Asset Management & Information Classification Policy
Document Number: ISMS-POL-ASM-01
Classification: L1 — Policy (Domain)
Version: 0.1.2
Effective Date: February 20, 2026
Author: Lucas Shin — Security Director
Approved By: Richard — CISO
Next Review Date: February 2027
Parent Policy: Information Security Policy (ISMS-POL-ISP-01)
1. Purpose
This policy defines the requirements for identifying, classifying, managing, and protecting information and associated assets throughout their lifecycle within Cybercraft.
It ensures that all information assets are inventoried, assigned ownership, classified according to their sensitivity, and subject to appropriate controls proportionate to their value and risk.
2. Scope
2.1 Applicable Assets
- Information assets: All digital data processed, stored, or transmitted in the course of Cybercraft business — including client data, internal documents, source code, configuration data, credentials, and intellectual property
- Supporting assets: SaaS platforms and cloud services (M365, AWS, third-party SaaS tools)
- Endpoint devices: BYOD devices enrolled in Intune management (governed by BYOD Security Policy, ISMS-POL-BYOD-01)
- Physical assets: CA100 Appliances deployed at client sites (ISMS scope: TBD — see §3.4)
2.2 Out of Scope
- Test devices used for technical validation only (no corporate data stored)
- Personal data and apps on BYOD devices outside the Managed Volume / MAM boundary
- Client-owned infrastructure and systems (governed by client engagement agreements)
3. Information Asset Categories
Cybercraft operates a 100% cloud-based, Work from Anywhere (WFA) model with no physical offices, servers, or network infrastructure. Asset categories reflect this environment.
3.1 Cloud Platform Assets
| Category | Examples | Primary Control |
|---|---|---|
| M365 Tenant | Exchange, SharePoint, OneDrive, Teams, Entra ID | M365 Workspace & Access Policy (ISMS-POL-M365-01) |
| Third-Party SaaS | Notion, GitHub, Figma, AI tools | Application & Data Governance Policy (ISMS-POL-ADG-01) + Supplier & Third-Party Security Policy (ISMS-POL-STP-01) |
| Cloud Infrastructure | AWS (HVT), Cloudflare, Vercel | Supplier & Third-Party Security Policy (ISMS-POL-STP-01) |
3.2 Data Assets
| Category | Classification | Location | Governing Policy |
|---|---|---|---|
| Client engagement data | Confidential | M365 Private Channels | ISMS-POL-M365-01 §3 |
| Internal strategy, contracts, financials | Confidential | M365 Private Channels | ISMS-POL-M365-01 §3 |
| General business documents | General | M365 Standard Channels | ISMS-POL-M365-01 §3 |
| Source code | Per project classification | GitHub | ISMS-POL-ADG-01 |
| Credentials & secrets | Confidential | Entra ID, Key Vaults | ISMS-POL-M365-01 §7 |
3.3 Endpoint Assets (BYOD)
- All employee devices are personally owned — Cybercraft does not own endpoint hardware
- BYOD devices are subject to platform-specific enrolment with different visibility:
  - macOS (ADUE): Enrolled in Intune via Account-Driven User Enrollment — visible in the Intune Devices inventory
  - Windows (MAM-only): Not enrolled in Intune Devices — tracked via Entra ID Registered Devices and App Protection Policy (APP) reports
- The company's management jurisdiction is limited to the Managed Volume (macOS ADUE) and Managed Edge (Windows) — see BYOD Security Policy (ISMS-POL-BYOD-01) §6
- BYOD device inventory is maintained for access control purposes (compliance enforcement, offboarding, audit, stale device cleanup), not as entries in the Information Asset Register. See Information Asset Identification — Standard Definition (ISMS-STD-ASM-01, Korean-language source) §6.5
3.4 CA100 Appliance Assets
| Attribute | Detail |
|---|---|
| Ownership | Cybercraft-owned hardware, deployed at client sites |
| Data ownership | Client-owned data — Cybercraft acts as processor |
| Operation model | Remote management via Splashtop, data analysis and reporting |
| Decommissioning | Redkey full disk wipe (NIS standard) — at initial deployment and service termination |
If CA100 Appliances are brought into ISMS scope, the following additional controls are required: a Data Processing Agreement (DPA) with the client, a remote access management procedure, and a secure decommissioning procedure.
