The ICT Asset Management module maintains a comprehensive inventory of all ICT assets supporting your organization's critical and important functions. This inventory is a core requirement under DORA Article 8 and supports risk assessment, business continuity planning, and third-party dependency mapping.
Asset List Page
The asset list provides a filterable, sortable view of all registered ICT assets.
Filters
| Filter | Options | Description |
|---|---|---|
| Search | Free text | Search by asset name, description, or location. |
| Asset Type | Hardware, Software, Network, Data, Cloud Service, Virtual Infrastructure, Endpoint, Other | Filter by the type classification of the asset. |
| Criticality | Critical, Important, Supporting | Filter by the criticality level assigned to the asset based on its role in supporting business functions. |
| Status | Active, Inactive, Decommissioned, Planned | Filter by the current operational status of the asset. |
Table Columns
| Column | Description |
|---|---|
| Name + Location | The asset name with the physical location displayed beneath it. Click to open the asset detail/edit form. |
| Type | The asset type classification (Hardware, Software, Network, etc.). |
| Criticality | Displayed as a color-coded badge: Critical (red), Important (amber), Supporting (gray). |
| CIA | Three small pill indicators showing the Confidentiality, Integrity, and Availability ratings. Each pill displays a number from 1-5 and is color-coded: 1-2 (green/low), 3 (amber/moderate), 4-5 (red/high impact). Hover for the full label. |
| Provider | The linked ICT provider name, if assigned. |
| Status | A badge showing the operational status: Active (green), Inactive (gray), Decommissioned (red), Planned (blue). |
Creating or Editing an Asset
Click New Asset to create a new entry, or click an existing asset name to edit it. The form covers identification, classification, technical details, and relationships.
Identification
| Field | Type | Description |
|---|---|---|
| Name | Text input | A unique, descriptive name for the asset (e.g., "Production Database Server", "Azure AD Tenant", "Core Banking Application"). Required |
| Description | Textarea | A detailed description of the asset's purpose, function, and significance to the organization. Optional |
Classification
| Field | Type | Description |
|---|---|---|
| Asset Type | Select dropdown | The category of the asset. Options: • Hardware — Physical servers, routers, switches, storage arrays, etc. • Software — Applications, operating systems, middleware, databases. • Network — Network infrastructure, firewalls, load balancers, VPNs. • Data — Data stores, databases, data lakes, file shares. • Cloud Service — SaaS, PaaS, IaaS services (e.g., Azure, AWS, GCP). • Virtual Infrastructure — Virtual machines, containers, orchestration platforms. • Endpoint — Workstations, laptops, mobile devices, thin clients. • Other — Assets that do not fit the above categories. |
| Status | Select dropdown | The current operational state: • Active — Currently in production use. • Inactive — Exists but not currently in use. • Decommissioned — Retired from service. • Planned — Approved but not yet deployed. |
| Criticality | Radio buttons | The importance of this asset to the organization's critical functions: • Critical — Essential for critical or important business functions. Disruption would have severe impact. • Important — Supports important functions but has some redundancy or workaround options. • Supporting — Used in day-to-day operations but disruption would have limited impact. |
Location and Network
| Field | Type | Description |
|---|---|---|
| Physical Location | Text input | Where the asset is physically located. Examples: "Frankfurt DC-1", "AWS eu-west-1", "Office Floor 3 Rack B". Optional |
| Logical Location | Text input | The network or architectural placement. Examples: "Production VLAN", "DMZ", "Management Network", "Azure West Europe". Optional |
| IP Address | Text input (monospace) | The primary IP address of the asset, displayed in monospace font for readability. Optional |
| Hostname | Text input (monospace) | The DNS hostname or FQDN of the asset, displayed in monospace font. Optional |
| External Exposure | Checkbox | Check if this asset is directly accessible from the internet. Externally exposed assets typically warrant higher scrutiny in risk assessments. |
Externally exposed assets are prime targets for cyber threats. Ensure these assets have appropriate controls, regular vulnerability assessments, and are included in penetration testing scope.
CIA Rating
Rate the asset across the three dimensions of information security. Each dimension uses a 1-5 scale with descriptive labels:
| Dimension | Rating Scale |
|---|---|
| Confidentiality | 1: Not rated — 2: Low impact — 3: Moderate — 4: High impact — 5: Critical. Measures the sensitivity of information the asset handles and the impact of unauthorized disclosure. |
| Integrity | 1: Not rated — 2: Low impact — 3: Moderate — 4: High impact — 5: Critical. Measures the importance of data accuracy and the impact of unauthorized modification. |
| Availability | 1: Not rated — 2: Low impact — 3: Moderate — 4: High impact — 5: Critical. Measures how essential continuous access to this asset is and the impact of downtime. |
Each rating is selected by clicking one of five pills (1 through 5). The selected pill is highlighted and the descriptive label updates accordingly.
CIA ratings inform risk assessment scoring and help prioritize controls. An asset with high Availability (4-5) should have robust redundancy and disaster recovery measures. High Confidentiality (4-5) warrants encryption and strict access control.
Recovery Objectives
| Field | Type | Description |
|---|---|---|
| RTO (Recovery Time Objective) | Text input | The maximum acceptable time to restore this asset after a disruption (e.g., "4 hours", "30 minutes", "1 business day"). Optional |
| RPO (Recovery Point Objective) | Text input | The maximum acceptable amount of data loss measured in time (e.g., "1 hour", "15 minutes", "zero"). Optional |
Lifecycle Information
| Field | Type | Description |
|---|---|---|
| Version | Text input | The current version or firmware level of the asset (e.g., "16.0.4", "Ubuntu 22.04 LTS"). Optional |
| License Info | Text input | Licensing details such as license type, key, or subscription tier. Optional |
| Support End Date | Date picker | The date vendor support expires. Assets past support end date represent increased risk. Optional |
| End of Life | Date picker | The date the asset reaches end of life and should be replaced or decommissioned. Optional |
Relationships
| Field | Type | Description |
|---|---|---|
| ICT Provider | Select dropdown | The third-party provider or vendor that supplies or manages this asset. Populated from the ICT Providers register. Optional |
| Business Functions | Multi-select checkboxes | Select one or more business functions that depend on this asset. Functions marked as critical in the Register of Information display a Critical badge to highlight their importance. |
| Dependencies | Multi-select (assets) | Select other ICT assets that this asset depends on. This builds a dependency map used for impact analysis and business continuity planning. |
Asset dependencies are essential for understanding cascading failure scenarios. If a Critical asset depends on a Supporting asset, the Supporting asset's effective criticality may need to be reassessed.
Review Dates
| Field | Type | Description |
|---|---|---|
| Last Review Date | Date picker | When this asset record was last reviewed and confirmed accurate. Optional |
| Next Review Date | Date picker | When this asset should next be reviewed. DORA requires periodic review of the ICT asset inventory. Optional |