Asset Registration
IRAP assessment requires a clear asset inventory. Register your systems and assets so evidence maps correctly to ISM controls and assessors can see what's in scope.
Why Assets Matter
- Assets define the boundary of your IRAP assessment
- Evidence is collected against registered assets
- Unregistered assets won't have automated evidence
- Your asset register is a compliance artefact itself
Assessors expect to see a maintained asset register.
Asset Types
| Type | Examples |
|---|---|
| Cloud Resources | EC2 instances, S3 buckets, RDS databases, Lambda |
| Hardware | Laptops, servers, network equipment, mobile devices |
| Software / SaaS | Applications, services, third-party tools |
| Data Stores | Databases, file shares, document management |
Automatic vs Manual Registration
Automatic Collection
- Integrations collect assets during pipeline runs
- GitHub: repositories as assets
- Mosyle: managed devices as assets
- AWS: cloud resources as assets
Manual Registration
- Navigate to Assets → Add Asset
- Enter name, type, and data classification
- Optionally link to a system
- Add metadata (owner, location, provider details)
Data Classification
| Level | Description | Example |
|---|---|---|
| UNOFFICIAL | Public information | Marketing website |
| OFFICIAL | Routine business | Internal tools |
| OFFICIAL: Sensitive | Requires safeguards | Customer data, HR records |
| PROTECTED | High business impact | Financial systems, PII stores |
Most IRAP assessments target OFFICIAL: Sensitive. Set this as the default unless you know otherwise.
Linking Assets to Systems
- Assets belong to systems
- Systems run pipelines that collect findings and evidence
- Organise assets by application or service boundary
- One system can have many assets
Maintaining Your Register
- Run pipeline scans regularly to refresh automated assets
- Update manual assets when infrastructure changes
- Archive decommissioned assets rather than deleting them, so the audit trail is preserved
- Review classifications when data handling changes