Information security is all about ensuring the availability, confidentiality and integrity of information assets (the CIA triad). However, many organisations attempt the risk assessment phase of an information security programme without having clear visibility of what their information assets are, or they are aware of some but have neither prioritised them nor modelled the threats against them.
A clear information asset register is a critical first step in the risk assessment process and in the subsequent risk treatment, risk review and incident management aspects of your information security strategy.
So how do you begin? What is an information asset? Is it documents? Is it laptops?
The ISO 27001 Definition
Frustratingly, the current ISO 27001 standard gives little clarity on the exact definition of an asset, let alone an information asset. However, the 2005 revision of the standard did define an asset as “anything that has value to the organization”, and so this is a good starting point.
Obviously, many assets which have value to the business have already had the risks to them considered and mitigated – a good example of this is building and contents insurance.
From an information security perspective, we need to consider any assets that affect the availability, confidentiality or integrity of information.
Examples of Assets
The types of assets relevant to information security will vary from organisation to organisation, but some common examples are:
Information
This – the most obvious asset type – can include paper files, schematics, digital data, intellectual property, processes, procedures, strategies, financial and HR data.
Hardware
Laptops, PCs, servers, printers, firewalls, backup devices, networking equipment, mobile devices, etcetera. Some companies will have additional leftfield hardware to consider, such as IoT devices, industrial control systems, vehicle electronics, etc.
Software
It’s easy to consider the software used day-to-day, such as operating systems, office and financial applications, email clients, etcetera, but remember to include Software-as-a-Service solutions – you will have less responsibility for (and less influence over) these, however they must still be considered.
Infrastructure
You should include any infrastructure assets that impact information, such as offices and utilities (electricity, connectivity, etcetera).
Employees
Finally, employees should be considered, particularly those whose skills, knowledge or experience (and the availability of those people) impact information for the rest of the business.