
I am in the process of writing a scope for the information assets, in preparation for writing an ISO 27001 compliant ISMS. I am confused as to whether a VPN network is considered to be in scope, as well as things like the wireless access point for clients.

The term "information asset" is confusing to me. Any information that is critical to the business is considered an information asset. Does this include controls to get to such information? If there was a switch connecting all of the employee workstations together, would this switch need to be in scope or not?

Many thanks for your help in this matter. Having read all the documents online regarding this, the scope is the most important part of the document.

Xander

KingJohnno

5 Answers


An asset is whatever your company considers to have value for its business. An information asset is every asset related to information, which in theory could be anything from people, technology, physical sites, devices, documents, etc.

Choosing a correct scope for ISO 27001 can be difficult. If you broaden it too much, it will be difficult to implement the standard. If you narrow it too much, you will leave important things out, and it could also be difficult to implement due to interface management.

My advice is to consider out of the scope only things that are:

  • Not related to your core business
  • Not related to the objectives of the ISMS or the information that your organization would like to manage under the ISMS
  • Independent of the assets that are in the scope

For example, the VPN you mention. Is it completely independent of the processes of your company that are in the scope? If the VPN is used by people in the scope, or it opens a connection to a network where data in scope is transmitted, it is in scope.

A wifi access point? The same: it is probably in scope.

For example, if you have multiple offices and one of them does only administrative tasks that are not in the scope and its network is isolated (completely independent) from the rest of the company, you can put this office and its technology out of the scope.

Remember that if you put some part of your company out of the scope, you have to identify the interfaces (communication of information between the parts in scope and out of scope) and apply additional security controls there to protect that information going to a less secure zone. That can increase the complexity of the ISO 27001 implementation, and thus sometimes it is easier to broaden the scope than to narrow it.

If you have doubts, it is better to broaden the scope.

Another closely related question, and maybe your actual problem, is which granularity to choose when doing the inventory of information assets. Do I have to write down the number of pencils, as they can be considered information assets? Mice? Monitors? Faxes? I'm sorry, there is no definitive answer to this question. The organization has to choose how deep it wants to go with the inventory. The assets in the inventory have to be important for the organization, and the inventory has to be manageable so that it can be updated properly.

kinunt

Though I am not an expert on the ISO27k standard, the following is how an information asset is defined, taken from the FREE ISO27k Toolkit:

Information wherever it is handled or stored (e.g., in computers, file cabinets, desktops, fax machines, Xerox, printer, verbal communication etc.) needs to be suitably and appropriately protected from unauthorized access, modification, disclosure, and destruction.

Taking this definition, your network switch/router is not just a piece of equipment connecting workstations; its configuration file contains tons of information about your network infrastructure, i.e. IP addressing scheme, routing protocols, subnet addressing scheme, VLAN configurations, etc., and needs to be protected against unauthorized access, modification, disclosure and destruction.

Ali Ahmad

This is confusing, perhaps partly explaining why the new 27001:2013 doesn't talk about assets in the main body any more. (Although of course effective asset management is an important security control and as such is discussed in Annex A.8 of 27001 and the corresponding Section 8 of 27002.)

You are right that information assets are, by definition, information, and so, for example, a VPN appliance is not an information asset. (Its config files probably are, however.)

So technically you don't need to include them in an information asset register.

However, practically speaking, if you're going to be doing risk assessment then you're going to need to understand and control the supporting assets that the information assets depend on.

Indeed, if you look into Section 8 of 27002, you'll notice it is careful to talk about not just information assets but "assets associated with information or information processing facilities". That sounds to me like it would definitely include any VPN systems operating inside the scope of your ISMS.

Graham Hill
  • Assets of type information could be "databases and data files, contracts and agreements, system documentation, research information, user manuals, training material, operational or support procedures, business continuity plans, fallback arrangements, audit trails, and archived information" *as stated by ISO 27002*, but the inventory of assets should also include other types of assets. ISO 27002 lists the relevant different types of assets: information, software assets, physical assets, services, people and intangibles. *ISO 27001:2013 talks about assets in A.8* and 27002 complements it. – kinunt Dec 31 '13 at 09:49
  • Good point, @kinunt, it's a bad habit of mine to think of the Annex as being "separate" and "just a summary of 27002 for cheapskates". Answer updated accordingly. – Graham Hill Dec 31 '13 at 14:44

The original question asked whether the VPN or wireless is in scope for the ISMS. Before that can be answered, we need to ensure that we have completed clauses 4.1 and 4.2 of the 2013 version of the standard. They help you define the scope and the information which needs to be protected. Only then can you look at things like VPNs and wireless access points. The key thing is to keep assets out of the scope definition phase.

