How to Evaluate Information Assets in ISMS (ISO27001)?

Listing information assets

In order to assess information in the company, first, we need to list up all information and information medium to evaluate the value and current security measures one by one.

In ISMS, we call information in the company as information assets. Information assets are any assets containing information. Files such as Excel or Word contain information. Plus PCs and mobile devices storing those files are also information assets. Data in the server is another form of information assets. Furthermore, paper or cabinets which contain data are also information assets.

Evaluating information assets

Once we list all the information assets, we need to evaluate the value of each information asset. Usually in ISMS, the value of information is evaluated according to these 3 factors, confidentiality, integrity and availability. It is sometimes called as the CIA.

Confidentiality

Confidentiality is how confidential the information needs to be. If the information is confidential, the people who can access the information should be limited.

Integrity

Integrity is how much information should not be changed. For example, past financial statements should not be changed so that we can say financial statements are information which need to have high integrity.

Availability

Availability is to evaluate how much information is available. If a system is down, you can not use that system. If it is the system which can not be suspended, we can say that information assets need to have high availability.

In ISMS, there is no specific way of evaluation stated. Each company can decide how to evaluate information assets. The easiest way is to evaluate by scoring for each CIA and add or multiply to get the value. For example, evaluate each CIA from 1 to 3 and add them. Then, the added value will be from 3 to 9 so define the information assets with the value over 7 as important.

To be consistent, it would be better to define the meaning of each value. For example, for confidentiality, define 1 as information which can be public, 2 as information which can be seen by employees and 3 as information which needs to be limited to certain people in the company to see.

Evaluating vulnerability

As evaluating the value of information assets, evaluation for vulnerability is also necessary in ISMS. To evaluate vulnerability, we need to list up threats that may happen to the information asset and evaluate whether those threats are frequent or not, plus evaluate whether enough security measures are done or not.

Eventually, we will be able to know information assets with high risk by filtering with high threat frequency and low security measure score.

How information assets assessment works

Once all information assets are evaluated by its value and risk, we can filter valuable information assets. And, among those, if there are information assets with high risk, those information assets are the ones that need to have some security measures.

Let’s say there is an online storage system which is used in a company. Since files in online storage will contain confidential data so that score of confidentiality will be high. Plus, it will be a big trouble if there are some lost files from online storage so that the score for integrity is also high. Lastly, if business documents stored in online storage are used frequently and if those documents need to be available anytime, the score of availability will be high. Then, we can conclude the online storage system is information assets with high value.

For an online storage system, unauthorized access is one of the threats. Recently, there are many attempts to login to a system by cracking bots. This makes the frequency of threats high. If the company owns this online storage system but does not check the complexity of users’ passwords, it can be assessed as a low security measure.

In conclusion in this case, the value as an information asset for this online storage system is high. Also, the threat of unauthorized access is frequent. However, if the company doesn’t check whether the user is setting strong passwords, this information asset is under high risk. Therefore, this company can conclude that they should consider additional security measures on this online storage system.