3.5 SaaS Category Classification
All SaaS platforms used for business purposes are classified into one of three categories based on the level of technical access control Cybercraft can enforce. This classification determines the applicable security controls and the types of data permitted on each platform.
| Category | Name | Classification Criteria | Technical Control Level |
|---|---|---|---|
| A | Platform | M365 native apps integrated directly with Entra ID | ✅ Full — MAM + CA + ADUE data isolation |
| B | SAML-Enforced | SaaS with Enforced SAML on the current licence plan (self-login disabled; all authentication via Entra ID) | ⚠️ Auth boundary — Enforced SAML + Conditional Access; no in-app MAM |
| C | Unmanaged | SaaS where Enforced SAML is unavailable on the current licence plan (SMB/Free tier or SAML not offered) | ❌ Policy only — no technical enforcement possible |
Information classification linkage:
- Confidential data must only be processed on Category A or B platforms where technical access controls can be enforced
- General data may be processed on Category C platforms, subject to compensating controls (policy + user education + NDA)
- Category C platforms processing Confidential data require a documented risk assessment and CISO approval per the risk management process
SaaS Category assignment is recorded in the Information Asset Register (§4) under the SaaS Category property. Category-specific technical controls and account governance requirements are defined in Application & Data Governance Policy (ISMS-POL-ADG-01).
4. Information Asset Register
4.1 Register Requirements
Cybercraft shall maintain an Information Asset Register that records:
- Asset name and description
- Asset category (per §3)
- Owner (per §5)
- Classification level (per §6)
- Storage location and access method
- Applicable security controls and governing policy
The register is maintained at: Information Asset Register (ISMS Documentation / 06-Asset Management)
4.2 Register Update Triggers
| Trigger | Action | Owner |
|---|---|---|
| New SaaS tool adoption | Add to register, classify, assign owner | Security Director |
| Personnel change | Review ownership assignments | Security Director |
| Client engagement start/end | Review client data assets | Security Director + CEO |
| Annual management review | Full register review | Security Director + CISO |
4.3 Asset Discovery Methodology
Cybercraft's asset discovery operates on a contract-based acquisition model: all technology assets (SaaS, cloud services, infrastructure) enter the environment through deliberate procurement or administrative registration. This makes the primary discovery channel the onboarding process itself, not periodic scanning.
4.3.1 Technology Asset Discovery (SaaS / Cloud Services)
Primary discovery channel: Admin Consent Workflow in Entra ID.
- User Consent is disabled — users cannot independently register third-party applications
- All new SaaS integrations require administrator approval via the Admin Consent Workflow
- Each approval event is a natural trigger to evaluate whether the application qualifies as an asset per Information Asset Identification — Standard Definition (ISMS-STD-ASM-01, Korean-language source) §4.1
4.3.2 Endpoint Device Discovery
BYOD device discovery is handled through platform-specific management channels:
- macOS (ADUE): Intune Devices inventory
- Windows (MAM-only): Entra ID Registered Devices + App Protection Policy (APP) reports
Periodic review of registered devices is performed as part of the Device Lifecycle Procedure (ISMS-PROC-BYOD-01) §6 review cycle.
4.3.3 Reference
For detailed asset identification criteria, discovery entry points, and registration decision logic, see Information Asset Identification — Standard Definition (ISMS-STD-ASM-01, Korean-language source).
5. Asset Ownership
5.1 Ownership Principle
Every information asset must have a designated owner responsible for:
- Ensuring appropriate classification
- Approving access to the asset
- Ensuring controls are applied and effective
- Reviewing access rights periodically
5.2 Default Ownership
| Asset Type | Default Owner |
|---|---|
| M365 tenant and Entra ID | Security Director (Lucas Shin) |
| Client engagement data | CEO (Farah Herbert) |
| Third-party SaaS accounts | Security Director |
| Source code repositories | Security Director |
| Security policies and ISMS documentation | Security Director |
| CA100 Appliances | Security Director |
5.3 Ownership Review
- Asset ownership is reviewed annually as part of the management review
- Ownership must be reassigned within 5 business days of a personnel change affecting the current owner
6. Information Classification
6.1 Classification Scheme
Cybercraft uses a two-level classification scheme as defined in M365 Workspace & Access Policy (ISMS-POL-M365-01) §3:
| Classification | Definition | M365 Minimum Requirement |
|---|---|---|
| Confidential | Data whose unauthorised disclosure would cause serious harm to Cybercraft, its clients, or partners | Must be stored in Private Channels |
| General | All other business data | Standard or Private Channels |
6.2 Classification Principles
- Platform-enforced access control: Data access is enforced by the M365 channel structure ("Platform = Policy" principle). Confidential data must be placed in Private Channels to ensure technical access restriction
- Channel Owner responsibility: Each Team/Channel Owner is responsible for classifying and managing the data within their channel(s). This includes determining what data is appropriate for the channel, managing membership, and ensuring Confidential data is not placed in Standard Channels or channels with Guest access
- No manual labelling: Microsoft Purview Sensitivity Labels are not deployed at current organisational scale (3–5 person SMB). This decision is documented and reviewed annually
- Default classification: All data is General unless the Channel Owner determines otherwise and places it in an appropriately access-controlled Private Channel
- Guest collaboration channels: Channels with external Guest participants are treated as General by design — the act of enabling Guest access implies the Channel Owner has determined the data is suitable for external collaboration. Users must not share data beyond the channel membership, enforced through user education and M365 sharing policies
- SaaS data classification: Data permitted on third-party SaaS tools is governed by the SaaS Category assigned to each platform (§3.5). Confidential data is restricted to Category A or B platforms; General data may reside on Category C platforms with compensating controls
6.3 Classification Review
- Classification scheme adequacy is reviewed annually
- Review triggers include: exceeding 10 personnel, new regulatory requirements, or client contractual obligations requiring granular classification
7. Acceptable Use
Acceptable use requirements are distributed across domain-specific policies:
| Domain | Governing Policy | Key Sections |
|---|---|---|
| BYOD devices | BYOD Security Policy (ISMS-POL-BYOD-01) | §5 Acceptable Use |
| M365 platform | M365 Workspace & Access Policy (ISMS-POL-M365-01) | §3 Data Classification, §5 Teams Structure |
| Third-party applications | Application & Data Governance Policy (ISMS-POL-ADG-01) | Account governance, AI data sovereignty |
| Communications and media | Communications & Media Security Policy (ISMS-POL-COM-01) | Public disclosure, content security |
All personnel must comply with the acceptable use terms defined in these policies.
