Asset management
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Identify, classify and risk assess all your hardware and software assets.
Options to consider:
- Conduct periodic physical checks (floor to book exercises) to ensure the accuracy of the hardware asset inventory.
- Use asset discovery tools to help you identify all assets within the network.
- Put processes in place to capture new assets you acquire.
- Assign ownership for each individual asset.
- Apply appropriate security classifications based on the sensitivity of the information you are processing.
- Keep records to show that you review both the inventories themselves and the risks associated with the assets on a periodic basis.
- Train owners on how to risk assess hardware and software assets.
- Create a checklist for staff to follow when they review asset inventories.
- Identify your critical assets and suppliers and any interdependencies.
Keep records showing secure disposal of hardware assets (eg destruction logs and certificates).
Options to consider:
- Wipe, degauss or securely destroy hardware that contains personal information.
- Document the procedure for the secure disposal of assets.
- Maintain evidence of management approval and sign-off prior to disposing of assets.
- Store hardware assets awaiting destruction in a locked area with limited access.
- Keep a destruction log which details all hardware assets that are destroyed.
- Obtain certificates from third parties who securely destroy hardware assets on your behalf.
- Conduct internal audits to check you follow the correct process for disposal.
- Carry out due diligence checks or audits on third parties to assess whether they maintain the security of hardware assets during the disposal process.