Back to clauses 4.1 and 4.2. These ask you to list and identify your interested parties, for example customers, suppliers, regulators, employees, etc. Each would have a requirement on use; for example, we have to comply with laws, regulations and contractual clauses. Clause 4.3 mentions designing the scope around the interfaces with interested parties. So if a customer relies on a VPN to connect to our company, we would be obligated to provide them with secure and safe access. The information travelling along the VPN is in scope, as are the physical assets supporting the VPN.

In some instances we may have dependencies on other parties to provide services to us. For example, you need the power supply company to provide you with electricity to operate your ISMS. In this instance, the power supplier's station obviously isn't in scope, and neither is the power supply company an interested party. You just need to know that you have dependencies on others and should factor this into the scope definition.

I hope the above is of help to others coming across this posting...

user78580

Some good answers and points already, I'll just add a few more ideas to the pot.

ISO/IEC 27005 suggests that there are two groups of assets to be considered, primary and secondary. Primary assets are 'process' and 'information', secondary assets are everything else.

In your scope statement, it is normally a good idea to identify your major primary assets, since this is normally core to the reason you would be implementing ISO/IEC 27001. So it is typical to see 'customer information' identified in the scope statement, for example. This in turn indicates to 'interested parties', customers in this case (and you also as the ISMS implementer), that any process, people, technology, etc. that touches on customer information (human, technical, physical, or whatever) will be appropriately considered, regardless of whether it is owned and managed by your company or it is outsourced.

Your VPN, therefore, is a secondary asset and has value (is important) to your organization because customer information is travelling in, through and out of the hole (assuming customer info from my example), and it has a role in protecting the confidentiality, integrity, and availability of the information which travels through it: it's a control. Equally, it is a risk, since it can fail and render information unavailable. This is where scoping starts to get a little more complex, because we are probably now talking about boundaries and interfaces also: those parts of the process that cross over from being in-scope to out-of-scope, i.e. the information is starting inside of areas that you have control over (inside your business) and then going outside to areas that you have no control of (your ISP). Your ISP is an example which would be out-of-scope (it's not your business and you have no control over their security environment) but represents a boundary, and itself is an asset since you depend on them to send and receive information in your business.

So to make matters more complex, not all assets are things that are in-scope per se. Like personal mobile telephones: are they assets? Not owned by the company, but often used by employees to do their work, and often containing highly sensitive and important business information, so they are an asset. As is your home office, where you take your work home for the weekend, making it an asset, but likely out of scope.

So scope and assets are two different things. Scope is simply telling us where we can and will apply our ISMS Policies and procedures and what is covered in terms of core business and information. Boundaries, interfaces, and out-of-scope process are something we must be aware of so that we can assess the risks and put in place the appropriate controls and manage the risks, commonly done by way of contractual arrangements.

Scope statements will normally make reference to information (actual information - not the database that contains the information which is a secondary asset), processes, and locations. It doesn't have to be detailed and complicated, but as you have mentioned, is very important and should be accurate. It plots out the big picture for us from which we can dig in to the details.

The scope also gives us a starting point for our assets. So if customer information is mentioned, we can start to figure out where and how that information is used throughout the business processes. That leads us to want to draw up an asset register, so that we don't forget, and others can improve on our work in the future, etc. By following the process, we'll also start to identify those secondary assets, like the database that holds the information and needs to be available to users, and then we find users become an asset, etc.

To answer then, your VPN and wireless access points would become assets as they are preserving the confidentiality, integrity, and availability of information of which is presumably in scope. If they are not a part of the process that you have identified from your scope, then they are not assets in the ISMS.

Last example: draw a process diagram for a process that is in scope (inputs, activities, outputs, resources, controls/management). Identify the information that is created, used, destroyed, etc. within this process; the process and the information are your primary assets. Then look at how and what uses those assets within that process; they are your secondary assets. It all goes into your asset inventory because this gives us the context of our risk assessment.

This is why scoping is so important, since it drives the implementation of the whole ISMS. Miss something important and the ISMS will add no value to your business. Include things that are irrelevant, and you will be burning valuable resources.

Which brings us to the next, even more important question when establishing the scope: what is the purpose of the ISMS? A question that must be answered by top management. Answer that, and things will start to become more clear :)

And a last observation: make sure you are using ISO/IEC 27001:2013, since the 2005 version is now obsolete. From your post it kinda sounds like you might be looking at the 2005 version. In the new version, this issue is much clearer in my opinion. The starting point is Context of the Organization, leading you to conclude the scope of the ISMS. This concept was there in the 2005 version, but not spelled out as clearly.

Lee