Handling of Asset Policy¶

Owner	Classification	Review Date	Status
CDO Office	Internal	April 2027	Active

|
---|---
Document Type| Policy
Document #| SP-HA-013
Owner| Head of Human Resource and Admin; Chief Network Officer
Classification| Confidential (Class 2 — Private Data)
Version| V1.1
Issue Date| 05/09/2025
Review Cycle| Annual
Authorised By| Yassir Pasha

Document Information¶

Field	Details
Document #	SP-HA-013
Document Title	Handling of Asset
Version	V1.1
Confidentiality Level	Class 2 (Private Data / Confidential)
Date Created	27/03/2021
Issue Date	05/09/2025
Document Owner	Head of Human Resource and Admin, Chief Network Officer
Author(s)	Simpaisa
Purpose	To ensure that Handling of Asset policy are implemented
Authorised By	Yassir Pasha

Reviewed By Steering Committee¶

Name	Role
Yassir Pasha	Chief Executive Officer
Kamil Shaikh	Chief Operating Officer
Osama Hashmi	Chief Financial Officer
Bachir Njeim	Chief Strategy and Operations Officer
Saqlain Raza	Acting Chief Technology Office
Rizwan Zafar	Chief Product Officer
Ahsan Hussain	Payment Channel Partnerships
Danish Abdul Hameed	Chief Information Security Officer
Shahroze Khan	Head of International Merchant Sales and Strategic Alliances
Noor Ali	Country Head Pakistan
Shoukat Bizinjo	Global Head of Regulatory Affairs · Regulatory

Change Control¶

Version	Date of Issue	Author(s)	Brief Description of Changes	Approved By
V1.0	08/04/2021	Rizwan Zafar	Initial release	Salim Karim
V1.1	05/09/2025	Simpaisa	As per ISO 27001:2022	Yassir Pasha

1 Introduction¶

Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organisation. Procedure shall be established for handling, processing, storing and communicating information consistent with its classification. The following points shall be considered.

The policy applies to desktops, laptops, printers and other equipment, to applications and software, to anyone using those assets including internal users, temporary workers, and in general to any resource and capabilities involved in the provision of the IT services.

2 Asset¶

2.1 Asset Types¶

The following minimal asset classes are subject to tracking and asset tagging:

Desktop workstations
Laptop mobile computers
Tablet devices
Printers, copiers, fax machines, and multifunction print devices
Handheld devices
Scanners
Servers
Network appliances (e.g., firewalls, routers, switches, Uninterruptible Power Supplies (UPS), endpoint network hardware, and storage)
Private Branch Exchange (PBX) and Voice over Internet Protocol (VOIP) Telephony Systems and Components
Internet Protocol (IP) Enabled Video and Security Devices
Memory devices

2.2 Asset Value¶

Assets which cost less than 1000 PKR shall not be tracked, including computer components such as smaller peripheral devices, or mice. However, assets which store data regardless of cost, shall be tracked either as part of a computing device or as a part of network attached storage. These assets include:

Network Attached Storage (NAS), Storage Area Network (SAN) or other computer data storage
Temporary storage drives
Tape or optical media with data stored on them including system backup data

2.2.1 Asset Tracking Requirements¶

The following procedures and protocols apply to asset management activities:

All assets must have an internal asset number assigned and mapped to the device's serial number, with reference to the labelling policy.
An asset-tracking database shall be created to track assets. It shall minimally include purchase and device information including:
- Date of purchase
- Make, model, and descriptor
- Serial Number
- Location
- Type of asset
- Owner
- Department
- Purchase Order number
- Disposition

Prior to deployment, Network support & Administration staff shall assign an ID to the asset and enter its information in the asset tracking database. All assets maintained in the asset tracking database inventory shall have an assigned owner.

2.2.2 Asset Disposal and Repurposing¶

Procedures governing asset management shall be established for secure disposal or repurposing of equipment and resources prior to assignment, transfer, transport, or surplus.

When disposing of any asset, sensitive data must be removed prior to disposal. IT/Network support staff shall determine what type of data destruction protocol should be used for erasure. Minimally, data shall be removed using low level formatting and degaussing techniques. For media storing confidential or personally identifiable information (PII) that is not being repurposed, disks shall be physically destroyed prior to disposal.

3 Audit Controls and Management¶

On-demand documented procedures and evidence of practice should be in place for this operational policy as part of ISO 27001. Satisfactory examples of evidence and compliance include:

Current and historical asset management system checks for various classes of asset records.
Spot checks of record input and accuracy against tracking database.
Evidence of internal process and procedure supporting this policy for compliance with general workstation computing policies.

4 Policy Definitions¶

Access shall be restricted for each level of information classification.
All the records of the authorised asset recipients shall be maintained.
Formal copies of permanent / temporary documents as well as the original docs shall be maintained.
Storage of IT Assets shall be in accordance with manufacturer's specifications.
Clear marking of all copies of media shall be done for the attention of the authorised recipient.
Agreements with other organisations that include information sharing should include procedures to identify classification of that information and to interpret the classification labels from other organisations.

4.1.1 Enforcement¶

Staff members found in policy violation may be subject to disciplinary action, up to and including termination.

4.1.2 Distribution¶

This policy is to be distributed to all Simpaisa staff responsible for hardware and device support.