What are Primary Assets

Last updated: 2025-11-04

Primary assets are the things that directly create value for your business and must be protected first. These are usually information, business processes, or services that deliver core business value to customers (products, services, critical data, customer-facing processes). Everything else (hardware, software, networks, people, facilities, vendors) is a supporting asset that enables primary assets to function.

Because primary assets keep the business running, companies must protect them to avoid downtime and loss. In information security and cybersecurity, they are the top priority because they are essential to the business. If they are lost, stolen, or misused, they can create serious business risk.

  • Primary assets drive business outcomes and sit at the top of the value chain
  • Primary assets include information assets, customer-facing services, or production processes/technologies critical to the company’s survival
  • Supporting assets enable primary assets to operate—without them nothing works, but they are not why the company exists (internal processes, IT infrastructure, HR systems, etc.)

See here how to identify your primary assets.

Examples of primary assets

  • Personal customer data
  • Login data
  • Backup of data
  • Business plans

Operation Dependencies on supporting IT Assets

Assets are not a single flat list. They vary in importance and have dependencies. The loss of one asset can reduce the value of another asset. They also depend on supporting assets. For example, a data center outage or fire can take down applications and the data stored in them. You need to protect not only software at the level of cybersecurity (against cyberattacks) but also the data center and facilities at the level of physical security (against fire, theft, flooding).

Supporting information assets are everything that enables primary assets to exist and operate: software, hardware, physical infrastructure, supporting services, and people.

  • Software: all software and applications where data is stored or processed.
  • Hardware: servers and other IT or business equipment that runs the software.
  • Networks and communications infrastructure: enable secure data transmission.
  • Physical infrastructure: rooms and facilities, physical equipment, and locations (for example, a server room or data center) where hardware or network infrastructure is housed.
  • People: carriers of knowledge and information, and also a potential source of risk or failure.
  • Purchased services and processes: IT and outsourced services, such as cloud storage, internet connectivity, or electricity supply.

How to Keep a Primary Asset Inventory

Creating the asset inventory is one of the first actions for information security management. The inventory is the essential foundation for other information security data. The information asset inventory should be validated regularly by the management and the asset owners. 

  • To keep an information asset inventory, use information asset organizers for primary and supporting assets.
  • Maintain an overview of information assets, divided according to the above methodology or according to your own methodology.
  • For each asset, record key information such as type, confidentiality, etc.
  • Link each individual asset to the others it relates to, so that the relationships are preserved.
  • Update the inventory whenever additional assets are uncovered.

Creating information asset inventory step-by-step

When we help teams with information security, we often start with a workshop with the information security team and management representatives responsible for individual information assets. With the team, we create a list of information assets in the following way:

1. Start with primary assets (data)

  1. First, focus on your primary information assets, i.e. your data
  2. Identify the key information that your organization cannot function without. Use the phrases "if we lose them, we're done" or "if someone abuses them, we have a big problem" as a guide
  3. List 3-10 core information assets. This will help you not drown in detail
  4. Name the impact of destruction or loss for each primary asset. Imagine what the consequence of losing it would be for you, on a scale from "we don't know" to "it will ruin us"
  5. Assess whether it is really a primary asset and not a supporting one
  6. Repeat points 2-5 until you have a satisfactory result, being careful not to include supporting assets.

2. Create a list of supporting assets to the primary assets

  1. Identify the key systems, software, hardware or infrastructure where your data (primary assets) is stored
  2. Proceed from each primary asset with the question "where and how is the data stored"
  3. Name the impact for each one. How will their unavailability affect you? On a scale from "nothing happens" to "nothing will work" 
  4. Repeat points 1-3 until you have a list of everything that must work for your company to work

Maintaining information asset inventory

  • The information asset register should be continuously updated by the information security team based on new assets, risks, workshops, incidents and inquiries from other employees
  • It should be validated regularly by management and asset owners, every six months or once a year.
  • We recommend planning regular meetings on the topic of information security, where one of the items on the agenda is a review of the list of your information assets
  • Top management should check that all information assets they know and care about are present
  • Information asset owners should verify that they recognize and understand all assets assigned to them and are willing to take responsibility
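
The dependency and linking ideas above can be checked mechanically once the register is kept as structured data. The following sketch is an added example, not part of the original page or any product it describes. It links primary assets to supporting assets, works out what a supporting-asset outage takes down, and lists inventory gaps. The 1-5 impact scale, the 183-day validation window, the field names and the sample register are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Asset:
    name: str
    kind: str            # "primary" or "supporting"
    impact: int          # assumed scale: 1 = "nothing happens" ... 5 = "it will ruin us"
    last_validated: date
    depends_on: list = field(default_factory=list)  # names of linked supporting assets

def affected_by(register, failed):
    """Names of all assets that directly or transitively depend on `failed`."""
    hit, frontier = set(), {failed}
    while frontier:
        frontier = {a.name for a in register.values() if frontier & set(a.depends_on)} - hit
        hit |= frontier
    return hit

def inherited_impact(register, name):
    """A supporting asset is at least as critical as anything that relies on it."""
    return max([register[name].impact] +
               [register[d].impact for d in affected_by(register, name)])

def findings(register, today, max_age=timedelta(days=183)):
    """Inventory gaps: unlinked primary assets, dangling links, overdue validation."""
    out = []
    for a in register.values():
        if a.kind == "primary" and not a.depends_on:
            out.append((a.name, "no supporting asset linked"))
        out += [(a.name, f"unknown asset {d!r}") for d in a.depends_on if d not in register]
        if today - a.last_validated > max_age:
            out.append((a.name, "validation overdue"))
    return out

# Constructed sample register (names loosely follow the page's examples).
OK = date(2025, 9, 1)
REGISTER = {a.name: a for a in [
    Asset("Personal customer data", "primary", 5, OK, ["CRM application"]),
    Asset("Business plans", "primary", 4, date(2024, 11, 1), ["Cloud storage"]),
    Asset("Login data", "primary", 4, OK, []),
    Asset("CRM application", "supporting", 3, OK, ["Database server"]),
    Asset("Database server", "supporting", 2, OK, ["Data center"]),
    Asset("Data center", "supporting", 2, OK, []),
    Asset("Cloud storage", "supporting", 2, OK, []),
]}

if __name__ == "__main__":
    print(inherited_impact(REGISTER, "Data center"), findings(REGISTER, date(2025, 11, 4)))
```

In this sample the data center was rated 2 on its own, but it inherits an impact of 5 because the customer data ultimately depends on it. That is the reason for walking the links rather than rating each supporting asset in isolation.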