In July I attended and presented at the East Midlands Cyber Security Conference and Expo, at the National Space Centre in Leicester.
In their presentations, Derbyshire’s Assistant Chief Constable – Martyn Bates, Del Heppenstall – Director, KPMG, and Christian Toon – Cyber Security Specialist, PricewaterhouseCoopers LLP all mentioned in one way or the other the importance of maintaining an asset list.
In my presentation on Implementing Cyber Essentials, I also observed that while not a specific requirement of Cyber Essentials, in practice you will find it hard to manage a certified environment unless you have a good view of the complete list of assets.
If we take a look at the ISO 27001 standard for information security management systems, Section A 8.1.1 declares “Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained”.
So the evidence seems conclusive, if you care about security in your business, you really must make an asset list. Without one, how can you be sure the asset is suitably protected?