
All organisations must manage their information assets to meet their IT governance obligations. An information asset register (IAR) is a foundational tool for this, ensuring that you identify, document, and manage all critical information assets effectively.

This post tells you what you need to know about creating and maintaining an IAR.

What is an information asset register?

An IAR is a detailed inventory that lists your organisation’s information assets. These assets can range from data sets, documents, and software to hardware and personnel knowledge. The register helps catalogue these assets, detailing their location, ownership, sensitivity, and applicable security measures.

Why is an IAR important?

  1. Regulatory compliance: Many regulatory frameworks, such as GDPR, require organisations to maintain records of their processing activities, including the information they hold and how they protect it.
  2. Risk management: By knowing what information assets you have, where you store them, and who is responsible for them, you can better assess and mitigate risks associated with data breaches and loss.
  3. Operational efficiency: An accurate IAR helps streamline operations by ensuring that information is easily accessible and managed properly, reducing redundancy and improving data governance.
  4. Incident response: In the event of a data breach or other security incident, an IAR allows for quicker identification of affected assets and more effective response measures.

The data making up the IAR

To create an effective information asset register, you must include certain key data.

Key data

  • Unique ID: Each asset should have a unique identifier.
  • Asset format: Specify the format of the asset (e.g., system, paper record, digital record).
  • Asset name: Provide a clear and descriptive name for each asset.
  • Asset description: Describe the asset in detail to ensure clarity.
  • Asset owner: Assign a responsible owner for each asset who is accountable for its management and security.
  • Asset classification: Classify assets based on their sensitivity and criticality to the organisation.
  • Applicable retention period: Note how long each asset should be retained according to policy or regulatory requirements.
  • Asset status: Indicate whether the asset is active, inactive, etc.
  • Date discontinued: Record when the asset was discontinued, if applicable.
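
One way to check a register export against the key data listed above, as an added example that is not part of the original post. The column names, the classification labels and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Column names are assumptions that mirror the key data listed above.
REQUIRED = ["unique_id", "asset_format", "asset_name", "asset_description",
            "asset_owner", "asset_classification", "retention_period",
            "asset_status"]
# Hypothetical classification scheme; substitute your organisation's labels.
CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}

# Constructed sample register, not real data.
SAMPLE_CSV = """\
unique_id,asset_format,asset_name,asset_description,asset_owner,asset_classification,retention_period,asset_status,date_discontinued
IA-001,system,HR database,Employee records,Head of HR,confidential,7 years,active,
IA-002,paper record,Supplier contracts,Signed contracts,,internal,6 years,active,
IA-002,digital record,Marketing list,Newsletter subscribers,Head of Marketing,secret,2 years,active,
IA-004,system,Legacy CRM,Old customer system,Head of Sales,confidential,5 years,active,2023-03-31
"""

def validate_register(csv_text):
    """Return (line_number, unique_id, problem) tuples for a register export."""
    findings, seen = [], set()
    # Line 1 of the file is the header, so data rows start at line 2.
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        row = {k: (v or "").strip() for k, v in row.items() if k}
        uid = row.get("unique_id", "")
        for field in REQUIRED:
            if not row.get(field):
                findings.append((n, uid, f"missing {field}"))
        if uid and uid in seen:
            findings.append((n, uid, "duplicate unique_id"))
        seen.add(uid)
        cls = row.get("asset_classification", "").lower()
        if cls and cls not in CLASSIFICATIONS:
            findings.append((n, uid, f"unknown classification '{cls}'"))
        discontinued = row.get("date_discontinued", "")
        if discontinued:
            try:
                date.fromisoformat(discontinued)
            except ValueError:
                findings.append((n, uid, "date_discontinued is not YYYY-MM-DD"))
            # A discontinued date on an asset still marked active is inconsistent.
            if row.get("asset_status", "").lower() == "active":
                findings.append((n, uid, "active asset has date_discontinued"))
    return findings

if __name__ == "__main__":
    for finding in validate_register(SAMPLE_CSV):
        print(*finding, sep=" | ")
```

Running a check like this on each export surfaces assets with no accountable owner or an inconsistent status before the register is relied on for risk assessment or incident response.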

Optional data to enrich your register

Including additional data can enhance the value of your IAR. Here are some optional elements to consider:

  • Business area: Identify the business area related to the asset.
  • Team name: Include the name of the team responsible for the asset.
  • Alternative asset names: Note any alternative names used for the asset.
  • Asset manager: Specify the manager in charge of the asset.
  • Asset location: Document the specific location, such as which systems (apps or storage) the asset is stored in.
  • Third party access: Record any third parties that have access to the asset.
  • Risk rating: Assess and record the risk rating associated with the asset.
  • Business continuity contacts: Include contacts for business continuity related to the asset.
  • Hosting arrangements: Note any hosting arrangements for the asset.
  • Hosting location: Specify the physical or cloud location where the asset is hosted.

Steps to create an IAR

  1. Gather a team: Assemble a team from various departments, including IT, legal, compliance, and operations, to ensure all perspectives are covered.
  2. Identify assets: Conduct a thorough audit to identify all information assets within the organisation.
  3. Document assets: Use a standardised template to record details about each asset, ensuring consistency.
  4. Classify and assess: Classify each asset and assess its value and sensitivity. This will help prioritise resources and security measures.
  5. Implement controls: Based on the classification and assessment, implement appropriate security controls and access restrictions.
  6. Regular review: The IAR should be a living document, regularly reviewed and updated to reflect changes in the organisation’s information landscape.

Best practices for maintaining an IAR

  • Regular audits: Conduct periodic audits to ensure all assets are accounted for and accurately documented.
  • Training: Provide regular training for staff on the importance of the IAR and their role in maintaining it.
  • Integration: Integrate the IAR with other management systems, such as your risk management or compliance software, for better visibility and control.
  • Continuous improvement: Continuously seek ways to improve the IAR based on feedback and evolving industry standards.

International standards for IAR

There are several international standards that provide guidance on information asset registers and broader information security management:

  1. ISO/IEC 27001:2022
    • Overview: The leading international standard for information security management systems, providing a systematic approach to managing sensitive company information.
    • Guidance on IAR: Emphasises asset management, including the identification and documentation of information assets and their associated security controls.
  2. ISO/IEC 27002:2022
    • Overview: Provides best practice recommendations on information security management for initiating, implementing, or maintaining an ISMS.
    • Guidance on IAR: Offers detailed guidance on developing and maintaining an inventory of information assets.
  3. NIST SP 800-53 Revision 5
    • Overview: Catalogue of security and privacy controls for federal information systems and organisations, widely adopted across various sectors.
    • Guidance on IAR: Includes controls related to the inventory of authorised and unauthorised devices, correlating with maintaining an IAR.
  4. COBIT 2019
    • Overview: Comprehensive framework for the governance and management of enterprise IT.
    • Guidance on IAR: Emphasises practices for managing information assets, including identification, classification, and management throughout their lifecycle.
  5. ITIL 4
    • Overview: Set of practices for IT service management, focusing on aligning IT services with business needs.
    • Guidance on IAR: Includes asset management practices to ensure assets are identified, controlled, and managed properly.

How ITLawCo can help

At ITLawCo, we understand the complexities and challenges involved in creating and maintaining an effective information asset register. Our team of experts can assist you in:

  • Setting up an IAR: We can help you establish a comprehensive IAR tailored to your organisation’s specific needs and regulatory requirements.
  • Conducting audits: Our professionals can perform detailed audits to identify and document all your information assets.
  • Implementing controls: We provide guidance on the best practices for implementing security controls and access restrictions.
  • Training: We offer training sessions for your staff to ensure they understand the importance of the IAR and their role in maintaining it.
  • Ongoing support: Our team is available for ongoing support to help you regularly review and update your IAR, ensuring it remains a living document that adapts to your organisation’s evolving needs.

For expert guidance on establishing your information asset register, contact ITLawCo today. Our team of experienced professionals is here to help you navigate the complexities of information asset management and ensure your organisation’s data is secure and well-managed.