Asset Management Policy - SME

The Asset Management Policy P12S is designed specifically for small and medium-sized enterprises (SMEs), recognizing the unique challenges these organizations face in managing information assets with limited technical and staffing resources. Reflecting ISO/IEC 27001:2022 and other international standards, this policy sets forth a clear and practical framework for identifying, tracking, protecting, and retiring both physical and digital business assets throughout their lifecycle. The policy applies enterprise-wide, including to hardware (laptops, phones, USBs), software (applications, SaaS solutions), data repositories, access devices (smartcards, fobs), and critical digital credentials and services that underpin daily operations. All stakeholders, employees, contractors, third parties, handling the organization's assets are covered. The policy is sensitive to all forms of modern work: office-based, remote, hybrid, mobile, and cloud. This broad scope ensures that assets are not only tracked but also accounted for in various environments where business is conducted. A core objective is to establish and maintain a continually updated, accurate inventory of these assets. Each asset must have a clearly assigned owner who is responsible for its custody and secure handling. Asset classification is emphasized: devices storing customer or sensitive business data receive additional security controls and tracking. Importantly for SMEs, all procedures use manageable, role-based responsibilities. The General Manager (GM) has overall accountability. An IT Lead (or other designated custodian) is tasked with day-to-day record keeping, while line managers and employees support asset assignment, safekeeping, and recovery processes. This role simplification ensures effectiveness even when organizations do not have dedicated security or IT managers. The policy strictly details requirements for asset issuance, return, maintenance, labeling, and secure disposal. Cloud and virtual assets are fully included in the approach, as are BYOD (Bring Your Own Device) circumstances if technically approved. Exceptions (like informal equipment sharing) are also addressed, requiring GM approval and temporary compensating controls for any deviations. Governance processes are practical: structured inventories must include fields for asset ID, type, status, ownership, and more. Access to the inventory itself is tightly controlled and subject to regular audits, both physical and digital. Spot-checks occur at least every six months, and the policy itself is reviewed annually or upon the introduction of new technologies, regulatory requirements, or following an incident or audit finding. Non-compliance can lead to disciplinary actions, emphasizing the importance of secure and responsible stewardship of the organization’s assets. This is a ClarySec SME policy, meeting ISO/IEC 27001:2022 compliance but specifically adapted for organizations without high IT or security headcount. Responsibility lines are simplified but still maintain full traceability, audit capability, and regulatory alignment under standards such as GDPR, DORA, and NIS2.