How to create an Information Asset Register

An Information Asset Register (IAR) is a simple way to help you identify and manage your organisation’s information assets - and the risks to them.

Information is valuable. So, you should know and fully understand what information your organisation holds. This will help you to protect the information and exploit its potential.

Under the new General Data Protection Regulation (GDPR) and proposed UK Data Protection bill, the law will need you to evidence how your organisation processes personal data, from collection to disposal.

Therefore, an information asset register is an essential tool in your information assurance and digital compliance toolbox.

The value of an Information Asset Register

An IAR is a key tool for fully exploiting your organisation’s information assets. It helps find areas of data duplication and encourages greater efficiency. You can use it to spot areas of potential risk – e.g. loss of personal data. By understanding the nature of your information and where it’s held, you can manage these risks more easily.

Creating an IAR

Your organisation may already have an old IAR or other asset list which you can adapt. If not, start by listing all the information assets you can think of, noting down what each one does and where it’s kept. Your first draft may not be a complete record of every asset held by your organisation but an approximate list on which you can build.

Identifying key assets

Think about what would happen if you lost access to the assets in your register. If the consequences are severe – e.g. your organisation couldn’t function without it – this means it’s a key asset. These are critical to your organisation but don’t always contain the most sensitive information. Include key assets as a column on your IAR so you can identify them quickly.

Describing assets

There are a number of useful fields which you should record in  your IAR – e.g. for how long you should keep information assets, who can use them and whether they contain personal data. You can describe and manage assets at a system level if the information contained within the system is the same – e.g. a purchase order database.

If your systems contain various types of information with different values, risks and sensitivities, you should note each as a separate information asset.

Identifying owners of the information asset

You should appoint an Information Asset Owner (IAO) for each asset. This is the person responsible for making sure that your organisation monitors the risks to, and the opportunities for, the asset. The creator or primary user of the asset isn't necessarily the IAO. But they must understand its value to the organisation.

Maintaining and updating IAR

Keeping your IAR simple will encourage regular updating. Use our online Compliance Management Tool as a guide. We recommend that you review the IAR at least once a year. Yet ideally IAOs should check the assets they are responsible for every six months to keep the IAR relevant to the organisation. This works best if the IAR is fully integrated into your corporate governance structure.

Define a permanent owner of the IAR itself (and not the information described within it) who will set out maintenance requirements. For example, if a department has prepared an information asset register for the Re-use of Public Sector Information Regulations 2005, it should publish the contents.

Further information

You can subscribe to E RADAR's MyCyberRisk™ compliance management platform (which includes an online Information Asset Register).