
Part of Objective A - Managing risk

Principle: A3 Asset management

A3.a Asset management

“Everything required to deliver, maintain or support network and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).”

Overview

This contributing outcome relates to you having an up-to-date and thorough understanding of your organisation’s assets, which includes all data and systems.

Mapping to the 23-24 DSPT framework

Under the previous 23-24 Data Security and Protection Toolkit (DSPT) framework, your organisation was required to perform activities which help meet the expectations of this contributing outcome.

For more detail on what these activities were, see the mapping exercise published by NHS England and Department of Health and Social Care (DHSC).

Identifying and documenting assets

All assets which are important to the operation of your essential function should be identified and documented. These include:

  • information assets
  • hardware assets
  • software assets
  • connected medical devices
  • systems storing personal data
  • systems storing business and commercial data

Information asset register

An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and used efficiently. It can be a single document or a large data set. It could:

  • be held electronically or on paper
  • include personal data or not

Identifying and inventorying information assets is done via your organisation’s information asset register. You should maintain an up-to-date information asset register documenting the information assets your organisation holds, where they are located, how long they will be retained for and who holds responsibility.

The template information assets and flows register produced by NHS England combines the information assets register with the record of processing activities (ROPA) into one document to reduce duplication. It contains all the categories of information that you should cover to uphold your legal data protection responsibilities, and therefore provides a useful reference point for your own internal information governance (IG) document templates and digital platforms that serve an information assets register/ROPA purpose. 

Maintaining an up-to-date information assets and flows register gives you an important tool for understanding what data your organisation holds and processes. It helps you to assess and mitigate risks to this data and is invaluable in the event of an incident where data is compromised or unavailable.

Hardware, software, connected medical devices and other assets

For your hardware assets and the software on them, a survey tool will help you catalogue your estate in detail without having to undergo an intensive manual review. You should be aware of the limitations of your chosen tool(s); for example, a survey tool may not be able to track installed software.

There is no single prescribed method for how assets should be documented. However, at a minimum, your inventory of assets should include details of each asset’s:

  • type
  • location
  • software
  • owner
  • support and maintenance arrangements
  • nature and quantity of data
  • criticality to the delivery of services
  • relevance to the NIS regulations (if appropriate)

Connected medical devices

You should also have a way of cataloguing your organisation’s connected medical devices. You can expand an existing register or create a new bespoke register for this purpose, which should include the following details:

  • all details you would include in your asset register
  • vendor
  • support and maintenance arrangements
  • any network segmentation in place and whether network access is given to supplier
  • network name
  • internet protocol (IP) address (if static)

For systems holding personal information, it is likely that there will be some overlap between the asset inventory and your information assets and flows register.

The registers you hold should ideally be linked or synchronised and enhanced with products such as asset discovery tools.

For more information on connected medical devices, see NHS England guidance on procuring and deploying connected medical devices, protecting connected medical devices, and network segmentation architecture patterns for connected medical devices.

Asset management

You should have an asset management process which ensures that:

  • obsolete devices are identified and managed
  • vulnerabilities identified across the sector are cross-referenced against the devices and software on your networks
  • suitable controls are applied wherever assets are reused, transferred or disposed of (see B3.e Media/equipment sanitisation)

Assigning responsibility for managing assets

All assets should be assigned to an owner within the organisation who holds ultimate responsibility for managing them.

The owner should understand:

  • where the asset is stored
  • what the asset is used for
  • how access to the asset is controlled
  • areas of potential risk – for example, loss of personal data
  • how the asset should be transferred or disposed of
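The following is an added example (not part of the NHS England guidance or any NHS tooling) that models an inventory using the minimum fields listed above, the extra fields for connected medical devices, and the asset management checks the guidance asks for: flagging obsolete devices, cross-referencing sector vulnerability notices against installed software, and finding assets with no assigned owner. The register contents, the vendor and product names, and the vulnerability bulletin are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Asset:
    """One inventory row: the minimum fields named in the guidance, plus the
    connected-medical-device extras (vendor, segmentation, supplier access, IP)."""
    asset_id: str
    asset_type: str
    location: str
    software: dict                  # installed product -> version
    owner: Optional[str]            # assigned owner; None means nobody is responsible
    support_ends: Optional[date]    # support and maintenance arrangement (end date)
    data_held: str                  # nature and quantity of data
    criticality: str                # criticality to service delivery: high/medium/low
    nis_relevant: bool = False      # relevance to the NIS regulations
    vendor: Optional[str] = None            # medical devices: vendor
    network_segment: Optional[str] = None   # medical devices: segmentation in place
    supplier_access: bool = False           # medical devices: supplier has network access
    ip_address: Optional[str] = None        # medical devices: static IP, if any

# Constructed sample register and sector vulnerability bulletin (not real data).
REGISTER = [
    Asset("WS-001", "workstation", "Ward 4", {"ClinicalViewer": "2.1"}, "j.smith",
          date(2026, 6, 30), "patient records (~5k)", "high", True),
    Asset("INF-007", "infusion pump", "Ward 4", {"PumpOS": "3.0"}, None,
          date(2023, 1, 31), "none", "high", True, vendor="ExampleMed",
          network_segment=None, supplier_access=True, ip_address="10.20.30.40"),
    Asset("SRV-002", "server", "DC-1", {"DBEngine": "14.2"}, "it.ops",
          date(2027, 12, 31), "commercial contracts", "medium", False),
]
SECTOR_VULNS = {"PumpOS": {"3.0", "3.1"}, "DBEngine": {"13.0"}}  # product -> affected versions

def obsolete_assets(register, today):
    """Devices whose support and maintenance arrangement has lapsed."""
    return [a.asset_id for a in register if a.support_ends and a.support_ends < today]

def unowned_assets(register):
    """Assets with no owner holding responsibility for them."""
    return [a.asset_id for a in register if not a.owner]

def affected_by_sector_vulns(register, bulletin):
    """Cross-reference a sector vulnerability bulletin against installed software."""
    return sorted((a.asset_id, p, v) for a in register
                  for p, v in a.software.items() if v in bulletin.get(p, set()))

def unsegmented_supplier_access(register):
    """Medical devices the supplier can reach but with no segmentation recorded."""
    return [a.asset_id for a in register
            if a.vendor and a.supplier_access and not a.network_segment]
```

Run against a real register export, the same four checks produce the review list an asset owner would work through.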

Supporting evidence

To support your response, you can review and upload (or link to) any evidence which best demonstrates your achievement of the contributing outcome. This includes:

  • Information assets register
  • Other document(s) or tool(s) for cataloguing assets
  • Evidence of consideration and prioritisation of essential functions
  • Evidence of asset dependencies on supporting infrastructure being recognised
  • Evidence of asset managers and owners being assigned
  • Procedures for reviewing and updating asset inventories
  • Evidence of asset management procedures facilitating effective cyber security

This is not an exhaustive list. You are welcome to provide other types of evidence if you feel they are relevant to the contributing outcome.

Your supporting statement should cross-reference how each piece of evidence provides justification for your achievement of the contributing outcome, including relevant page numbers where appropriate.

Interpreting indicators of good practice

Indicator of good practice: A#1

All assets relevant to the secure operation of essential function(s) are identified and inventoried (at a suitable level of detail). The inventory is kept up to date.

This includes maintaining an information asset register (IAR) which is reviewed and kept up to date.

Term: 'essential function(s)'

Interpretation: Your essential functions should be identified in a scoping exercise which you carry out before beginning your DSPT submission. The same exercise should identify all the information, systems and networks which support your essential functions.

For more information, see guidance on scoping essential functions.

Additional guidance

For additional guidance, see:

National Cyber Security Centre CAF guidance | A3 Asset management
National Cyber Security Centre | Asset management
NHS England | Cyber security guidance for healthcare professionals procuring and deploying connected medical devices
NHS England | Guidance on protecting connected medical devices
NHS England | Network segmentation architecture patterns for connected medical devices

Mapping to other cyber frameworks

NHS England and DHSC have produced a mapping document showing where the requirements of the CAF-aligned DSPT overlap with those of other cyber frameworks. New frameworks will be added to this document over the course of the year.


Last edited: 18 December 2024 9:55 am