What is an information asset?

What are information assets and why are they important?

Information assets are any data, information, knowledge, software, hardware, IT service, data storage, IT equipment that has value to the company and its loss, theft or misuse would be a problem for the company because without information assets, processes, decision-making and company management cannot work.

• Every organization needs information assets for its functioning and decision-making. Companies cannot exist without information.
• Every information asset is vulnerable and thus should be protected. So it is an object of information security.

Primary information assets: what you must protect and secure

• Information and data: A collection of data or information that has value, is organized and managed and enables the organization to operate business processes and decision making

Supporting, secondary information assets: what must work and you must protect and secure

• Supporting assets are those that must work in order to have data and information available
• Software: software or applications where data is stored or processed 
• Hardware: Any other IT or other equipment
  
• Services: IT services, internal or external, for example cloud data storage
• People: as carriers of knowledge and information, also as a source of risk or failure 
• Physical infrastructure: Any physical equipment, location on which other assets depend, such as a server room

How to divide information assets

Information assets are not all at the same level, they are not just a flat list. They are of different importance and have dependencies between them. Information assets have dependencies between them. The loss of one asset can damage the value of another information asset. For example; flooding a server room will damage servers and therefore the data stored on it. Therefore it is necessary to protect not only the software at the level of cyber security (against cyber attacks), but also the server room at the physical level of security (against such flooding, fire, or theft).

In information and cybersecurity, information assets are divided into primary and secondary (supporting). 

• Primary information assets are data, situated at the top of the pyramid
• Secondary, supporting information assets are everything that enables and supports the provision of data, i.e. software, hardware, physical infrastructure, services, and people

Examples of information assets

• Personal customer data
• Login data
• Backup of data
• Business plans
• Payroll processing applications
  
• Server running enterprise software
  
• Employee's laptop
• Employee's mobile phone
• Any hardware (printers, network elements, etc.)
• Services (cloud services, electricity supply, air-conditioning etc.)
• Cloud storage
• VPN's
  
• Access management processes

How to keep an information asset inventory

Creating the asset inventory is one of the first actions for information security management. The inventory is the essential foundation for other information security data. The information asset inventory should be validated regularly by the management and the asset owners. 

• for keeping an information asset inventory, use Information asset organizers for primary and supporting assets 
• maintain an overview of information assets, divided according to the above methodology or according to your own methodology
• for each asset, you keep key information such as type, confidentiality, etc.
• you can link each individual asset to others to keep them related
  
• the inventory should be updated when additional assets are uncovered.

Creating information asset inventory step-by-step

When we help teams with information security, we often start with a workshop with the information security team and management representatives responsible for individual information assets. With the team, we create a list of information assets in the following way:

1. Start with primary assets (data)

1. First, focus on your primary information assets, i.e. your data
2. Identify the key information that your organization cannot function without. Help yourself with the phrase "if we lose them, we're done" or "if someone abuses them, we have a big problem"
3. List 3-10 core information assets, this will help you not drown in detail
4. Name the impact of the destruction or loss for each primary asset. Help yourself imagine what the consequence of their loss will be for you on a scale from within "we don't know" until "it will ruin us"
5. Assess whether it is really a primary asset and not a supporting one
6. Repeat points 2-5 until you have a satisfactory result, being careful not to include supporting assets.

2. Create a list of supporting assets to the primary assets

1. Identify the key systems, software, hardware or infrastructure where your data (primary assets) is stored
2. Proceed from each primary asset with the question "where and how is the data stored"
3. Name the impact for each one. How will their unavailability affect you? On a scale from "nothing happens" to "nothing will work" 
4. Repeat points 1-3 until you have a list of everything that must work for your company to work

Maintaining information asset inventory

• Information asset register should be continuously updated by the information security team based on new assets, risks, workshops, incidents and inquiries from other employees
• It should be validated regularly by management and asset owners, every six months or once a year.
• We recommend planning regular meetings on the topic of information security, where one of the items on the agenda is a review of the list of your information assets
• Top management should check that all information assets they know and care about are present
• Information assets owners should verify that they recognize and understand all assets assigned to them and are willing to take responsibility