Undertake an information asset audit to identify what information assets are held.  The identified information assets must be linked back to the business activities and functions by your agency.

Relationship to the Information Management Standard


Under the Information Management Standard (Standard), your agency must identify:

  • what information assets it holds (Behaviour 1.1), and
  • how those information assets relate to your agency’s business functions and activities (Behaviour 1.3).

This will ensure your agency is making and maintaining full and accurate information assets appropriate to your business processes, regulatory environment and risk and accountability requirements (Behaviour 4.1).

Conducting an information asset audit will assist your agency to meet Behaviour 1.1 and support your agency in meeting Behaviours 1.3 and 4.1.

What is an Information Asset Audit?

An information asset audit is a survey to:

  • identify what information assets exist in your agency, and
  • evaluate how these assets support your agency’s business requirements.

This is different from appraisal, which is the process of deciding what information assets should be made and kept, based on a value and risk assessment.

One of the purposes of conducting an information asset audit is to compile a comprehensive information asset register (asset register).  An asset register identifies what information resources exist across your agency and provides stakeholders with an overview of the information assets under your agency’s control.

Conducting an Information Asset Audit

Preparation

Before conducting an information asset audit, determine:

  • the scope of the audit, for example whether to prioritise core business functions, business-critical assets (such as assets which hold information vital to the survival of your agency, or without which your agency could not operate), high-profile work units or identified areas of risk, or to conduct the audit agency-wide.
  • how it will be conducted, such as through interviews and focus groups, business unit staff completing a questionnaire or business units completing a proforma asset register.
  • how to identify an information asset. An information asset is not usually a single item.  It should be recognisable to the business users as an identifiable collection of information, where a collection is a set of like or related information.  Examples include personnel files, a contracts database, customer management data, a group of policies and procedures or, in the case of single items, an asset register, complaints register or password register.

Applications, such as an EDRMS, that collect, manage or store information are not legally considered information assets.  However, the information they contain is.  For information security purposes, applications might be treated as an information asset, as the software itself requires protection.

A single system may hold multiple types of information assets.  For example, a single system in a Council may have modules for rates, accounting, property, etc., each of which is a separate information asset.

Check relevant sources to locate existing information assets, such as:

  • previous information audits, including information security audits
  • recordkeeping systems including registers of repositories for physical storage such as agency-run storage facilities, approved service providers or State Records
  • information sharing agreements including Memoranda of Understanding (MOUs) and contracts
  • approved operational Records Disposal Schedules
  • ICT technical environment lists and systems registers
  • Cyber security information asset registers required by the South Australian Cyber Security Framework (SACSF)
  • lists of information required to be reported externally and internally.

Prepare an initial list of people / business units to approach, such as staff who may be able to help identify and value information assets.

Conduct the Information Asset Audit

An information asset audit can be conducted by:

  • reviewing the documentation obtained from your research of relevant sources
  • interviewing selected staff to obtain information asset profiles
  • sighting information assets and / or systems where required
  • acquiring any additional documentation relating to information assets and / or systems.

It is recommended the audit be conducted by a staff member with information management experience and corporate knowledge in consultation with other relevant areas, such as ICT and governance.

Record and collate data into an asset register and analyse results.  Create the asset register in a format such as a spreadsheet which enables data to be extracted for analysis, reporting or other purposes.

Fields may include:

  • type of record
  • description
  • business owner
  • start date, and end date for legacy systems
  • format, including copies
  • location of the information (physical, digital, onsite, with a third party provider (within Australia or offshore))
  • legislative or contractual context
  • system context, including interdependencies or previous migrations
  • disposal coverage
  • business value and criticality
  • confidentiality, integrity and availability requirements
  • risks.

Review and finalise the asset register. This can be done by asking the nominated staff to review and validate the list relating to their business unit or provide further information as required.

Your agency may already have an existing register that references some or all of your agency’s information assets, such as a Cyber Security Information Asset Register.  Where a register already exists, it is recommended these registers be combined, if possible and appropriate, or at least be linked to one another.

Plan to review the asset register both routinely and as more information assets are created, found or discontinued.  A review should also be conducted when systems, software and media are upgraded or become obsolete.

Outcomes of an Information Asset Audit

The information asset audit will produce an asset register that will enable a clear understanding of what information assets are held by your agency.

The asset register will form part of the value and risk assessment you will need to complete to inform the value of the information your agency holds.

Page last updated: 21 April 2023