CHAPTER 4:
ASSET OWNERS

According to ISO27001, every asset has an owner.7

The term ‘owner’ is not meant to convey legal ownership of the asset to the individual and is defined (4.2.1 - d1, footnote 2) as the ‘individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets’. This could therefore be a system administrator or a manager who is responsible for defining how an asset or group of similar assets is used.

The owner of the asset is the person – or part of the business – who is responsible for the appropriate classification and protection of the asset. In real terms, allocating ownership to a part of the organization can be ineffective, unless that part has a clearly defined line of responsibility and individual accountability in place.

There may be a number of assets that have users, or custodians, who are not the nominated ‘owners’ of the asset: for instance, the operating system is likely to be owned by the system administrator, but it will be deployed on workstations throughout the organization and will be used by workstation users. The system administrator will in this instance be responsible for the security (which includes availability, as well as confidentiality and integrity) whereas the users are not accountable for these aspects. It may well be that, as a result of the risk assessment, specific controls (eg, user access agreements) are imposed on the users.

7 ISO27001 Annex A.7.1.2, Ownership of Assets.

While the ISO27001 project manager and the Lead Risk Assessor (who may be the same person) will structure, guide and manage the risk assessment process, asset owners are likely to be responsible for:

• identifying their assets, and

• recording the required asset information in the organization’s risk assessment tool.

They will definitely be responsible for:

• valuing the asset,

• identifying threats and vulnerabilities related to the asset,

• identifying controls currently in place that relate to the asset,

• possibly, depending on the organization’s risk assessment process, assessing the level of risk to the asset and,

finally, subject to the risk assessment methodology being deployed, they may be responsible for,

• identifying alternative or additional controls that might have to be deployed to meet the organization’s risk acceptance criteria.
