Principle
Everything required to deliver, maintain or support networks and information systems for essential services is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).
Description
In order to manage security risks to the network and information systems of essential services, organisations require a clear understanding of service dependencies. This understanding might include physical assets, software, data, essential staff and utilities. These should all be clearly identified and recorded so that it is possible to understand what things are important to the delivery of the essential service and why.
Guidance
Whichever risk management method your organisation uses, asset management will play a key role, as you cannot effectively manage risks without understanding what assets are part of the essential service. Your asset management regime should consider all relevant assets, and the dependencies between them. Dependencies may be identified between assets under your organisation’s control (including IT and OT domains), elements of the supply chain (including power), and key staff who are critical to operations. Assets in an operational technology environment may need a more tailored approach than corporate IT assets.
For asset management to be effective, up-to-date knowledge of your assets must be maintained throughout their lifecycle.
ISO/IEC 27001:2013
Asset management is part of an ISO/IEC 27001:2013 ISMS, but management of critical assets may require a tailored approach.
An Information Security Management System (ISMS) is a set of policies, procedures, and roles designed to ensure cyber security risks are identified and managed. Traditionally an ISMS is considered to be an information risk management system; however, it can also be used to manage cyber security risks to essential services.
If your organisation is using an ISMS as a tool for compliance with the NIS Directive, you must ensure the scope includes all systems relevant to the operation of essential services. Asset management is a key part of an ISMS, although critical services may need more attention than the minimum requirements of the standard. Further guidance is detailed in ISO/IEC 27002:2013.
ISO 55001:2014 – Asset Management
This standard aligns with ISO/IEC 27001:2013 and can be used in conjunction with it or independent of it. It outlines requirements for a generic asset management system. An organisation following this standard as a tool for NIS compliance must ensure the scope encompasses critical systems. Section 4.2 covers needs and expectations of stakeholders, which must include any requirements from competent authorities.
ITIL
ITIL best practice recommends a staged approach to IT asset management. You may find this useful for improving management of your IT assets, but must keep in mind that there may be assets and dependencies beyond the corporate IT domain as outlined above.
References
ISO/IEC 27001:2013
ISO 55001:2014 – Asset Management
ITIL
Source: NCSC