business function or service - This definition includes any information system that is integral to the delivery of
  • "Security and the application of security management."
  • "Things that a user sees or hears, e.g., bitmap, audio, and text."
  • "Anything that has value to a stakeholder"
  • "Anything that has value to the organization"
  • "Anything an individual or a company owns which has value - In the container environment, an asset could be a container, the container’s contents, or information pertaining to the container"
  • "Things that a user sees or hears, e.g., bitmap, audio, text."
  • "Whole building or structure or unit of construction works, or a system or a component or part thereof"
  • "Manifestation, i.e. physical or digital embodiment of an Expression"
  • "item, thing or entity that has potential or actual value to an organization"
  • "Entities that the owner of the TOE presumably places value upon"
  • "Item, thing or entity that has potential or actual value to an organization - Value can be tangible or intangible, financial or non-financial, and includes consideration of risks and liabilities. It can be positive or negative at different stages of the asset life. - Physical assets usually refer to equipment, inventory and properties owned by the organization. Physical assets are the opposite of intangible assets, which are non-physical assets such as leases, brands, digital assets, use rights, licences, intellectual property rights, reputation or agreements. - A grouping of assets referred to as an asset system could also be considered as an asset."
'Something of value' is a general definition whereas the ISO27k standards are purely concerned with the management of information risk and security - not other assets such as land, property and machine tools. So, for example, in discussing an "Asset inventory" in the annex, ISO/IEC 27001 could be interpreted literally to mean "an inventory of anything of value" which is obviously way broader in scope that an inventory of information. It therefore had to explain in the text that the assets to be inventoried are those "associated with information and information processing facilities", another confusing phrase which implied that information itself is not an asset! That, in turn, was corrected by ISO/IEC 27001 corrigendum 1 in 2014:

The corrected version of that control still indicates that the inventory should include "other assets associated with information and information processing facilities", an open-ended scope that extends beyond the intangible information content, but despite the standard's use of "shall", Annex A is in fact discretionary or advisory, not mandatory.

But wait, there's more. ISO27k standards are applicable in the corporate context, so the value of assets is seen from the corporate perspective - primarily stuff that the organization owns. However, some information is only (in effect) loaned to the organization by third-parties, including people. Personal information on individual people belongs to those people, known as the "data subjects". People have legal and ethical rights over their own personal information, since it is valuable to them personally, as well as any business value to the organizations that make use of it. The same applies to intellectual property legally owned by third-parties - commercial software for instance, plus patented or trademarked designs and copyrighted material such as this very blog. "Information asset" turns out, once again, to be more complex that it seems.

I feel that SC 27 should really have bottomed out this issue since it is crucial to ISO27k, but a proper resolution to the discussion proved impossible within the constraints of the committee's formalized and tediously slow working practices.

So there we are. "Information asset" is undefined ... and unclear. Too bad.

No comments:

Post a Comment