Understanding information assets
Definition of information assets
Well, that’s easy: there isn’t one, or at least not one universally accepted definition.
ISO/IEC 27000:2018 Overview and vocabulary refers to ‘information asset’ 33 times,
but never actually defines it.
A frequently (ab)used definition of an information asset is ‘everything that has a value
to the organisation’. This is the point at which your facilities manager starts counting chairs.
So, is there anything out there that is a bit more illuminating? It’s a bit wordy, but we quite like the National Archives (2017)
definition of an information asset as ‘… a body of information, defined and managed as a single unit so it can be understood,
shared, protected and exploited efficiently.
Information assets have recognisable and manageable value, risk, content and lifecycles.’
Information asset in corporate information security governance
Organisations that are endeavouring to implement an information security management system (ISMS) will already have
attempted to identify their information assets. Many will already have an asset register in place and will have an idea of the
information security requirements pertaining to the ISMS implementation. Key aspects to be defined in the information security
governance for information assets are:
Asset impact levels to (C)onfidentiality, (I)ntegrity and (A)vailability.
Asset identification needs to be completed as an organisation-wide exercise. A basic segregation of information assets for
the entire organisation is as follows:
Intangible assets (e.g. brand and reputation)
A common method of identifying assets is to conduct interviews with departmental heads and produce a list of assets as
presented by those managers. However, from a governance perspective, it is the responsibility of the information security
professional to ensure that managers have a clear understanding of what constitutes an information asset, its relevance
within a corporate governance structure and how identified information assets need to be managed.
Let us take the example of a simple asset, a laptop:
This asset has a monetary value to the organisation – it’s probably a well known and reputable brand that has been
Laptops are issued, generally, by the IT department and this is where we would expect to find a list of the laptops
issued throughout the organisation
Laptops naturally offer a flexible working pattern, enabling you to work remotely, i.e. from home, cafes, trains,
Employees will store, process and transmit all sorts of information on these laptops in order to perform their
Naturally, the types of information being stored, communicated, processed or accessed by laptops are going to vary
considerably across the organisation, as per Figure 1.
Identifying asset owner
In the process of identifying asset owners, it is important to identify a functional role that has oversight of specific types
of assets. Asset owners are responsible for:
Identifying risks to the asset type
Providing guidance and instructions on how the asset should be used
Identifying levels of protection required depending on the asset classification
Implementing and verifying the effectiveness of security controls in respect of that asset type.
With the laptop example, the logical owner would be the IT Manager, the rationale being that the IT Manager has complete
control over this type of asset, including ingress, egress, maintenance, etc. Sometimes, organisations assign asset
ownership to a department rather than a role, e.g. the IT Department. This practice, however, should be avoided wherever
possible, as it is nigh on impossible to establish collective responsibility.
Depending on the organisational structure, it would typically be the asset owner who would decide asset classification.
The classification must be approved by top management and the criteria for protection of assets must be in line with their criticality.
If in doubt, ask yourself ‘What if’ for the particular asset you are responsible for. During this process, paranoia may lead to
exaggerated classification, but it is a learning process. It is important to get the right balance, however, as under-classification
could lead to unauthorised disclosure or access and over-classification (i.e. too much security) could lead to a loss of availability.
As presented in Figure 2., the IT Manager must consult the business to evaluate what level of protection should be applied to laptops.
For illustrative purposes, let’s consider an organisation which has adopted three levels of classification: confidential, restricted and
public (Figure 2.).
In this scenario, the IT Manager will evaluate what is the highest classification requirement for laptops in each functional area and
apply security controls in accordance with that requirement. So, the real key is to understand what the laptop will be used for, and its
classification will be inherited from the classification of the information accessed through it, stored on it or processed by it.
As with classification, impact levels are assigned by the asset owner. Determining the impact levels of assets can be relatively complex
and we will address this in more detail in a future blog. However, in terms of the impact level associated with our laptops, again it is
inherited from the information.
For example, if our laptop is to be used by someone who works in HR, it is highly likely that the information which the laptop is exposed
to has a high impact value. After all, it is likely to include personally identifiable information which is subject to data protection legislation.
Consequently, our laptop will inherit that high impact value. Once this assessment has been made, the asset owner can implement the
appropriate controls to protect the laptop.
Finally, but certainly not least, it is important for any organisation to understand what it has under its control in terms of its information
assets and other supporting assets. Without this information, it will be almost impossible to ensure that the appropriate levels of protection
are being implemented. We suggest developing an asset register which includes the following details:
Asset impact levels
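The inheritance rule described above (a laptop takes the highest classification, and the highest C/I/A impact levels, of the information it is exposed to, with the owner first working out the highest requirement per functional area) can be made mechanical in an asset register. The following is an added example written for this page; it is not URM’s code or tooling. It uses the article’s three classification levels; the low/medium/high impact scale, the functional areas, the sample information assets and the ‘owner must be a role, not a department’ heuristic are all constructed for the illustration.

```python
"""Added example (not from the original article): a minimal asset-register
model in which a supporting asset such as a laptop inherits its classification
and its C/I/A impact levels from the information assets it is exposed to."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Ordered scales: a higher index means more sensitive / higher impact.
# The classification levels are the article's; the impact scale is constructed.
CLASSIFICATION = ["public", "restricted", "confidential"]
IMPACT = ["low", "medium", "high"]
CIA = ("C", "I", "A")


@dataclass
class InformationAsset:
    name: str
    functional_area: str
    classification: str
    impact: Dict[str, str]  # {"C": ..., "I": ..., "A": ...}, values from IMPACT

    def __post_init__(self) -> None:
        # Reject register entries that use a level outside the agreed scheme.
        if self.classification not in CLASSIFICATION:
            raise ValueError(f"{self.name}: unknown classification {self.classification!r}")
        for key in CIA:
            if self.impact.get(key) not in IMPACT:
                raise ValueError(f"{self.name}: missing or unknown impact level for {key}")


def highest(scale: List[str], values: Iterable[str]) -> str:
    """Return the most sensitive value on an ordered scale."""
    return max(values, key=scale.index)


def highest_classification_by_area(assets: Iterable[InformationAsset]) -> Dict[str, str]:
    """The owner's first step: the highest classification requirement in each
    functional area in which the supporting asset is used."""
    result: Dict[str, str] = {}
    for asset in assets:
        current = result.get(asset.functional_area, CLASSIFICATION[0])
        result[asset.functional_area] = highest(CLASSIFICATION, [current, asset.classification])
    return result


def inherit(assets: Iterable[InformationAsset]) -> Dict[str, object]:
    """Classification and impact a supporting asset inherits from the
    information it stores, processes or accesses: the maximum of each."""
    assets = list(assets)
    if not assets:
        raise ValueError("a supporting asset must be linked to at least one information asset")
    return {
        "classification": highest(CLASSIFICATION, (a.classification for a in assets)),
        "impact": {key: highest(IMPACT, (a.impact[key] for a in assets)) for key in CIA},
    }


def looks_like_department(owner: str) -> bool:
    """Constructed heuristic: ownership should sit with a role (e.g. 'IT Manager'),
    not a collective such as 'IT Department'."""
    return owner.strip().lower().split()[-1] in {"department", "team", "function"}


def build_register_entry(asset_name: str, owner_role: str,
                         assets: Iterable[InformationAsset]) -> Dict[str, object]:
    """One asset-register row for a supporting asset, with derived fields."""
    if looks_like_department(owner_role):
        raise ValueError(f"owner {owner_role!r} is a department, assign a role instead")
    assets = list(assets)
    derived = inherit(assets)
    return {
        "asset": asset_name,
        "owner_role": owner_role,
        "used_in": sorted({a.functional_area for a in assets}),
        "classification": derived["classification"],
        "impact": derived["impact"],
        "inherited_from": [a.name for a in assets],
    }


# Constructed sample information assets, one per functional area.
SAMPLE_INFORMATION = [
    InformationAsset("Employee personnel files", "HR", "confidential",
                     {"C": "high", "I": "high", "A": "medium"}),
    InformationAsset("Published press releases", "Marketing", "public",
                     {"C": "low", "I": "medium", "A": "low"}),
    InformationAsset("Quarterly management accounts", "Finance", "restricted",
                     {"C": "medium", "I": "high", "A": "medium"}),
]

if __name__ == "__main__":
    print(highest_classification_by_area(SAMPLE_INFORMATION))
    print(build_register_entry("Corporate laptop fleet", "IT Manager", SAMPLE_INFORMATION))
```

A laptop used across all three areas comes out as confidential with C/I/A of high/high/medium, driven entirely by the HR and Finance information; a laptop used only in Marketing would inherit public and low/medium/low. The register row records which information assets drove the result, so a later change to the classification of one of them can be traced to every supporting asset it affects.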
If you would like to explore how URM’s consultancy and training services can benefit your organisation,
we offer a ‘no obligation’ discussion with a senior member of our consultancy team. Please let us know
the specific challenge you are facing within our areas of expertise e.g. information security (ISO 27001,
PCI DSS), data protection (GDPR, DPA 2018), business continuity (ISO 22301) and risk management so
that we can arrange a discussion.