ISO/IEC 19770 is an international standard that specifies requirements for the establishment, implementation, maintenance, and improvement of an IT asset management system.
Definition and purpose
The ISO/IEC 19770 framework provides additional or more detailed requirements for managing IT assets than ISO 55001:2014, which specifies the requirements for an asset management system and focuses primarily on physical assets. Its purpose is to help organizations properly manage their IT assets, which includes handling licensing, making changes, and meeting legal, regulatory and contractual requirements as well as the organization’s own requirements.
ISO/IEC 19770 is governed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The framework is developed and maintained by a joint technical committee, ISO/IEC JTC 1/SC 7.
ISO/IEC 19770 was last updated in 2017.
ISO/IEC 19770-1:2017 applies to all types and sizes of organizations. While intended for IT assets in particular, it can also be applied to other asset types.
Controls and requirements
ISO/IEC 19770 specifies requirements for an IT asset management system within the context of the organization. These requirements are specific to certain characteristics of IT assets and deal with:
- Controls over software modification, duplication, and distribution, with particular emphasis on access and integrity controls
- Audit trails of authorizations and of changes made to IT assets
- Controls over licensing, underlicensing, overlicensing, and compliance with licensing terms and conditions
- Controls over situations involving mixed ownership and responsibilities, such as in cloud computing and with ‘Bring-Your-Own-Device’ (BYOD) practices
- Reconciliation of IT asset management data with data in other information systems when justified by business value, in particular with financial information systems recording assets and expenses
Please refer to the official ISO/IEC 19770 documentation for a detailed list of controls and requirements.
Audit type, frequency, and duration
It is recommended that organizations perform internal audits to check how their IT asset management system is working. Internal audits can be performed by the organization itself, or by an external party on its behalf, to assess the organization’s ability to meet its own IT asset management requirements.