All information assets must be valued in monetary terms
The organization must value all previously identified assets in monetary terms, keeping in mind the value it represents to the business. This will allow the organization to know the importance of assets as well as the cost of loss and also allow them to determine and establish cost effective controls.
Defining the value of the information assets is a complex topic due to the fact that information assets are intangible. Intangible information assets include but are not limited to:
Initially in immature asset management processes, an organization may choose to define a qualitative value for their assets according to a previously defined classification criteria, however, as the organization betters their processes It is strongly recommended that the organization uses a monetary model to value their information assets.
To establish the value of an asset the following items should be taken into account:
The commercial value of the information.
The cost of reposition in case of loss.
The cost of the business impact in case of loss.
The value of the preservation of the information.
With these variables in mind the organization can define a formula to establish the monetary value of their assets.
Consulting - Determine the Value of Information.
Consulting - Define the Information Asset Inventory.
ISO 27005 - Risk management for an ISMS with ISO 27005.
Consulting - Establishing the Owner of an Information Asset.
Consulting - Answering the Information Asset Inventory Questionnaire.
ISO 27003 - ISO 27003 Guide.
An anonymous person or employee executes actions that attempt against the security of any of the organization’s information assets. Given the previous scenario it is not possible to determine the value of the controls that must be implemented in order to protect the information assets in a cost efficient manner.
Layer: Resource layer
Asset: Information assets
Type of control: Procedure