How to develop asset inventory for NIS2

What assets should be included in an NIS2 asset inventory?

Assets as a valuable subject of protection

For NIS2 and cybersecurity purposes an information asset is defined as anything of which value to the organization where information is stored and processed. It includes data, information, hardware and any valuable location within an organisation’s systems where sensitive information is stored, processed or accessible. Basically anything that can be attacked, destroyed, interrupted and as a result, you may lose data.

Asset inventory have to include everything you need to protect against cyber-attacts and other threats

Primary assets

• data and information (all digital record for NIS2)
  

Supporting assets

An organisation’s critical infrastructure, infrastructure and people on which deliverivery of data are dependent 

• Hardware (IT servers, network equipment, computers, laptops, etc.)
• Software (enterprise applications and other software) 
• People (employees, contractors, volunteers and anyone who knows confidential information)
• Services (provided by the organisation or third parties)
• Locations (the organisation’s premises, remote employees’ offices, etc.

All that needs to be protected

Organisations should build an asset inventory not only to achieve NIS2 compliance but the inventory is important overview of all valuable assets that needs to be protected in some way. Specifically, an asset inventory is an essential part of the risk assessment process, because it’s a constituent element of identifying and evaluating information security risks. Therefore, relationship between assets, threats, vulnerabilities and risks is important.

• threat is any incident that could negatively affect an asset – for example, if it’s lost, knocked offline or accessed by an unauthorised party.
  
• A vulnerability is an organisational flaw that can be exploited by a threat to destroy, damage or compromise an asset.
  
• Risk can be defined as something that’s in jeopardy (an asset), an actor that can exploit it (a threat) and a way that it can happen (a vulnerability)

Organisations must therefore identify assets alongside threats and vulnerabilities if they are to adequately perform a risk assessment

Information asset inventory

For each individual asset, you need to keep information about their value, who is responsible for protecting them, or what the dependencies are between them so that you know if something happens to one asset, how it will or won't affect other assets. That is why one of the key compliance requirements of NIS2 is to create an asset inventory. This is a central list,registry, of information assets that needs to be protected.  A register or inventory of those information assets has to be put together that shows how they are managed and controlled, based around their importance. 

• Information asset inventory is essential for managing information assets
• Important source for mitigating information security risks, vulnerabilities and threats
  
• NIS2 outlines how organisations can develop an asset inventory

How to build an asset inventory step-by-step for NIS2 with Aptien

When creating an asset inventory for NIS2, you might be tempted to consider an Excel spreadsheet. But since it is a static document, sooner or later it will become very difficult to accurately keep it updated, and it could jeopardize your efforts to increase security in the organization. 

You should build the asset inventory during the risk assessment process. Most organisations take an asset-based approach, and this is the easiest way to create an asset inventory. So building asset inventory is a part of risk assessment analysis. 

1. The process begins by identifying assets and then working out the relevant risks.
2. Doing so means you already have an asset register, which you can use as the basis of your asset inventory.
   

NIS2 doesn’t contain strict rules on the details that must be included in an asset inventory. You can, for example, limit the inventory to the name of the asset and its owner. However, you will also find it helpful to include details such as the asset’s location and category. 

You can get started with your asset inventory with Aptien’s risk assessment tool. This tool provides a simple and fast way to deliver repeatable, consistent assessments year after year. Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default. Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.

Assets are a key focus of risk analysis. Everything depends on them. The law defines primary assets which are your data (and possibly key services) and supporting assets are everything else you need to have to make your system work. The first thing to focus on is determining your primary assets.

The next step is to identify your information assets. This means finding out what types of information you have, such as personal data, financial records, intellectual property, or trade secrets. You also need to identify the sources, locations, formats, and owners of your information assets, such as databases, servers, cloud services, laptops, or employees. You can use various methods to identify your information assets, such as interviews, surveys, audits, or documentation reviews.

1. Identify primary assets

• Primary assets are the information or data that stands at the top of the imaginary pyramid. Services can also be classified as primary assets, but we recommend focusing on only data and information so as not to get confused. Thus, primary assets are data or information that, if you don't have it or it doesn't work, your organization can't function, it can't fulfill its mission. So they are essential to the functioning of your organization:
• Primary assets are information and data essential to the functioning of an organization
  
• See how to identify primary assets

2. Identify supporting assets

• Supporting assets ensure the functionality or availability of primary assets. Each primary asset is dependent on one or more supporting assets, so you need to track these dependencies to perform the analysis. Support assets are typically the following:
• Additional data and information
  
• IT services
• Infrastructure services (e.g. electricity supply)
• Hardware - Computer technology, networks, and other IT technology
• Media and data carriers
• Staff
• Spaces and objects
• Once this has been done, there is a list of preset CIs that you can choose from to categorize them: trackable and non-trackable assets, software, business applications, users, location, and contracts. You can also add custom fields or build your own asset categories, if needed.

3. Identify asset guarantors

• Each asset - primary or supporting - must have a clearly designated responsible person
• Guarantors know their assets well
• Asset guarantors are responsible for managing and managing the safety of the asset throughout its lifetime.

4. Create links and connections between primary and supporting assets

• The next step is to build relationships between those assets. Who is the user owner of that laptop? Which software corresponds to that contract? Keep in mind that if you're working with more complex environments, CMDBs are the perfect feature to turn to.
• It is important to know where your data is stored or what it depends on and how any unavailability of supporting assets such as technology, services, systems, people, applications will affect the unavailability of your data.
• Links between primary and supporting assets help you visualize interdependencies.

5. Do an appraisal of all your assets

• Asset valuation is based primarily on the opinion of the guarantor of the asset
• So, with the help of guarantors, evaluate all assets for confidentiality, availability and integrity.
• The value of each asset is determined according to the impact, i.e. according to the degree of damage caused by its damage or loss.
• You now have a list of your assets. Enter them all in the asset register, enter a rating for each asset and create dependencies between primary and support assets. In the next step, you create a list of threats.

Recommended importance levels of assets according to their impact on the organization

1. Low impact is at the level of discomfort
2. Medium minor damage
3. High critical damage
4. Critical leads to serious impacts on the organization, which are long-term and irreversible

Who should the asset owner be and what are their responsibilities?

Every information asset needs an owner. This is the person who is responsible for managing it on a day-to-day basis. An asset owner isn’t necessarily the person who is legally responsible for protecting the asset. Rather, they are the person best equipped to maintain it. Depending on the asset in question, the appropriate owner might be a system administrator or the manager of the department under which the asset sits.

Asset owners are responsible for ensuring that assets are:

• Inventoried;
  
• Classified and protected;
  
• Subject to appropriate access controls; and
  
• Properly deleted or destroyed when no longer needed.
  
• hese tasks can be delegated, but the ultimate responsibility must always lie with the asset owner.

Conduct periodic audits to verify the accuracy of the fixed asset register. 

nnn

Classify and label your information assets

Once you have identified your information assets, you need to classify and label them according to their value, sensitivity, and criticality. Classification helps you determine the level of protection and control that each information asset requires, based on factors such as legal obligations, business impact, or customer expectations. Labeling helps you communicate the classification to the relevant