This article provides additional information on how you can meet the requirement for the CAF control - A3.a Asset Management
All assets relevant to the secure operation of network and information systems must be identified and inventoried.
- Maintain an up-to-date asset register that records all assets required to deliver and protect your managed services. This should include:
- devices
- software
- cloud services
- data stores and supporting infrastructure.
- Each asset should have an owner responsible for ensuring that it is properly managed throughout its lifecycle. This includes onboarding new assets, keeping configurations aligned with security standards, and ensuring secure decommissioning and data sanitisation at end of life. Access to systems and assets is revoked promptly when an individual leaves the organisation or no longer requires it.
- Identify dependencies on supporting infrastructure such as power, cooling, hosting providers, connectivity and third-party platforms.
- Prioritise assets according to their importance to the continuity of essential functions.
- Review the asset inventory regularly.