How do you Categorise Your Assets When Conducting an Information Security Risk Assessment?
PUBLISHED on
19 Jul
2022
‘How do we approach asset identification within our information security risk assessment?’. There are 2 aspects to this question; ‘which assets do we include?’ and ‘how granular do we make the list?’. This blog examines which assets or asset types to include and should be read in conjunction with another URM blog titled ‘How do I Approach Asset Identification Within My Information Security Risk Assessment?, where we stressed the need to stay at a high level when identifying your information assets.
One thing that we recommend you think about is categorising your assets. This is a useful process as it enables you to identify assets that could face similar threats or may contain similar vulnerabilities.
The following list is typical, but is by no means the only way to categorise your assets, as it depends on the nature of your business. As such, this is not an exhaustive list, but is a good starting point which, in our experience, addresses the majority of asset types:
- Information
– Electronic
– Paper
- People
- Premises
- Suppliers
- Equipment
- Technology
– Hardware
– Software
- Equipment (non-technology equipment such as a fire safe)
- Intangibles (such as brand and reputation)
The first thing to note is that ‘information’ is at the top of the list. This should always be your first consideration as this is the focal point of what you are trying to protect. All of the other types are known as supporting assets because they help you to store, communicate or process the information. As such, they tend to inherit the value of the information itself. For example, we may split laptops out into two groups; a general one for all employees and one for those who store, process or communicate sensitive information. In this scenario, the latter group would naturally require greater levels of protection, as the impact of losing such a laptop would be higher.
As you can see in the list above, we have created subcategories in a couple of places as information can exist electronically, as well as on paper. We also might want to categorise hardware and software technology separately. As we mentioned earlier, you can begin to see that these asset types may suffer from the same types of impact, e.g., it doesn’t matter what the information is, if it is on paper then it all could be impacted by the threat of fire. Similarly, all suppliers need to be managed effectively and therefore we would want to guard against weaknesses in contracts etc.
These asset types can also be mapped to the ISO 27002 controls that provide protection against your information risks. For example, software assets would benefit from controls such as vulnerability and patch management, and hardware assets from air conditioning and suitable power provision. Your people assets would benefit from training and awareness processes, as well as from having suitable contracts of employment in place.
So, it is important to keep your goal in mind i.e., through risk assessment, to identify and then manage your risks in terms of confidentially, integrity and availability (CIA). To do this, you need to achieve a manageable and actionable representation of risk for which you need a manageable asset list.
How URM can help?
Consultancy
All you need to meet SOC 2 requirements
If your organisation has received a request for a SOC 2 report and is looking to meet all the necessary requirements, URM can offer you informed guidance and practical support.
Read more
Consultancy
Do you need any help with ISO 27001 certificate?
URM can help you achieve ISO 27001 certification
Read more
Consultancy
ISO 27002:2022 Support
URM can provide a range of ISO 27002:2022 transition services including conducting a gap analysis, supporting you with risk assessment and treatment activities as well as delivering a 2-day transition training course.
Read more
We will ensure you never become a ‘slave to the Standard’ and your ISMS is something which can easily be maintained and improved.
Find out more
related BLog posts
Information Security
Published on
14/2/2024
A Comparison of ISO 9001 and ISO 27001URM’s blog compares the management system clauses of ISO 27001 and ISO 9001 to identify integration opportunities.
Read more
Information Security
Published on
25/5/2022
Asset identification within RAA question which comes up time and time again is ‘How do I approach asset identification within my information security risk assessment’.
Read more
Information Security
Published on
9/2/2024
The New Threat Intelligence Requirements in ISO 27001:2022URM’s blog discusses the changes to the requirements around threat intelligence in ISO 27001:2022 and what certified organisations will need to do differently.
Read more
It’s one thing having the required technical knowledge, it’s another thing for a consultant to apply that knowledge to the context of our organisation. To use a sporting analogy, we view cyber and information security as a marathon not a sprint. I am not a believer in doing everything all at once. Our approach has been risk based and incremental, remediating our biggest risks first before moving on. I believe this approach is far more sustainable and effective. And URM’s consultants fully understand this and are very pragmatic and tailored in their guidance and advice. They know we are not implementing ISO 27001 purely for the certificate, but more as a framework for continual improvement, and at a pace where new systems and processes can be fully understood and absorbed by our team and be business as usual.
The Owners and Distributors of Quality Brands
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.