8. Return of Assets
8.1 Upon Termination or Role Change
When an employee leaves Cybercraft or changes role:
- Selective Wipe of all Managed Volume / MAM-protected data — executed by Security Director via Intune
- Account disable in Entra ID within 24 hours of termination notification
- Licence reclamation — M365 licence reassigned or removed
- SaaS account review — third-party SaaS accounts associated with the individual are transferred, archived, or deactivated per Application & Data Governance Policy (ISMS-POL-ADG-01)
- CA100 access revocation — Splashtop access removed if applicable
8.2 Cross-reference
- Offboarding process: Human Resource Security Policy (ISMS-POL-HR-01)
- Device offboarding: Device Lifecycle Procedure (ISMS-PROC-BYOD-01)
- Selective Wipe notice: BYOD Security Policy (ISMS-POL-BYOD-01) §6.5
9. Media Handling
9.1 Digital Media
- No removable media policy: USB drives, external hard drives, and other removable storage devices are not required for business operations
- If removable media is used in exceptional circumstances (e.g., CA100 Appliance deployment), all data must be securely erased after use (Redkey or equivalent)
9.2 Disposal
| Asset Type | Disposal Method |
|---|---|
| Cloud data | Deletion per M365 retention policies and SaaS provider data deletion procedures |
| CA100 Appliance | Full disk wipe using Redkey (NIS standard) |
| BYOD device (corporate data) | Selective Wipe removes corporate data; personal device disposal is user responsibility |
10. Compliance Mapping
| ISO 27001 Control | Requirement | Covered By |
|---|---|---|
| A.5.9 | Inventory of information and other associated assets | §3 (Asset Categories) + §4 (Asset Register, incl. §4.3 Discovery Methodology) |
| A.5.10 | Acceptable use of information and other associated assets | §7 (cross-ref ISMS-POL-BYOD-01 §5, ISMS-POL-M365-01 §3) |
| A.5.11 | Return of assets | §8 (cross-ref ISMS-POL-HR-01, ISMS-PROC-BYOD-01) |
| A.5.12 | Classification of information | §6 (cross-ref ISMS-POL-M365-01 §3) |
| A.5.13 | Labelling of information | §6.2 — Platform-enforced classification replaces labelling (documented rationale) |
| A.5.14 | Information transfer | §7 (cross-ref ISMS-POL-COM-01, ISMS-POL-M365-01 §3.3) |
| A.8.26 | Application security requirements | §3.5 (SaaS Category Classification — application security requirements driven by SaaS Category framework) |
11. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1.0 | 2026-02-20 | Lucas Shin | Initial release — information asset categories (cloud/data/endpoint/CA100), register requirements, ownership model, two-level classification (cross-ref P1 M365), acceptable use (cross-ref delegation), return of assets, media handling |
| 0.1.1 | 2026-02-23 | Lucas Shin | Added §3.5 SaaS Category Classification (A/B/C framework). Updated §6.2 SaaS data classification principle to reference §3.5. Added A.8.26 to compliance mapping |
| 0.1.2 | 2026-02-25 | Lucas Shin | §3.3 BYOD platform-specific visibility clarified (macOS ADUE → Intune Devices; Windows MAM-only → Entra ID + APP reports). §4.3 Asset Discovery Methodology added — contract-based acquisition model, Admin Consent Workflow as primary SaaS discovery channel, User Consent disabled rationale documented, endpoint discovery channels. A.5.9 compliance mapping updated. Cross-references to Standard Definition (ISMS-STD-ASM-01) §4.1/§6.5 |
Review Schedule
- Annually: Full register review, classification scheme adequacy, ownership verification
- Ad-hoc: Upon new SaaS adoption, personnel changes, client engagement changes, or security incidents
[End of Policy Document]