The first step in meeting the ISO27001 requirements for risk assessments is to identify all the information assets within the scope (4.2.1 - a) of the ISMS and, at the same time, to document which individual and/or department ‘owns’ each asset. ‘Assets’ here includes information systems, which should be so defined in your information security policy.
The asset identification exercise can only take place once the scope has been finalised.
ISO17799 identifies, in A.7.1.1, the six classes of assets that have to be considered, each of which should be referenced in your information security policy statement. They are as follows:
• Information assets include information printed or written on paper, ...