Last time we talked about the benefits of an ISMS. The cornerstones of an ISMS are knowing what your assets are and then conducting Risk Management processes based on the value of those assets versus the value of the control against a likelihood and consequence matrix.

Firstly, what do we mean by some of these things? “Information Asset” is bandied around pretty loosely and could mean a lot of different things because it is a subjective term. For the purposes of this article, and for most of the work we do, here is how we move the terms from subjective to objective:

An asset is anything that has value, including:

  • Systems or groups of systems (did I hear classes?, more on that later)
  • Physical Things
  • People including their experience and qualifications
  • Reputation
  • Software

Information is meaningful data, the structure of which, is unimportant.

The Elephant Problem

  • Assets should be defined at a level of detail that allows them to be managed
  • Too much granularity creates elephants to eat, large unwieldy tasks that are hard to consider
  • Too little detail reduces effectiveness

So…. how do you eat an elephant? One bite at a time?**

Divide and Conquer

One of the hardest things to get started on is managing risk where assets are poorly defined. Quite often people start with a individual device based database and work from the ground up. Applying a risk assessment to every single network device, server, endpoint, door etc gets kind of silly and almost always fails.

If you had a handful of things to assess initially, wouldn’t that be easier?

The Asset Class

The idea of an asset class is to roll up groups of platforms, systems and infrastructure into more manageable constructs. Less that 10 for a first pass is ideal. The classes will depend on your organisation, your structure and your appetite for Risk Management. Initial candidates for Asset Classes are:

  • Core financial systems and associated infrastructure
  • HR systems and associated infrastructure
  • IT and associated infrastructure
  • Source code systems
  • Corporate systems
  • Physical assets which underpin any classes including buildings and data centres
  • Key people

While we still use spreadsheets or proprietary GRC tools to carry out our risk component, managing complexity allows us to:

  • Get started quicker
  • See results in a timely fashion
  • Not get “lost in the weeds” of detail
  • Make changes to the approach early without having to change large datasets of information


**Footnote, no elephants were harmed in the production of this article, it’s a metaphor, we like elephants, please don’t flame us on it.