The Critical Importance of Information Assets

You can’t protect the unknown

Published Date: 27/8/25

Why Information Assets Matter

Information security is all about ensuring the availability, confidentiality and integrity of information assets. It underpins everything that we do.

These are the guiding principles of the CIA triad (check it out below), which are the fundamentals of developing any robust information security system.

[Image: CIA triad of information security]

However, many organisations attempt the risk assessment phase of an information security programme without clear visibility of what their information assets are. Or perhaps they are aware of some, but have neither prioritised them nor modelled the threats against them.

A clear information asset register is a critical first step in the risk assessment process and subsequent risk treatment, risk review and incident management aspects of your information security strategy.

So how do you begin? What is an information asset? Is it documents? Is it laptops?

The ISO 27001 Definition

Frustratingly, the current ISO 27001 standard gives little clarity on what defines an asset, let alone an information asset. However, the 2005 revision of the standard did have a definition of “anything that has value to the organisation”, and so this is a good starting point.

Obviously, many assets which have value to the business have already had the risks to them considered and mitigated – a good example of this is building and contents insurance.

From an information security perspective, we need to consider any assets that affect the availability, confidentiality or integrity of information assets.


Examples of Information Assets

The types of assets relevant to information security will vary from organisation to organisation, but some common examples are:

Information
This – the most obvious asset type – can include paper files, schematics, digital data, intellectual property, processes, procedures, strategies, financial and HR data.

Hardware
Laptops, PCs, servers, printers, firewalls, backup devices, networking equipment, mobile devices, etcetera. Some companies will have additional leftfield hardware to consider such as IoT devices, industrial control systems, vehicle electronics, etc.

Software
It’s easy to consider the software used day-to-day, such as operating systems, office and financial applications, email clients, etcetera, but remember to include Software-as-a-Service solutions – you will have less responsibility for (and less influence over) these, however they must still be considered.

Infrastructure
You should include any infrastructure assets that impact information, such as offices and utilities (electricity, connectivity, etcetera).

Employees
Finally, employees should be considered, particularly those whose skills, knowledge or experience (and the availability of them) impacts information for the rest of the business.

Written by:

Bob McKay

Cyber & InfoSec Director

Bob McKay is the Cyber & InfoSec Director at Aspire Technology Solutions. He oversees the Aspire Security Operations Centre, leveraging his extensive experience to enhance the security posture and operational efficiency of...