Is Your Information and Data Counted as a Business Asset? 

In his book Infonomics (2018), Douglas B. Laney observes that information is not recognised as a balance sheet asset, and it is therefore not managed like one. Although there is much talk about ‘information being an asset,’ many leaders don’t embrace this concept enough to act accordingly. So, the question arises: Is the information at your organisation counted as an asset?

Here in NSW, authorities have made efforts to emphasise the importance of treating information as a business asset. When the new Standard 12 Standard on Records Management was first released in 2015 by the State Archives and Records Authority, the language had noticeably shifted. The introduction to Standard 12 highlights that “Records and information are at the core of government business and are core assets.” 

This shift in perspective is crucial. Anyone who has tried to run an information and records management program from a compliance angle knows how difficult it can be to make it stick. Often, colleagues feel directly responsible for their service provision, viewing the information inputs and outputs of their work as by-products rather than as key organisational assets. Compliance alone is rarely enough to motivate them to go the extra mile in managing these records properly. 

However, if colleagues start to see the information they generate as intrinsically valuable to the organisation—as a true business asset—good practices are more likely to follow. This mindset shift is where the Information Asset Register (IAR) comes into play. 

What is an Information Asset Register? 

An Information Asset Register (IAR) is a crucial tool for cataloguing and managing your organisation’s information assets. In its simplest form, an IAR is a list of all the information assets your organisation holds, whether they are digital assets or paper records. The IAR helps organisations keep track of these assets, including details like their asset status, format, location, information asset owner, and associated security measures. 

In larger organisations, maintaining an accurate IAR is vital for operational efficiency and risk management. It ensures that sensitive information, such as sensitive personal data or special category data, is protected according to industry standards and legal requirements like the General Data Protection Regulation (GDPR). 

Why You Need an Information Asset Register 

Establishing an Information Asset Register is the first step in recognising information as a critical business asset. Without an IAR, it’s difficult to manage your organisation’s information effectively or to conduct thorough risk assessments. An IAR serves as a catalogue of the information you hold, enabling you to identify and protect high-risk assets—those that could cause significant harm if compromised. 

Moreover, an IAR is not just about listing assets; it’s about understanding the business need for each asset, assessing its value, and determining the lawful basis for its processing. For example, if you’re handling personal information or sensitive data, your IAR can help you establish whether you have a legitimate interest in keeping that data and ensure that it’s handled lawfully and securely. 

Key Components of an Information Asset Register 

A comprehensive Information Asset Register typically includes the following components: 

  1. Information Asset Owner: Each asset should have a designated owner responsible for its management and security. The information asset owner is typically someone in a senior position who understands the value and risks associated with the asset.
  2. Asset Status: This indicates whether the asset is active, archived, or scheduled for disposal. Keeping the asset status up to date is crucial for maintaining an accurate asset register.
  3. Security Measures: Document the security measures in place to protect each asset, particularly those that contain sensitive information. This might include encryption, access controls, and physical security for paper records.
  4. Location: Whether the asset is stored on-premises, in the cloud, or on mobile devices, its location should be clearly documented.
  5. Risk Assessments: Regular risk assessments are essential to identify potential vulnerabilities and ensure that security measures are adequate.
  6. Sensitive Data: Clearly identify and classify any sensitive data or special category data to ensure it receives the necessary protection.
  7. Lawful Basis and Legitimate Interest: For each information asset, document the lawful basis for processing the data and whether there is a legitimate interest in keeping it.
  8. Periodic Review: Conduct a periodic review of the IAR to ensure that all information is current and accurate. Regular updates help to prevent data becoming outdated or irrelevant.

Building Your Information Asset Register 

Creating an IAR can be straightforward, but it requires careful planning and collaboration across departments. Here are seven steps to help you build your own Information Asset Register: 

  1. Make the Case: Start by explaining the benefits of the IAR from a governance, strategic, and operational perspective. Highlight how the IAR can help address data management challenges, enhance operational efficiency, and mitigate risks, including potential data breaches.
  2. Define Your Scope: Determine the scope of your IAR based on your organisation’s size, the number of assets, and your capacity to manage them. Use asset register examples from similar organisations to guide you in determining the level of detail required.

     Here are some common/important fields to consider:

     – Format/s
     – Status
     – System/Location
     – Third Party Linkage
     – Personal Information
     – Risk Rating
     – Information Sensitivity
     – Retention Requirements
  3. Link the IAR to Business Priorities: Ensure that your IAR aligns with your organisation’s priorities. For example, connect the risk assessments in your IAR with your existing risk management frameworks, and tie information security measures to your broader security strategy.
  4. Prioritise High-Value and High-Risk Assets: Focus first on identifying and cataloguing assets that are critical to your business operations and those that pose the greatest risk if compromised. These might include sensitive personal data, financial records, and digital assets.
  5. Gather Your Sources: Start by compiling information from existing fixed asset registers, systems inventories, and physical audits. Use these as a basis for identifying information assets across the organisation.
  6. Host IAR Workshops: Engage with key stakeholders, including IT, legal, and data management teams, to help populate the IAR. Emphasise the importance of the IAR in maintaining information security and operational efficiency.
  7. Define the Audience and Assign Responsibility: Clearly define who will use the IAR and assign information asset administrators to manage it. These individuals will be responsible for keeping the IAR up to date, ensuring that periodic reviews are conducted, and that any changes in asset status are documented.

Maintaining and Updating Your Information Asset Register 

An Information Asset Register is a living document. It requires ongoing management and periodic updates to remain effective. Assign responsibility to a dedicated team or individual who can oversee the IAR and ensure that it remains accurate and up to date. Regularly review the IAR to accommodate changes in your organisation’s information assets, such as new data sources or changes in data processor relationships. 

Additionally, it’s important to integrate the IAR into your organisation’s broader information security and risk management strategies. This integration ensures that the IAR is not just a static list but a dynamic tool that contributes to the overall security and efficiency of your organisation. 

Conclusion 

Treating information as a business asset is more than just a good idea—it’s an essential practice for modern organisations. By implementing and maintaining an Information Asset Register, you can ensure that your organisation’s information assets are well-managed, secure, and aligned with both business and regulatory requirements. Whether you’re dealing with digital assets, paper records, or mobile devices, an IAR helps you track and protect these valuable resources, enhancing your organisation’s operational efficiency and information security. 

At Recordkeeping Innovation, we understand the importance of managing your information assets effectively. Our team can assist you in developing a comprehensive Information Asset Register tailored to your organisation’s needs, helping you safeguard your sensitive information and achieve compliance with industry standards like ISO 27001. Contact us today to learn more about how we can support your information governance initiatives. 
