
Part of Objective A – Managing risk

Principle A3: Asset management

A3.a Asset management

Description

Everything required to deliver, maintain or support networks and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).

Expectation

The expectation for this contributing outcome is Achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. Inventories of assets relevant to the essential function(s) are incomplete, non-existent, or inadequately detailed.

NA#2. Only certain domains or types of asset are documented and understood. Dependencies between assets are not understood (such as the dependencies between IT and operational technology).

NA#3. Information assets, which could include personally identifiable information and/or important/critical data, are stored for long periods of time with no clear business need or retention policy.

NA#4. Knowledge critical to the management, operation, or recovery of the essential function(s) is held by one or two key individuals with no succession plan.

NA#5. Asset inventories are neglected and out of date.

NA#6. Your information asset register (IAR) or registers are incomplete or out of date.

NA#7. Information asset owners and information asset administrators have not been appointed.

Partially achieved

Partial achievement is not possible for this contributing outcome.

Achieved

All the following statements are true:

A#1. All assets relevant to the secure operation of essential function(s) are identified and inventoried (at a suitable level of detail). The inventory is kept up-to-date. This includes maintaining an information asset register (IAR) which is reviewed and kept up-to-date.

A#2. Dependencies on supporting infrastructure (such as power and cooling) are recognised and recorded.

A#3. You have prioritised your assets according to their importance to the operation of the essential function(s).

A#4. You have assigned responsibility for managing all assets, including physical assets, relevant to the operation of the essential function(s).

A#5. Assets relevant to the essential function(s) are managed with cyber security in mind throughout their lifecycle, from creation through to eventual decommissioning or disposal.

A#6. You have appointed information asset owners and information asset administrators.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework (CAF).

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing

1. Asset inventory – review the organisation’s document(s) or tool(s) for cataloguing assets. Cataloguing may be done entirely in the organisation’s Information Asset Register, or through a combination of the Information Asset Register with other documents and tools for different asset types. Obtain evidence to verify that the following criteria are met:

  1. Comprehensive coverage of the organisation’s information assets, hardware assets, software assets, connected medical devices, systems storing personal data and systems storing business and commercial data. (A#1) 
  2. Indication of the relevance of each asset to the organisation’s essential function(s). (A#1)
  3. Recognition of asset dependencies on supporting infrastructure. (A#2)
  4. A system of prioritisation that indicates which assets are most important to the operation of the organisation’s essential function(s). (A#3)
  5. An assigned staff member who is responsible for managing each asset, including information asset owners and administrators for information assets. Verify how the organisation has made these staff members aware of their roles and responsibilities. (A#4, A#6)

2. Managing with cyber security in mind – verify that the organisation is able to use its asset management procedures for security purposes, such as identifying anomalous or unsupported devices, cross-referencing vulnerabilities against devices and software on its networks, and ensuring suitable controls are applied wherever assets are reused, transferred or disposed of. (A#5)
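The two testing steps above can be exercised against a register mechanically. The script below is an added example, not part of the NHS CAF page or any NHS tooling: it models an asset register with the fields the inventory criteria in step 1 ask for (relevance to the essential function, supporting-infrastructure dependencies, priority, owner), then runs the step 2 checks over it: assets with no owner or priority, dependencies that were recorded but never themselves inventoried, software past vendor support, devices seen on the network that the register does not know about, and a cross-reference of inventoried software against an advisory feed, reported most-critical-first so remediation follows the A#3 prioritisation. Every record, hostname, product, version, support date and advisory identifier in it is constructed for illustration; the field names and the assessment date are assumptions, not a required register format.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2025, 1, 2)  # assumed assessment date for the support-end check


@dataclass(frozen=True)
class Asset:
    id: str
    name: str
    kind: str                            # server, workstation, medical-device, infrastructure
    essential_function: Optional[str]    # which essential function the asset supports (A#1)
    priority: Optional[int]              # 1 = most important to the essential function (A#3)
    owner: Optional[str]                 # information asset owner / responsible manager (A#4, A#6)
    depends_on: tuple = ()               # ids of supporting assets such as power or cooling (A#2)
    hostname: Optional[str] = None       # name the device presents on the network
    product: Optional[str] = None        # software product and version, for vulnerability matching
    version: Optional[str] = None
    support_ends: Optional[date] = None  # vendor support end date, used for the lifecycle check (A#5)


# Constructed register. COOL-01 is deliberately referenced but never inventoried,
# and WS-014 has no owner, so the checks below have something to find.
ASSET_REGISTER = [
    Asset("UPS-01", "Server room UPS", "infrastructure", "patient administration", 1, "estates"),
    Asset("SRV-001", "PAS database", "server", "patient administration", 1, "j.smith",
          depends_on=("UPS-01", "COOL-01"), hostname="pas-db01",
          product="dbengine", version="12.4", support_ends=date(2026, 6, 30)),
    Asset("WS-014", "Ward 3 workstation", "workstation", "patient administration", 3, None,
          hostname="ward3-ws14", product="officeos", version="7.1", support_ends=date(2024, 1, 31)),
    Asset("MD-007", "Infusion pump gateway", "medical-device", "inpatient care", 2, "k.patel",
          depends_on=("UPS-01",), hostname="pumpgw-07",
          product="pumpgw", version="2.0", support_ends=date(2027, 12, 31)),
]

# Constructed hostnames from a network discovery scan; one is not in the register.
OBSERVED_HOSTS = ["pas-db01", "ward3-ws14", "pumpgw-07", "unknown-a1b2"]

# Constructed vulnerability feed. The advisory ids and products are invented for
# the example; "affected_below" means every version lower than the one given.
ADVISORIES = [
    {"id": "ADV-0001", "product": "dbengine", "affected_below": "12.5"},
    {"id": "ADV-0002", "product": "pumpgw", "affected_below": "1.9"},
]


def version_key(version):
    """Turn '12.4' into (12, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def register_gaps(register):
    """Findings against A#1, A#2, A#3, A#4 and A#6: missing fields, and
    dependencies that point at assets which were never inventoried."""
    known_ids = {asset.id for asset in register}
    gaps = []
    for asset in register:
        if asset.essential_function is None:
            gaps.append((asset.id, "relevance to essential function not recorded"))
        if asset.priority is None:
            gaps.append((asset.id, "no priority assigned"))
        if asset.owner is None:
            gaps.append((asset.id, "no owner assigned"))
        for dep in asset.depends_on:
            if dep not in known_ids:
                gaps.append((asset.id, f"dependency {dep} not in register"))
    return gaps


def unsupported_assets(register, today=TODAY):
    """A#5: assets whose vendor support has already ended."""
    return [a.id for a in register if a.support_ends is not None and a.support_ends < today]


def unregistered_hosts(register, observed_hosts):
    """A#5: devices seen on the network that the register does not know about."""
    known_hosts = {a.hostname for a in register if a.hostname}
    return sorted(h for h in observed_hosts if h not in known_hosts)


def affected_assets(register, advisories):
    """A#5: cross-reference advisories against inventoried software, most
    important assets first so remediation can follow the A#3 prioritisation."""
    hits = []
    for adv in advisories:
        for asset in register:
            if asset.product != adv["product"] or asset.version is None:
                continue
            if version_key(asset.version) < version_key(adv["affected_below"]):
                rank = asset.priority if asset.priority is not None else 99
                hits.append((rank, asset.id, adv["id"]))
    return [(asset_id, adv_id) for _, asset_id, adv_id in sorted(hits)]


if __name__ == "__main__":
    print("Register gaps:", register_gaps(ASSET_REGISTER))
    print("Unsupported:", unsupported_assets(ASSET_REGISTER))
    print("Unregistered hosts:", unregistered_hosts(ASSET_REGISTER, OBSERVED_HOSTS))
    print("Affected by advisories:", affected_assets(ASSET_REGISTER, ADVISORIES))
```

Run as written, the register check reports the uninventoried COOL-01 dependency and the ownerless workstation, the lifecycle check flags WS-014 as out of support, the scan comparison surfaces the unknown host, and only SRV-001 matches an advisory. An assessor would expect the organisation's own register and tooling to answer the same four questions, whatever format they use.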

Suggested documentation

Suggested documentation includes:

  • information assets register
  • other document(s) or tool(s) for cataloguing assets
  • evidence of consideration and prioritisation of essential functions
  • evidence of asset dependencies on supporting infrastructure being recognised
  • evidence of asset managers and owners being assigned
  • procedures for reviewing and updating asset inventories
  • evidence of asset management procedures facilitating effective cyber security

Last edited: 2 January 2025 12:00 pm