ICT Assets and Asset Registers
Before an organisation can protect its digital environment, it must first understand what it needs to protect. This begins with identifying and documenting all valuable Information and Communication Technology (ICT) assets.
What are ICT Assets?
ICT assets are not limited to physical hardware. They encompass a wide range of tangible and intangible items that hold value to an organisation. These include:
- Hardware: Such as laptops, servers, printers, mobile phones, and USB drives.
- Software: Including purchased applications and freeware.
- Information: This includes electronic data (databases, files) as well as physical documents like paper and contracts.
- Infrastructure: Physical assets like offices, electricity, and air conditioning that are crucial for the availability of information systems.
- People with Specific Skills: Employees who possess critical knowledge that may not be formally documented are considered valuable assets.
- Outsourced Services: Services like consultative contractors or online platforms (Microsoft SharePoint and other business SaaS apps) must also be managed and controlled as if they were internal assets.
What is an Asset Register?
An asset register, also known as an IT asset inventory, is a foundational component of IT asset management (ITAM). ITAM manages the complete life cycle of your IT assets, from when you buy them to when you retire them. This includes the financials, inventory, contracts, and risks throughout the asset’s life.
The asset register helps an organisation to track and categorise its assets, enabling more effective use of resources, avoiding unnecessary purchases, and mitigating risks associated with outdated or unknown infrastructure.
The register can be built during the initial risk assessment process, often by interviewing the heads of different departments to identify all the assets they use. While the level of detail can vary, a basic template includes the:
- asset category,
- type,
- location, and
- additional details.
The categories of assets can be broken down further into primary and secondary assets, with primary assets including business processes and information, and secondary assets including hardware, software, networks, and personnel.
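A small check over a register kept as CSV with the four template fields above, added here as an illustration and not taken from the article or any ITAM product. The column names, category spellings and sample rows are assumptions constructed for the example; categories the article does not place in a tier are reported as "unclassified" for manual review.

```python
import csv
import io
from collections import defaultdict

# Columns follow the basic template above; the exact names are assumed.
REQUIRED = ("category", "type", "location", "details")

# Primary/secondary split as the article states it (spellings assumed).
TIER = {
    "business process": "primary", "information": "primary",
    "hardware": "secondary", "software": "secondary",
    "network": "secondary", "personnel": "secondary",
}

# Constructed sample register (not real data).
SAMPLE_CSV = """category,type,location,details
Hardware,Laptop,Head office,Finance team pool device
Software,Accounting package,Finance server,Purchased licence
Information,Customer database,Finance server,Electronic records
Information,Supplier contracts,,Paper originals
Outsourced service,Document platform,Vendor hosted,SaaS subscription
Hardware,Laptop,Head office,Finance team pool device
"""

def audit_register(text):
    """Return (rows_by_tier, problems) for a CSV asset register."""
    reader = csv.DictReader(io.StringIO(text))
    missing_cols = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing_cols:
        raise ValueError(f"register lacks columns: {missing_cols}")
    by_tier, problems, seen = defaultdict(list), [], set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        row = {k: (row.get(k) or "").strip() for k in REQUIRED}
        empty = [k for k in ("category", "type", "location") if not row[k]]
        if empty:
            problems.append((line_no, "missing " + ", ".join(empty)))
        key = tuple(row[k].lower() for k in REQUIRED)
        if key in seen:  # same asset recorded twice
            problems.append((line_no, "duplicate entry"))
            continue
        seen.add(key)
        tier = TIER.get(row["category"].lower(), "unclassified")
        by_tier[tier].append(row)
    return dict(by_tier), problems

if __name__ == "__main__":
    tiers, problems = audit_register(SAMPLE_CSV)
    print({t: [r["type"] for r in rows] for t, rows in tiers.items()})
    print(problems)
```

Rows with no location and duplicate rows are the entries a register owner would follow up with the relevant department head.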
Building and maintaining a comprehensive asset register is more than just a task; it’s a foundational strategic activity. By clearly defining and documenting all its ICT assets, both tangible and intangible, an organisation gains the clarity needed to identify vulnerabilities and understand the potential impact of a threat.
This knowledge is the starting point for all other risk management activities, ensuring that security efforts are not scattered but are instead focused on protecting what is most valuable to the business. In essence, the asset register transforms the concept of “risk” into a tangible, manageable process, paving the way for a resilient, well-defended infrastructure.