Chapter 4. Information Assets and the Information Security Risk Assessment
An asset-based information security risk assessment is the key to any ISO27001 ISMS, forming the lion’s share of the Plan phase of the initial P-D-C-A cycle for implementation.
To undertake the risk assessment, it is necessary to have defined the scope of the ISMS and, of course, to have understood the concept of information security assets: it is the assets that are the subject of the risk assessment.
For the risk assessment to be effective, a comprehensive information-asset register needs to be produced. That is to say, a list of everything that has value to the organisation, including information, information processing and storage equipment (every server, computer, laptop, ...