When implementing ISO 27001, one of the first tasks is identifying what your information security measures are actually there to protect. Aphorisms like "You can't protect what you can't see" are often shared at this stage, and they make the point: you need to explore the bits and pieces that come together to form the ongoing machine that is the organisation before you can decide what to protect.
Anything that has value to your organisation (internally or externally) is an asset to be considered. This can get people tied up in knots quite quickly, so let's talk it through and give some examples.
## What exactly is an "asset" in ISO 27001?
"Asset" is not explicitly defined as a term in [[ISO 27000]], but it appears inside several other defined terms. The introduction to the 27000 document provides some context:
> Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their **information assets**, including financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties.
Section 4.1c of the standard then acknowledges the threat to assets:
> Organizations of all types and sizes face a range of risks that can affect the functioning of assets;
So we have some examples of information assets and the recognition that risks may affect assets - useful to get thinking with. We also have the terms and definitions themselves. Here are the defined terms that mention 'assets':
| Term | Definition |
| ------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| 3.1 - Access control | means to ensure that access to **assets** is authorized and restricted based on business and security requirements. |
| 3.2 - Attack | attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an **asset**. |
| 3.35 - Information System | set of applications, services, information technology **assets**, or other information-handling components. |
| 3.77 - Vulnerability | Weakness of an **asset** or control that can be exploited by one or more threats. |
## A definition?
A safe working definition is that an asset is simply anything that has value to your organization. The key here is **value** – if something contributes to your business operations, objectives, or continuity, it's an asset, and you must decide whether to take steps to protect it.
## Common Types of Assets
Let's explore the most common types of assets you should consider. This is not a prescriptive list. To produce your own list, consider running a workshop that uses the 'zoom out' approach described here: [[Asset Register| Zooming out to produce an asset register for an SME]].
### Physical Assets
These are the tangible items you can touch:
- **Tools and Kit**: The physical items required for you to do your daily job.
- **Digital Hardware**: Servers, laptops, desktop computers, tablets, smartphones, networking equipment
- **Storage media**: Hard drives, USB drives, backup tapes
- **Infrastructure**: Buildings, server rooms, secure cabinets, power supplies, HVAC systems
- **Paper documents**: Contracts, design documents, printed reports, employee records
_Example:_ A small marketing firm might identify their asset list as including 15 employee laptops, 2 servers, 5 multi-function printers, and a room full of archived client campaign materials.
### Digital/Information Assets
The data and information your organization depends on:
- **Software**: Applications, operating systems, utilities, development tools
- **Databases**: Customer records, financial data, employee information
- **Configuration data**: System settings, network configurations
- **Intellectual property**: Product designs, algorithms, proprietary methodologies
- **Digital documents**: Policies, procedures, contracts, reports, emails
_Example:_ A healthcare provider would consider patient records, prescription systems, appointment scheduling software, and medical imaging data as critical information assets.
### Non-Tangible Assets
Non-tangible assets are the assets we cannot 'touch', but that can still have an impact on the organisation if they are made unavailable or are damaged in some way.
- **Reputation**: Brand image, public trust, customer confidence
- **Services**: Cloud services, outsourced functions, utilities
- **Knowledge**: Staff expertise, institutional knowledge, processes
- **Relationships**: Customer relationships, supplier arrangements, partnerships
- **Contracts and agreements**: Service level agreements, licensing agreements
- **Certifications and compliance status**: Industry certifications, regulatory compliance
_Example:_ A financial advisory firm might recognize that their reputation for trustworthiness is perhaps their most valuable asset – a security breach damaging this reputation could be more costly than any physical damage.
## Assets People Often Overlook
When conducting your asset inventory, watch for these commonly overlooked assets:
1. **Supporting utilities**: Power, cooling, water systems that keep your primary assets functioning
2. **Third-party services**: Cloud storage, payment processors, SaaS applications
3. **Employee knowledge**: The undocumented expertise that would be lost if key employees left. Consider here the development of a '[[Building a Single Source of Truth|Single Source of Truth]]'.
4. **Communication channels**: Email systems, messaging platforms, phone systems
5. **Temporary assets**: Contractor equipment, rented devices, temporary storage
6. **Network capacity and connectivity**: Internet bandwidth, VPN connections
7. **Time**: System availability and uptime are sometimes treated as an asset in their own right (decide whether this framing is one you 'click' with; if not, treat availability as a property of the assets above instead).
_Example:_ A manufacturing company might overlook their production scheduling system – not the software itself, but the carefully optimized production schedule that took years to perfect. If this information were compromised, competitors could gain significant advantage. Equally, if key employees left and this schedule was not documented, this asset could be lost - and the company would have lost years of business-hardened development.
## Assets and Risk Assessments
Once you've identified your assets, you need to understand:
1. **Value**: What is this asset worth to your organization?
2. **Threats**: What could harm this asset?
3. **Vulnerabilities**: What weaknesses could be exploited?
4. **Impact**: What would happen if the asset were compromised?
For non-tangible assets, consider these questions:
- How would a data breach affect customer trust?
- What would happen if key institutional knowledge was lost?
- How would service interruptions impact your reputation?
_Example:_ An e-commerce company depends on their website's availability. The asset is not just the website code or the server it runs on, but the actual service availability. A risk assessment would consider the impact of downtime – lost sales, damaged reputation, and customer impact – which often far exceeds the value of the physical infrastructure.
## Practical Approach to Asset Identification
1. **Start with brainstorming**: Gather representatives from different departments for a comprehensive view.
2. **Use categories**: Group assets as shown above to ensure nothing is missed.
3. **Review processes**: Follow your business processes from start to finish, identifying assets involved at each step. This is easier said than done - and building a business process map is in itself a piece of work.
4. **Consider dependencies**: If one asset fails, what other assets are affected?
5. **Document ownership**: Assign an owner to each asset who understands its value and can make decisions about its protection. This may be different to the person who uses the asset day to day.
_Example:_ A law firm might track document management as a process, identifying the document management system (software), the servers it runs on (hardware), the confidential client information it contains (information), the expertise needed to maintain it (knowledge), and the reputation for confidentiality (non-tangible) as interconnected assets.
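The two sections above describe a procedure rather than a tool: list the assets, record an owner and a value for each, and trace dependencies so that the loss of one asset can be followed through to the assets that rely on it. Below is an added example (not from the original article, and not any particular register product) that does exactly that for the law-firm example: it builds a small register, checks that every asset has an owner and that every dependency points at a registered asset, and walks the dependency graph to find everything affected if a given asset becomes unavailable. The asset names, owners, the 1 to 5 value scale and the field names are all assumptions of this example, chosen to mirror the text.

```python
"""Minimal asset register with ownership checks and dependency analysis.

Added example, not from the original article. Assets, owners and the
1 (low) .. 5 (critical) value scale are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Asset:
    name: str
    category: str                    # physical, software, information, knowledge, non-tangible
    owner: Optional[str]             # accountable person; may differ from the day-to-day user
    value: int                       # assumed 1..5 scale of value to the organisation
    depends_on: List[str] = field(default_factory=list)   # names of assets this one needs


class AssetRegister:
    def __init__(self) -> None:
        self._assets: Dict[str, Asset] = {}

    def add(self, asset: Asset) -> None:
        if asset.name in self._assets:
            raise ValueError(f"duplicate asset: {asset.name}")
        if not 1 <= asset.value <= 5:
            raise ValueError(f"{asset.name}: value must be 1..5")
        self._assets[asset.name] = asset

    def validate(self) -> List[str]:
        """Problems a reviewer would flag: assets with no owner, dependencies on
        assets nobody has registered (a sign the inventory is incomplete)."""
        problems = []
        for a in self._assets.values():
            if not a.owner:
                problems.append(f"{a.name}: no owner assigned")
            for dep in a.depends_on:
                if dep not in self._assets:
                    problems.append(f"{a.name}: depends on unregistered asset '{dep}'")
        return problems

    def dependants(self, name: str) -> Set[str]:
        """Every asset that is (transitively) affected if `name` becomes unavailable.
        Breadth-first search over the reverse dependency edges."""
        if name not in self._assets:
            raise KeyError(name)
        affected: Set[str] = set()
        queue = deque([name])
        while queue:
            current = queue.popleft()
            for a in self._assets.values():
                if current in a.depends_on and a.name not in affected:
                    affected.add(a.name)
                    queue.append(a.name)
        return affected

    def blast_radius_value(self, name: str) -> int:
        """Highest value reached by an outage of `name`, counting the asset itself.
        This is often larger than the asset's own value (a cheap server that
        carries the client files and, through them, the firm's reputation)."""
        reach = self.dependants(name) | {name}
        return max(self._assets[n].value for n in reach)


def build_law_firm_register() -> AssetRegister:
    """Constructed register following the law-firm example in the text."""
    reg = AssetRegister()
    reg.add(Asset("Server rack", "physical", "IT Manager", 3))
    reg.add(Asset("DMS admin expertise", "knowledge", None, 3))    # owner deliberately missing
    reg.add(Asset("Document management system", "software", "IT Manager", 4,
                  depends_on=["Server rack", "DMS admin expertise"]))
    reg.add(Asset("Client matter files", "information", "Managing Partner", 5,
                  depends_on=["Document management system"]))
    reg.add(Asset("Reputation for confidentiality", "non-tangible", "Managing Partner", 5,
                  depends_on=["Client matter files"]))
    return reg


if __name__ == "__main__":
    register = build_law_firm_register()
    for problem in register.validate():
        print("register problem:", problem)
    for asset in ("Server rack", "DMS admin expertise"):
        print(f"{asset}: affects {sorted(register.dependants(asset))}, "
              f"blast radius value {register.blast_radius_value(asset)}")
```

Running it flags the undocumented admin knowledge as ownerless, and shows that both the server (value 3) and that knowledge (value 3) reach the value-5 reputation asset through the document system and the client files. That is the point of step 4 in the list above: the value at risk from losing an asset is set by what depends on it, not by what the asset itself cost.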
## Conclusion
Asset identification isn't a one-time activity - it's a commitment to visibility. As your organization evolves, regularly revisit your asset inventory.
The most robust systems recognize that non-tangible assets often represent the greatest value and the greatest potential for loss. It is the human parts of any system that offer the most value; consider again how much of a process's value lies exclusively in the person who performs it, and act accordingly.