The Asset Management Policy maintains an inventory of the information assets botBrains relies on to deliver its service, assigns an owner to each one, and sets the rules for handling, returning, and disposing of them. botBrains operates fully remotely with no office and no on-premise infrastructure, so the asset base is almost entirely cloud accounts, SaaS subscriptions, code repositories, domains, and a small number of company laptops.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.
Scope
This policy covers every asset that stores, processes, or transmits botBrains or customer data, whether owned by botBrains or provided by a subprocessor. It applies to both people who work at the company. The canonical, evergreen subprocessor and infrastructure list lives at Subprocessors; this policy governs how botBrains tracks and handles those assets rather than restating them.
Asset inventory
botBrains maintains a single asset register, owned by the CISO, that records each significant asset together with its owner, purpose, and data classification (Employees Only: Asset & Tool Inventory). Items with negligible value and no security relevance are out of scope. The register groups assets into the following categories.
| Category | Examples | Owner |
|---|---|---|
| Cloud accounts | AWS, Hetzner, DigitalOcean, Vercel, Modal, Azure OpenAI, OpenAI | CISO |
| SaaS services | Sentry, Better Stack, Langfuse, PostHog, email, password manager | CISO |
| Code repositories | GitHub private repositories | CISO |
| Domains and DNS | botbrains.io and subdomains | CISO |
| Endpoints | Company laptops | Assigned user |
botBrains classifies each asset according to the Data Classification Policy based on the most sensitive data it handles. Cloud and SaaS accounts that process customer conversation data carry the highest classification and the strongest controls.
Ownership and handling
Every asset has a named owner who is accountable for keeping its record accurate, applying the correct controls, and authorizing access. Access to assets follows the least-privilege and authentication rules in the Access Control Policy, and encryption requirements follow the Cryptography Policy. The Acceptable Use Policy defines acceptable use of assets, including laptops and mobile devices.
Laptops are encrypted and kept current as the Cryptography Policy and Acceptable Use Policy require, and physically protected as the Physical Security Policy describes. This policy tracks each laptop as an asset rather than restating those controls.
Return and disposal
When a person leaves botBrains or changes role, a co-founder revokes their access to all cloud accounts, SaaS services, repositories, and shared credentials following the leaver process in the Access Control Policy, and the departing person returns any company laptop. Because botBrains data lives in cloud services rather than on endpoints, account access, not device contents, is the main leaver risk.
Before anyone reuses, repairs, or disposes of a laptop or storage medium, a co-founder securely wipes its local storage and confirms that full-disk encryption was enabled throughout the device's service life; together, the wipe and the encryption render any residual data unrecoverable. botBrains records the disposal in the asset register with the date, the method, and who performed it. Our cloud providers handle server and disk destruction under their own certifications. Deletion of data inside cloud services follows the Data Retention Policy.
ISO 27001 mapping
This policy supports ISO/IEC 27001:2022 Annex A controls 5.9 (inventory of information and other associated assets), 5.10 (acceptable use of information and other associated assets), 5.11 (return of assets), 7.10 (storage media), and 7.14 (secure disposal or re-use of equipment).
Review
The CISO owns this policy and reviews it at least annually and on any material change to the asset base or supplier set.