Asset Management Policy Template

Introduction

Purpose and Use

Information assets such as hardware, software, data and intellectual property are valuable resources that require proper management throughout their lifecycle. This policy template outlines the process for identifying, classifying, protecting and disposing of organisational assets. It aims to ensure that assets are accounted for, appropriately safeguarded, and handled in accordance with Cyber Essentials, ISO/IEC 27001, and UK GDPR requirements.

Use this template to develop an Asset Management Policy tailored to your organisation’s size, structure and risk profile. It should be adapted to reflect your specific asset types (e.g. devices, servers, data sets) and legal obligations.

Who This Template Is For

  • Asset owners and custodians responsible for managing hardware, software and data.
  • IT and security managers tasked with asset inventory and protection.
  • Organisations pursuing ISO/IEC 27001 certification or compliance with Cyber Essentials and UK GDPR.

Alternative Names You Might See

  • Asset Inventory Policy
  • Information Asset Management Policy
  • IT Asset Policy

Asset Management Policy Template

1. Document Management

  • Organisation Name: [Insert organisation name]
  • Document Owner: [Role/title responsible for the policy]
  • Version: [e.g. 1.0]
  • Classification: [e.g. Internal / Public / Confidential]
  • Issue Date: [Date of current issue]
  • Next Review Date: [Date for next review]
  • Supersedes: [If applicable, previous versions]
  • Approval: [Senior management approval]
  • Change History: Include a table recording version, date, author and summary of changes.

2. Purpose

The purpose of this policy is to:

  1. Establish a framework for the management of organisational assets throughout their lifecycle.
  2. Ensure that assets are identified, inventoried, classified and protected according to their value and sensitivity.
  3. Support compliance with UK GDPR, Data Protection Act 2018, ISO/IEC 27001 and Cyber Essentials.
  4. Provide guidance on the secure disposal and sanitisation of assets to prevent unauthorised disclosure.

3. Scope

This policy applies to:

  • All tangible and intangible assets owned, leased or controlled by the organisation, including hardware, software, data, intellectual property and documentation.
  • All employees, contractors and third parties who handle or manage organisational assets.
  • The entire lifecycle of assets, from acquisition and deployment through to disposal.

4. Roles and Responsibilities

4.1 Senior Management / Board

  • Approve the Asset Management Policy and ensure necessary resources are provided for asset management activities.
  • Support enforcement of asset management procedures and hold asset owners accountable.

4.2 Asset Owners / Custodians

  • Identify and register assets under their control in the organisation’s asset inventory.
  • Classify assets based on sensitivity and value.
  • Ensure assets are adequately protected and used in line with policy requirements.
  • Report changes in asset status (e.g. transfer, disposal) to the IT/security function.

4.3 Information Security / IT Function

  • Maintain the central asset inventory and provide tools for recording asset information.
  • Develop procedures for asset labelling, classification, movement and disposal.
  • Conduct periodic audits to verify the accuracy of the asset inventory.

4.4 All Users

  • Use assets in accordance with the Acceptable Use Policy and any asset-specific guidelines.
  • Do not remove or dispose of organisational assets without proper authorisation.
  • Report lost, stolen or damaged assets immediately.

5. Asset Inventory and Classification

5.1 Asset Identification

  • All assets must be uniquely identified and recorded in a central asset register.
  • Asset records should include ownership details, location, configuration, associated data classification and lifecycle status.

5.2 Asset Classification

  • Assets should be classified according to their sensitivity and criticality (e.g. public, internal, confidential, restricted).
  • Classification must determine the level of protection, handling and access controls applied to the asset.
  • Classification labels should be clearly marked on physical assets where appropriate.

5.3 Asset Ownership and Responsibility

  • Each asset must have a designated owner responsible for its management.
  • Owners are accountable for ensuring that security controls commensurate with the asset’s classification are implemented.

6. Asset Lifecycle Management

6.1 Acquisition and Deployment

  • Asset acquisition must follow approved procurement processes and align with organisational security requirements.
  • New assets should be recorded in the inventory upon receipt and configured according to security standards before deployment.

6.2 Use and Maintenance

  • Assets should be maintained in accordance with vendor recommendations and internal standards (e.g. patch management, updates).
  • Periodic reviews should confirm that assets remain fit for purpose and that classification remains appropriate.

6.3 Transfer and Reassignment

  • Any transfer of assets must be documented and approved by the asset owner.
  • Transfers should be recorded in the asset register, updating location and responsible parties.

6.4 Disposal and Sanitisation

  • Disposal of assets must comply with the Data Destruction / Media Sanitisation Policy.
  • Sensitive data must be irretrievably erased or rendered unreadable before disposal.
  • Disposal should be documented with details of method and authorisation.

7. Inventory Review and Audit

  • The asset inventory must be reviewed and reconciled at least annually to ensure accuracy and completeness.
  • Discrepancies must be investigated and resolved promptly.
  • Audit results should be reported to senior management.

8. Training and Awareness

  • Asset owners and users must receive training on asset management procedures, including classification, labelling and disposal requirements.
  • Awareness programmes should highlight the importance of accurate asset records and the risks of untracked assets.

9. Exceptions

  • Any exceptions to this policy must be formally documented, justified, and approved by senior management.
  • Exceptions should be reviewed periodically to ensure they remain valid.

10. Policy Communication

  • This policy must be communicated to all staff and made available on the organisational intranet or Knowledge Base.
  • Updates should be distributed when significant changes occur in asset management procedures or regulatory requirements.

11. Supporting Policies and Standards

  • Information Security Policy – overarching framework for protecting information assets.
  • Data Classification Policy – defines how information should be classified and handled.
  • Acceptable Use Policy – guidelines on appropriate use of organisational resources.
  • Data Retention & Disposal Policy – defines how long data is retained and how it is disposed of.

12. Policy Add‑ons

Consider including additional procedures based on organisational needs:

  • Hardware Asset Tagging Standards – specifying how asset tags are affixed and recorded.
  • Software Asset Management (SAM) – processes for managing software licences, updates and compliance.
  • Vendor Asset Management – guidelines for assets provided by third-party vendors or managed services.

Use this template as a starting point and adapt it to your organisation’s needs. Regularly review and update the policy to reflect changes in asset portfolio, risk landscape and regulatory requirements.
