All the system's information assets must be identified.
The organization must identify all of its information assets in order to classify them, protect them from potential risks, and implement controls according to their value.
It is recommended to set a scope for the asset identification activity. Ideally, this identification is set within the scope of an Information Security Management System (ISMS).
When the organization doesn't have an ISMS, it is possible to set the scope of the activity by first identifying the assets that correspond to the organization's most important processes and then gradually broadening the scope to the remaining processes.
The identification of assets may contain the following information:
Asset group (if a grouping parameter has been set, which is recommended).
Name of the process it belongs to.
Severity of the process it belongs to.
Owner, person in charge of the asset (R004).
Asset classification in terms of confidentiality, availability and integrity.
Asset value according to its classification (R005).
It is recommended that the asset identification be done by the person responsible for each process of the organization, thus allowing for a proper classification of the asset, as shown in the following diagram:
Consulting - Define the Information Asset Inventory.
Consulting - Defining the Information Asset Granularity.
Consulting - Establishing the Owner of an Information Asset.
Consulting - Answering the Information Asset Inventory Questionnaire.
ISO 27005 - Risk Management for ISMS with ISO 27005.
ISO 27003 - ISO 27003 Guide.
An anonymous person or employee executes actions that threaten the security of any of the organization's information assets. Since the impact of the assets is unknown, the incident can't be put in terms of value/cost. As a consequence, the incident's solution can come late or cause a greater impact to the organization.
Layer: Resource layer
Asset: Information assets
Type of control: Procedure