How do you Categorise Your Assets When Conducting an Information Security Risk Assessment?

Published on 19 July 2022
SUMMARY

‘How do we approach asset identification within our information security risk assessment?’ There are two aspects to this question: ‘which assets do we include?’ and ‘how granular do we make the list?’. This blog examines which assets or asset types to include and should be read in conjunction with another URM blog, titled ‘Streamlining Asset Identification For Effective Risk Management’, where we stressed the need to stay at a high level when identifying your information assets.

One thing that we recommend you think about is categorising your assets.  This is a useful process, as it enables you to identify assets that could face similar threats or may contain similar vulnerabilities.

The following list is typical, but is by no means the only way to categorise your assets, as it depends on the nature of your business.  As such, this is not an exhaustive list, but is a good starting point which, in our experience, addresses the majority of asset types:

  • Information:
    • Electronic
    • Paper
  • People
  • Premises
  • Suppliers
  • Technology:
    • Hardware
    • Software
  • Equipment (non-technology equipment such as a fire safe)
  • Intangibles (such as brand and reputation).

The first thing to note is that ‘information’ is at the top of the list. This should always be your first consideration, as it is the focal point of what you are trying to protect. All of the other types are known as supporting assets, because they help you to store, communicate or process the information. As such, they tend to inherit the value of the information itself. For example, you may split laptops out into two groups: a general one for all employees and one for those who store, process or communicate sensitive information. In this scenario, the latter group would naturally require greater levels of protection, as the impact of losing such a laptop would be higher.

As can be seen from the list above, we have created subcategories for information, as it can exist electronically as well as on paper. You may also benefit from categorising hardware and software technology separately. As we mentioned earlier, assets of the same type tend to be exposed to the same threats and to share the same vulnerabilities: it doesn’t matter what the information is, if it is on paper then all of it could be affected by the threat of fire. Similarly, all suppliers need to be managed effectively, and so for every supplier we would want to guard against weaknesses in contracts and the like.

These asset types can also be mapped to the ISO 27001 Annex A security controls that provide protection against your information risks. For example, software assets would benefit from controls such as vulnerability and patch management, and hardware assets from environmental controls such as air conditioning and a suitable power supply. Your people assets would benefit from training and awareness processes, as well as from having suitable contracts of employment in place.
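As an added illustration (this is example code written for this blog, not code from the article and not how URM’s Abriska 27001 works), the following Python models a small asset register built on the categories above. Information assets carry an explicit confidentiality, integrity and availability rating on a 1 to 5 scale; every supporting asset inherits the highest rating of whatever it stores, processes or houses, recursively, so a building inherits from the laptops and safes inside it; and each category carries a shared threat list and a set of Annex A control themes, applied once per category rather than once per asset. The asset names, ratings, threat lists and the category-to-control mapping are all constructed for the example; the control numbers quoted follow ISO/IEC 27001:2022 numbering.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

CIA = Tuple[int, int, int]  # (Confidentiality, Integrity, Availability), each 1-5


@dataclass
class Asset:
    name: str
    category: str                      # top-level type from the list above
    subcategory: str = ""              # "Electronic"/"Paper", "Hardware"/"Software", or blank
    rating: Optional[CIA] = None       # set directly on information assets only
    supports: List[str] = field(default_factory=list)  # assets this one stores, processes or houses


# Threats shared by every asset of a (category, subcategory); a blank subcategory
# is the fallback for the whole category. Constructed for illustration.
SHARED_THREATS: Dict[Tuple[str, str], List[str]] = {
    ("Information", "Paper"): ["fire", "flood", "unauthorised reading (clear desk)"],
    ("Information", "Electronic"): ["ransomware", "unauthorised access", "corruption"],
    ("Technology", "Hardware"): ["theft", "power failure", "overheating"],
    ("Technology", "Software"): ["unpatched vulnerability", "misconfiguration"],
    ("People", ""): ["social engineering", "human error", "loss of key staff"],
    ("Premises", ""): ["fire", "unauthorised entry", "utility failure"],
    ("Suppliers", ""): ["weak contract", "supplier breach", "supplier failure"],
    ("Equipment", ""): ["fire", "theft"],
}

# Control themes per category, following the article's examples
# (numbers are ISO/IEC 27001:2022 Annex A; the mapping itself is illustrative).
CONTROL_THEMES: Dict[str, List[str]] = {
    "Information": ["5.12 classification of information", "5.10 acceptable use"],
    "Technology": ["8.8 management of technical vulnerabilities", "7.11 supporting utilities"],
    "People": ["6.3 awareness, education and training", "6.2 terms and conditions of employment"],
    "Premises": ["7.5 protection against physical and environmental threats"],
    "Suppliers": ["5.20 information security within supplier agreements"],
    "Equipment": ["7.8 equipment siting and protection"],
}


def build_register(assets: List[Asset]) -> Dict[str, Asset]:
    return {a.name: a for a in assets}


def inherited_rating(name: str, register: Dict[str, Asset],
                     path: FrozenSet[str] = frozenset()) -> CIA:
    """Information assets return their own rating. Supporting assets inherit the
    highest C, I and A of everything they support, recursively. `path` holds the
    chain of assets currently being resolved so a cycle in 'supports' is reported
    rather than recursing forever (a diamond, where two branches meet, is fine)."""
    if name in path:
        raise ValueError(f"cycle in 'supports' involving {name!r}")
    asset = register[name]
    if asset.rating is not None:
        return asset.rating
    if not asset.supports:
        raise ValueError(f"{name!r} has no rating and supports no information asset")
    ratings = [inherited_rating(n, register, path | {name}) for n in asset.supports]
    c, i, a = (max(r[k] for r in ratings) for k in range(3))
    return (c, i, a)


def risk_view(register: Dict[str, Asset]) -> Dict[str, dict]:
    """One row per asset: inherited rating, the threats shared with its
    category, and the control themes that address them."""
    rows = {}
    for name, asset in register.items():
        threats = (SHARED_THREATS.get((asset.category, asset.subcategory))
                   or SHARED_THREATS.get((asset.category, ""), []))
        rows[name] = {
            "category": asset.category,
            "rating": inherited_rating(name, register),
            "threats": threats,
            "controls": CONTROL_THEMES.get(asset.category, []),
        }
    return rows


def treatment_order(register: Dict[str, Asset]) -> List[str]:
    """Assets ordered by their highest single C/I/A rating, then by name: the
    protection priority implied by the laptop example above."""
    view = risk_view(register)
    return sorted(view, key=lambda n: (-max(view[n]["rating"]), n))


# Constructed sample register (not a real organisation).
SAMPLE_REGISTER = build_register([
    Asset("Customer database", "Information", "Electronic", rating=(5, 4, 4)),
    Asset("Staff newsletter archive", "Information", "Electronic", rating=(1, 2, 1)),
    Asset("Signed client contracts", "Information", "Paper", rating=(4, 4, 3)),
    Asset("Finance team laptops", "Technology", "Hardware", supports=["Customer database"]),
    Asset("General staff laptops", "Technology", "Hardware", supports=["Staff newsletter archive"]),
    Asset("Fire safe", "Equipment", supports=["Signed client contracts"]),
    Asset("Head office", "Premises",
          supports=["Fire safe", "Finance team laptops", "General staff laptops"]),
    Asset("Payroll bureau", "Suppliers", supports=["Customer database"]),
])

if __name__ == "__main__":
    for name in treatment_order(SAMPLE_REGISTER):
        row = risk_view(SAMPLE_REGISTER)[name]
        print(f"{name:28} {row['category']:12} CIA={row['rating']}  threats={row['threats']}")
```

Running it shows the two laptop groups ending up with very different inherited ratings, the head office inheriting the highest rating of anything kept inside it, and the paper contracts and the fire safe picking up the same ‘fire’ threat from their categories. Keeping the register at this granularity (one row per group of like assets, not one per device) is what keeps the resulting risk picture manageable.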

So, it is important to keep your goal in mind, i.e., through risk assessment, to identify and then manage your risks in terms of confidentiality, integrity and availability (CIA). To do this, you need to achieve a manageable and actionable representation of risk, for which you need a manageable asset list.

How URM can Help

Having supported hundreds of organisations’ information security risk management programmes over the course of two decades, URM is the ideal partner to help you create and implement an effective information security risk management programme. With our proven information security risk management software, Abriska 27001, we can support the entire risk assessment process, as well as assisting with risk treatment and helping you prioritise treatment activities to maximise your time, effort and budget. Whether you are looking to establish and implement an ISO 27001-aligned information security management system (ISMS) or simply enhance your organisation’s risk management capabilities, URM will provide tailored guidance and support that is suited to your organisation’s unique needs.
