This piece is different to the others in this blog series. I’m seizing the opportunity to explain the thinking behind, and the steps involved in researching and drafting, an information security policy through a worked example. This is about the policy development process, more than the asset management policy per se.
One reason is that, despite having written numerous policies on other topics in the same general area, we hadn’t appreciated the value of an asset management policy, as such, even allowing for the ambiguous title of the example given in the current draft of ISO/IEC 27002:2022. The standard formally but (in my opinion) misleadingly defines asset as ‘anything that has value to the organization’, with an unhelpful note distinguishing primary from supporting assets. By literal substitution, ‘anything that has value to the organization management’ is the third example information security policy topic in section 5.1 … but what does that actually mean?
Isn’t it tautologous? Does anything not of value even require management?
Is the final word in ‘anything that
Read the article