Who are considered the owners of assets in a company?

In the context of asset management within a company, individuals who are responsible for managing the assets are considered the owners of those assets. This perspective aligns with ISO 27001, where asset ownership is not merely about legal ownership but pertains to the accountability for the effective management of the assets.

Asset owners have the authority to make decisions regarding the usage, protection, and management of the assets, which is essential for maintaining information security. They are tasked with ensuring that assets are appropriately classified, handled, and protected according to the organization's security policies and the associated risks. By being responsible for the management of these assets, they play a crucial role in the overall security management framework.

While legal ownership might seem relevant, it does not inherently imply responsibility for the asset's safeguarding or management. External auditors, while important for verification and compliance, do not own or manage the assets. Similarly, IT personnel may manage security aspects but do not hold ownership in the broader managerial sense as defined in ISO 27001. Thus, the focus on those who actively manage the assets underscores the importance of accountability and proactive management in information security practices.