How do you Categorise Your Assets When Conducting an Information Security Risk Assessment?
What is our strategy for identifying assets in our information security risk assessment? This question encompasses two key elements: first, determining which assets to incorporate, and second, deciding the level of detail to include in the asset list. This blog delves into the consideration of which assets or types of assets should be included. It should be read alongside another URM blog titled 'How to Approach Asset Identification in Information Security Risk Assessment,' where we emphasized the importance of maintaining a high-level perspective during the identification of information assets with the guidance of an ISO 27001 consultant.
One important aspect we recommend you consider is the categorization of your assets. This process proves valuable as it allows you to pinpoint assets that may encounter similar threats or possess comparable vulnerabilities.
The following list is a standard reference but should not be viewed as the exclusive method for categorizing your assets, as it should be tailored to your specific business nature. Therefore, it is not an exhaustive inventory but rather a solid starting point that, based on our experience, addresses the majority of asset types:
- Information
  - Electronic
  - Paper
- People
- Premises
- Suppliers
- Technology
  - Hardware
  - Software
- Equipment (non-technology assets like fire safes)
- Intangibles (such as brand and reputation)
It's crucial to note that 'information' holds the top position on this list. This should always be your primary consideration since it represents the core of what you aim to safeguard. All other categories are considered supporting assets as they assist in storing, transmitting, or processing information. Consequently, they often inherit the value associated with the information itself. For instance, when categorizing laptops, you might distinguish between two groups: one for general use by all employees and another for those handling sensitive information storage, processing, or communication. In this scenario, the latter group naturally requires a higher level of protection due to the increased impact of losing such a laptop.
As the list above shows, we've introduced subcategories in certain instances, recognizing that information can exist in both electronic and paper formats, and that it can be useful to treat hardware and software technology separately. As previously mentioned, assets within a category tend to be susceptible to similar types of impact. For instance, irrespective of the specific information they contain, paper-based materials are all susceptible to threats like fire. Similarly, all suppliers need to be managed effectively, which calls for safeguards against contractual vulnerabilities, among other considerations.
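To make the two ideas above concrete (supporting assets inheriting the value of the information they hold, and grouping by category so shared threats are assessed once), here is a small added Python model of an asset inventory. It is illustrative code written for this post, not URM's tooling or a standard; the 1-to-5 C/I/A scale, the category names, the "higher protection at rating 4 or above" threshold and the sample assets are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CIA = Tuple[int, int, int]  # assumed scale: 1 (low) to 5 (high) for C, I, A

@dataclass
class Asset:
    name: str
    category: str                                    # e.g. "Technology/Hardware"
    cia: Optional[CIA] = None                        # rated directly only for information
    holds: List[str] = field(default_factory=list)   # information this asset stores/processes/transmits

def inherited_cia(asset: Asset, inventory: Dict[str, Asset]) -> CIA:
    """Information keeps its own rating; a supporting asset inherits the highest C, I, A
    of the information it holds. Holding nothing rated yields (0, 0, 0) to flag review."""
    if asset.cia is not None:
        return asset.cia
    ratings = [inventory[n].cia for n in asset.holds if inventory[n].cia is not None]
    if not ratings:
        return (0, 0, 0)
    return tuple(max(col) for col in zip(*ratings))

def category_groups(inventory: Dict[str, Asset]) -> Dict[str, List[str]]:
    """Group names by category so shared threats (fire for paper, contract failure for
    suppliers) are assessed once per group rather than once per asset."""
    groups: Dict[str, List[str]] = {}
    for asset in inventory.values():
        groups.setdefault(asset.category, []).append(asset.name)
    return groups

def hardware_tiers(inventory: Dict[str, Asset], threshold: int = 4) -> Dict[str, List[str]]:
    """Split hardware into the two laptop groups the post describes: an inherited rating
    of `threshold` or more on any dimension puts the device in the higher-protection tier."""
    tiers: Dict[str, List[str]] = {"higher": [], "general": []}
    for asset in inventory.values():
        if asset.category == "Technology/Hardware":
            tier = "higher" if max(inherited_cia(asset, inventory)) >= threshold else "general"
            tiers[tier].append(asset.name)
    return tiers

# Constructed sample inventory following the categories in the list above.
INVENTORY: Dict[str, Asset] = {a.name: a for a in [
    Asset("customer records", "Information/Electronic", cia=(5, 4, 3)),
    Asset("intranet news", "Information/Electronic", cia=(1, 1, 2)),
    Asset("signed contracts", "Information/Paper", cia=(3, 5, 2)),
    Asset("finance laptop", "Technology/Hardware", holds=["customer records", "intranet news"]),
    Asset("general laptop", "Technology/Hardware", holds=["intranet news"]),
    Asset("archive room", "Premises", holds=["signed contracts"]),
    Asset("payroll provider", "Suppliers", holds=["customer records"]),
]}
```

Because ratings are derived rather than typed in per device, re-rating one information asset automatically re-tiers every laptop, room and supplier that handles it.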
Furthermore, these asset types can be correlated with ISO 27002 controls, which offer comprehensive protection against a wide range of information-related risks. For instance, when it comes to software assets, implementing controls like vulnerability and patch management becomes crucial. This entails regularly assessing and addressing potential vulnerabilities within the software to ensure it remains resilient to cyber threats and exploits.
On the other hand, hardware assets require measures such as efficient air conditioning and a reliable power supply to maintain their optimal functioning. Adequate temperature control safeguards against overheating and potential hardware failures, while a consistent power supply helps prevent data loss and downtime due to unexpected outages.
In the realm of people assets, organizations can significantly enhance their security posture through tailored training and awareness programs. By educating employees about cybersecurity best practices and potential threats, they become a valuable line of defense against social engineering attacks and other security breaches. Additionally, establishing suitable employment contracts that outline clear security responsibilities and expectations further strengthens the protection of sensitive information.
Incorporating these ISO 27002 controls in alignment with specific asset types ensures a robust information security framework, helping organizations mitigate risks effectively and work towards achieving ISO 27001 certification.
Hence, it remains paramount to keep your primary goal in mind, which is, through risk assessment, to identify and subsequently manage risks in terms of confidentiality, integrity, and availability (often abbreviated as CIA) as part of your journey towards ISO 27001 certification. To accomplish this, you must establish a manageable and actionable representation of risk, for which a well-organized asset list is indispensable.