Every ISMS starts out with the same finding: the asset inventory is outdated, incomplete and inconsistent. ISO 27001:2022 control A.5.9 requires an inventory of information and other associated assets, BSI IT-Grundschutz builds its entire modelling (the structure analysis) on top of that inventory, and NIS-2 risk management presupposes knowing which assets are in scope. Without control of the inventory there is no control of the ISMS.
What an "Asset" Even Is in the ISMS Context
An asset is not just hardware. In the ISMS context the term covers:
- Information assets: databases, files, documents – sorted by classification.
- Software assets: applications, licenses, cloud subscriptions, open-source libraries (SBOM).
- Hardware assets: servers, notebooks, mobile devices, IoT sensors, switches.
- Service assets: internal and external services (e.g. a mail service as a logical asset, supported by hardware/software/personnel).
- People assets: key persons with special knowledge or special privileges.
- Supplier assets: critical (data) processors and other third parties.
Lifecycle Phases That Come Up in Every Audit
- Acquisition: procurement with security requirements.
- Operation: active operation with configuration and patch management.
- Maintenance: regular maintenance, update cycles.
- Decommissioning: secure data deletion, certified hardware destruction.
Classic audit finding: the decommissioning phase is not documented. Notebooks "disappear" at end-of-life, and data destruction certificates are missing.
What SecTepe.Core Does Differently
- Lifecycle workflow: every asset state change (e.g. operation → decommissioning) runs through an enforced workflow; the transition to decommissioning cannot complete without an uploaded data-deletion evidence.
- Protection requirement determination: confidentiality, integrity and availability are each rated per asset on the three-tier scale used by BSI IT-Grundschutz (normal / high / very high) and inherited by supporting assets according to the maximum principle.
- Owner assignment: every asset has an owner (responsible) and a custodian (operational); changes are recorded in the audit log.
- Dependency graph: dependencies between assets are modelled explicitly, so a database server that supports a critical mail service is itself classified as critical.
- Auto-discovery: optional connectors to Active Directory, Hyper-V/vCenter, AWS tags and Kubernetes namespaces populate the inventory semi-automatically instead of by hand.
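The two mechanisms above that auditors probe most, inheritance of the protection requirement across the dependency graph and the guarded decommissioning step, are small enough to show in full. The following is an added illustration, not SecTepe.Core's own code: the asset model, the sample inventory, the rule that "critical" means any protection goal rated high or above, and the transition table with its `data_deletion_evidence` key are all assumptions made for this example. Propagation follows the BSI maximum principle: a supporting asset takes, per protection goal, the highest requirement of everything that depends on it.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    """Three-tier protection requirement scale as used by BSI IT-Grundschutz."""
    NORMAL = 1
    HIGH = 2
    VERY_HIGH = 3


GOALS = ("confidentiality", "integrity", "availability")


@dataclass
class Asset:
    name: str
    kind: str                                       # service, software, hardware, ...
    owner: str                                      # no asset without an owner
    assessed: dict = field(default_factory=dict)    # goal -> Tier, set by the owner
    depends_on: list = field(default_factory=list)  # names of supporting assets
    state: str = "operation"
    evidence: list = field(default_factory=list)    # uploaded deletion/destruction evidence


def propagate(assets):
    """Return goal -> Tier per asset after maximum-principle inheritance.

    Each supporting asset ends up with, per goal, the maximum of its own
    assessment and of every asset that transitively depends on it. The
    fixed-point loop only ever raises tiers and tiers are bounded, so it also
    terminates on cyclic dependencies (e.g. directory service <-> DNS) where a
    naive recursive walk would loop forever.
    """
    effective = {
        a.name: {g: a.assessed.get(g, Tier.NORMAL) for g in GOALS}
        for a in assets.values()
    }
    changed = True
    while changed:
        changed = False
        for a in assets.values():
            for dep in a.depends_on:
                if dep not in assets:
                    raise KeyError(f"{a.name} depends on unknown asset {dep!r}")
                for g in GOALS:
                    if effective[a.name][g] > effective[dep][g]:
                        effective[dep][g] = effective[a.name][g]
                        changed = True
    return effective


def is_critical(requirement):
    """Assumption for this example: critical = any goal rated HIGH or above."""
    return max(requirement.values()) >= Tier.HIGH


# Lifecycle workflow: allowed transitions and the evidence each one requires.
# (Hypothetical table; the evidence key is an assumption of this example.)
TRANSITIONS = {
    ("acquisition", "operation"): None,
    ("operation", "maintenance"): None,
    ("maintenance", "operation"): None,
    ("operation", "decommissioned"): "data_deletion_evidence",
    ("maintenance", "decommissioned"): "data_deletion_evidence",
}


def change_state(asset, new_state):
    """Enforce the lifecycle workflow; refuse decommissioning without evidence."""
    key = (asset.state, new_state)
    if key not in TRANSITIONS:
        raise ValueError(f"{asset.name}: {asset.state} -> {new_state} is not an allowed transition")
    required = TRANSITIONS[key]
    if required and required not in asset.evidence:
        raise PermissionError(f"{asset.name}: {new_state} requires {required}")
    asset.state = new_state
    return asset.state


def build_sample_inventory():
    """Constructed sample: a mail service on a DB server on a hypervisor, plus
    a directory service and DNS that depend on each other, and an unrelated laptop."""
    items = [
        Asset("mail-service", "service", "cio",
              {"availability": Tier.VERY_HIGH, "confidentiality": Tier.HIGH}, ["db-01", "ad-01"]),
        Asset("db-01", "hardware", "it-ops", {}, ["hv-01"]),
        Asset("ad-01", "software", "it-ops", {"integrity": Tier.HIGH}, ["dns-01"]),
        Asset("dns-01", "software", "it-ops", {}, ["ad-01"]),   # cycle with ad-01
        Asset("hv-01", "hardware", "it-ops", {}, []),
        Asset("lab-laptop", "hardware", "rnd", {}, []),
    ]
    return {a.name: a for a in items}


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for name, req in propagate(inventory).items():
        flag = "CRITICAL" if is_critical(req) else "normal"
        print(f"{name:12} {flag:8} " + " ".join(f"{g[0].upper()}={t.name}" for g, t in req.items()))
    laptop = inventory["lab-laptop"]
    try:
        change_state(laptop, "decommissioned")
    except PermissionError as e:
        print("blocked:", e)
    laptop.evidence.append("data_deletion_evidence")
    print("after evidence upload:", change_state(laptop, "decommissioned"))
```

Running it shows the hypervisor `hv-01`, which nobody assessed directly, ending up with availability "very high" purely because the mail service two hops above it needs it; that inherited rating is exactly what an auditor expects to see on the supporting asset's record. The decommissioning call on the laptop is refused until the evidence is attached, which is the control that closes the "notebooks disappear" finding.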
Integration with Other ISMS Modules
An asset without reference to risks, controls, and reviews is just a card in an asset database. SecTepe.Core links:
- Risk module: every asset has a risk matrix with likelihood and impact per threat.
- Control mapping: ISO 27001 controls are referenced to asset classes (e.g. A.8.20 Networks security to all network assets).
- Review cycle: annual asset review with owner notification – see review cycle management.
- BCDR plan: critical assets get an RTO/RPO entry and a linked recovery plan.
- IVDB linkage: for German statutory health insurers (GKV), procedures from the IVDB are imported as an asset class.
Common Pain Points and How We Address Them
- "Excel reality": 80 % of inventories today live in Excel. Answer: CSV/Excel import wizard with conflict detection.
- "Who owns this?": owner assignment is enforced at onboarding via workflow (no asset without owner).
- "Stale data": annual review cycle with escalation if owner doesn't react.
- "Scaling": 10,000 assets are no problem in a PostgreSQL table; bulk operations and tag-based filters keep the UI usable.
Conclusion
Asset management is the least spectacular but most audit-critical discipline in the ISMS. Whoever has the inventory under control has done half of the ISMS work; whoever does not fights follow-up findings in every other discipline at every audit. A platform that holds lifecycle, protection requirement, owner and dependencies in one integrated model saves the typical 200 person-hours of audit preparation.