Overview
An asset in ISO 27001 is anything of value to your organization that requires protection. Assets include information, systems, physical equipment, services, people, and organizational reputation that support business operations and require confidentiality, integrity, or availability safeguards.
What it means in practice
Assets are what you're protecting with your ISMS. Your risk assessment starts by identifying assets, then determines what threats could harm them and which controls are needed for protection.
Real-world example: A SaaS company's assets include: customer database (information), source code (intellectual property), production servers (physical/technical), employees with specialized skills (people), third-party cloud services (services), and brand reputation (intangible). Each requires different protection measures.
Types of assets
Information assets
Structured data: Databases, spreadsheets, records
Documents: Contracts, policies, procedures, reports
Intellectual property: Source code, patents, trade secrets, designs
Personal data: Customer information, employee records (GDPR-regulated)
Financial data: Transaction records, banking details, financial statements
Communications: Emails, chat messages, recorded calls
Physical assets
Hardware: Servers, workstations, laptops, mobile devices
Storage media: Hard drives, USB drives, backup tapes
Infrastructure: Network equipment, cables, power systems
Facilities: Data centers, offices, server rooms
Paper documents: Printed records, contracts, confidential files
Software assets
Applications: Business software, CRM, ERP systems
Operating systems: Server and workstation OS
Development tools: IDEs, compilers, build systems
Custom software: In-house developed applications
Licenses: Software entitlements and rights
Services
IT services: Cloud platforms, SaaS applications, managed services
Utilities: Power, cooling, telecommunications
Support services: Maintenance contracts, security monitoring
Third-party providers: Outsourced functions, consultants
People
Specialized expertise: Skills that are difficult to replace
Key personnel: Individuals critical to operations
Institutional knowledge: Undocumented processes known by specific people
Intangible assets
Reputation: Brand value, customer trust
Goodwill: Business relationships, market position
Regulatory compliance: Licenses, certifications
Asset identification scope: Focus on assets within your defined ISMS scope. If your scope is "customer-facing web application and supporting infrastructure," assets outside that boundary (like internal HR systems) don't need to be cataloged for ISO 27001 purposes.
Asset inventory (A.5.9)
Why inventory is mandatory
ISO 27001 control A.5.9 requires "inventory of information and other associated assets." You can't protect what you don't know you have. The asset inventory is the foundation of risk assessment.
What to include in inventory
For each asset, document:
Asset ID: Unique identifier
Asset name/description: Clear identification
Asset type: Information, physical, software, service, etc.
Owner: Person responsible for the asset
Location: Physical or logical location
Classification: Sensitivity level (Public, Internal, Confidential, etc.)
Value: Importance to business (optional but helpful)
Dependencies: Other assets it relies on or supports
Inventory formats
Spreadsheet: Simple, works for small organizations
Database: Better for medium/large organizations with many assets
GRC tool: Integrated with risk assessment and control management
Configuration management database (CMDB): Technical assets tracked in IT systems
Common mistake: Creating an exhaustive inventory of every pen and paperclip. Focus on assets material to information security risks. A 500-line asset inventory of trivial items is harder to maintain than a focused 50-item list of critical assets.
Asset ownership
What asset ownership means
The asset owner is responsible for:
Defining classification and protection requirements
Approving access to the asset
Ensuring appropriate controls are applied
Regular review of asset security
Authorizing asset disposal or decommissioning
Owner vs. custodian
Owner: Business role accountable for the asset (usually manager or executive)
Custodian: Technical role managing day-to-day asset security (often IT team)
Example: The VP of Sales might own the customer database (business accountability), while the database administrator is the custodian (technical management).
Best practice: Assign owners at an appropriate level - senior enough to have authority and accountability, but close enough to the asset to make informed decisions. A C-level executive owning 200 individual assets can't effectively manage them.
Asset classification (A.5.12)
Why classify assets
Classification ensures assets receive appropriate protection based on their sensitivity and value. Not all data needs the same security - classification enables proportional control selection.
Common classification schemes
Basic (3 levels)
Public: Can be freely disclosed
Internal: For internal use, not public
Confidential: Sensitive, restricted access
Standard (4 levels)
Public: No confidentiality impact if disclosed
Internal: Low impact from disclosure
Confidential: Medium-high impact from disclosure
Secret/Restricted: Severe impact from disclosure
Detailed (5+ levels)
Some organizations add levels like "Proprietary," "Sensitive," or regulatory-specific classifications (PII, PHI, PCI).
Classification criteria
Determine classification based on the impact to confidentiality, integrity, and availability (CIA) if the asset is compromised:
Confidentiality: Impact of unauthorized disclosure
Integrity: Impact of unauthorized modification
Availability: Impact of loss or unavailability
Also consider:
Legal/regulatory requirements (GDPR, HIPAA, PCI DSS)
Contractual obligations (customer NDAs, supplier agreements)
Business value and competitive sensitivity
Classification guidelines: Create clear decision criteria for each level. For example, "Confidential: Personal data, financial records, trade secrets, or data whose disclosure would cause significant business harm or regulatory penalties."
Asset valuation
Why value assets
Asset value helps prioritize protection efforts and justify control investments. High-value assets warrant stronger (and more expensive) controls.
Valuation approaches
Quantitative (financial)
Replacement cost (hardware, software licenses)
Revenue impact if unavailable
Potential fine or penalty if compromised
Market value or intellectual property value
Qualitative (business impact)
Critical: Essential to business survival
High: Significant business impact
Medium: Notable impact but alternatives exist
Low: Minimal impact if lost or compromised
Factors affecting asset value
Replacement cost and effort
Time to restore or recreate
Revenue dependency
Regulatory importance
Competitive advantage provided
Reputational impact if compromised
Value isn't just cost: A customer database's replacement cost might be modest, but its value includes years of relationship building, competitive intelligence, and GDPR compliance obligations. Value encompasses all business impacts, not just financial replacement cost.
Asset lifecycle management
Acquisition
Add to asset inventory when acquired
Assign owner and classify
Apply appropriate controls based on classification
Use
Operate within acceptable use policies (A.5.10)
Maintain controls throughout lifecycle
Review access permissions periodically
Modification
Update inventory when assets change
Reassess classification if use or sensitivity changes
Follow change management processes (A.8.32)
Transfer
Maintain confidentiality during transfer (A.5.14)
Update ownership in inventory
Ensure controls remain in place
Disposal
Securely delete information (A.8.10)
Physical destruction if needed
Remove from inventory
Return leased/licensed assets (A.5.11)
Assets and risk assessment
Asset-centric risk assessment
Common risk assessment approach:
Identify assets
Determine asset value/classification
Identify threats to each asset
Identify vulnerabilities that threats could exploit
Assess impact if threat exploits vulnerability
Evaluate likelihood of occurrence
Calculate risk level (impact × likelihood)
Select controls to reduce risk
Asset dependencies
Consider dependencies in risk assessment. If Asset A depends on Asset B, threats to Asset B also threaten Asset A.
Example: Your customer-facing web application depends on the database server. Database risks indirectly become application risks.
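The inventory fields, the CIA-driven classification, and the asset-centric risk steps above can be put together in a small script. This is an added example, not ISMS Copilot's or any ISO 27001 tooling's code; the 1-4 impact and likelihood scales, the asset IDs and the threats are constructed, and it goes slightly beyond the text by propagating a threat's likelihood through transitive dependencies (A depends on B depends on C).

```python
from dataclasses import dataclass, field
# Constructed 1-4 impact scale; classification follows the highest CIA impact (4-level scheme above).
LEVELS = {1: "Public", 2: "Internal", 3: "Confidential", 4: "Secret/Restricted"}

@dataclass
class Asset:
    asset_id: str
    name: str
    asset_type: str           # information, physical, software, service, ...
    owner: str                # business role accountable for the asset
    cia_impact: tuple         # (confidentiality, integrity, availability) impact, each 1-4
    depends_on: list = field(default_factory=list)  # asset IDs this asset relies on

    def classification(self) -> str:
        return LEVELS[max(self.cia_impact)]

@dataclass
class Threat:
    asset_id: str             # asset the threat acts on directly
    description: str
    likelihood: int           # 1 = rare ... 4 = likely

def dependents_of(inventory: dict, asset_id: str) -> set:
    """IDs of assets relying on asset_id, directly or transitively."""
    found, stack = set(), [asset_id]
    while stack:
        current = stack.pop()
        for a in inventory.values():
            if current in a.depends_on and a.asset_id not in found:
                found.add(a.asset_id)
                stack.append(a.asset_id)
    return found

def risk_register(inventory: dict, threats: list) -> dict:
    """Highest risk per asset (impact x likelihood). A threat to an asset is also
    applied, at the same likelihood, to every asset that depends on it."""
    register = {aid: 0 for aid in inventory}
    for t in threats:
        for aid in {t.asset_id} | dependents_of(inventory, t.asset_id):
            register[aid] = max(register[aid], max(inventory[aid].cia_impact) * t.likelihood)
    return register

# Constructed sample inventory based on the SaaS example above.
INVENTORY = {a.asset_id: a for a in [
    Asset("A-001", "Customer database", "information", "VP Sales", (4, 4, 3), ["A-002"]),
    Asset("A-002", "Database server", "physical", "Head of IT", (2, 2, 4)),
    Asset("A-003", "Customer web application", "software", "Head of Product", (2, 2, 3), ["A-001"]),
    Asset("A-004", "Marketing site", "software", "Head of Marketing", (1, 2, 2)),
]}
THREATS = [Threat("A-002", "Database server hardware failure", 3), Threat("A-004", "Marketing site defacement", 2)]
```

Without the dependency propagation the web application would carry no risk from the server failure; with it, the server's likelihood is applied to the application's own impact, which is the indirect risk the example above describes.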
Related concepts
Risk Assessment - Evaluating threats to assets
Information Classification - Categorizing assets by sensitivity
CIA Triad - Protection objectives for assets
Control - Measures protecting assets
Getting help
Use ISMS Copilot to generate asset inventory templates, create classification schemes appropriate for your business, and link assets to risk assessments efficiently.