|
|
| Document ID |
ISMS-INV-001 |
| Version |
0.1 |
| Status |
Draft (in progress) |
| Classification |
Internal |
| Owner |
Information Security Officer |
| Approved by |
Managing Director |
| Approval date |
pending |
| Effective from |
pending |
| Next review |
Quarterly, and on every asset change |
| Annex A controls |
A.5.9 (inventory of information and other associated assets), A.5.12 (classification of information), A.5.13 (labelling of information) |
This is the register of information assets that BackupExperts owns,
operates, or holds custody of. Each asset has an owner, a classification
(per Data Classification (planned)), a
location, and the controls that apply to it.
The register feeds the Risk Register, the
Statement of Applicability
(planned), and the Business Continuity Plan.
In scope:
- Physical infrastructure that BackupExperts owns or rents (servers,
network gear, NAS, UPS, end-user devices used for BackupExperts work).
- Software systems that BackupExperts operates (Proxmox, MinIO,
Vaultwarden, Wiki.js tenants, monitoring, wiki-cms).
- Information that BackupExperts holds (customer data backups, customer
credentials, internal records, ISMS records).
Out of scope: customer-owned hardware that BackupExperts has read
access to but does not operate, and commodity assets (office furniture,
pens). Customer-owned hardware is referenced from each customer's
onboarding document.
| Asset |
Type |
Page |
| pve03 — Proxmox VE 9 dedicated server |
Hypervisor host |
Detail |
| Asset |
Type |
Page |
| MinIO + NAS — customer Veeam offload target |
Backup target |
(to be documented) |
| Network gear — switch / firewall / router |
Network infrastructure |
(to be documented) |
| UPS |
Power continuity |
(to be documented) |
| Self-hosted fire alarm |
Physical safety |
(to be documented) |
| CCTV system (24/7, 30-day retention) |
Physical security monitoring |
(to be documented) |
| Asset |
Type |
Page |
| Personal laptop (BYOD) — work account, BitLocker FDE, Defender |
Endpoint |
(to be documented) |
| Mobile phone — used for callback verification on restore requests |
Endpoint |
(to be documented) |
| Asset |
Hosted on |
Page |
| Tenant Wiki.js instances |
pve03 (presumed — to be confirmed in detail page) |
(to be documented) |
wiki-cms toolchain |
pve03 / laptop |
(to be documented) |
| MinIO S3 endpoint |
Basement NAS |
(to be documented) |
| Vaultwarden (self-hosted) |
(location to be confirmed) |
(to be documented) |
| Veeam Backup & Replication |
Customer-side (per-customer) |
(to be documented) |
| Monitoring tooling |
(location to be confirmed) |
(to be documented) |
| Asset |
Custody |
Class |
| Customer backup contents |
MinIO basement (off-site copy from customer perspective) |
Confidential |
| Customer credentials |
Vaultwarden |
Secret |
| Customer onboarding documents |
Wiki.js MSP tenant + wiki-cms repo |
Internal |
| ISMS documentation |
Wiki.js MSP tenant + wiki-cms repo |
Internal |
| Financial records |
Lexoffice (Haufe-Lexware GmbH) |
Confidential |
| BackupExperts business email |
Microsoft 365 (Microsoft Ireland) |
Confidential |
| Incident records |
Wiki.js MSP tenant /incidents/register (planned) |
Confidential |
¶ 6. Maintenance
- Adding an asset: append a row to the relevant section above, write
the detail page if material, update the asset's classification.
- Decommissioning an asset: do not delete the row; mark "Decommissioned
on YYYY-MM-DD" and link to the disposal record.
- Quarterly review: ISO confirms each row is current.