The information asset inventory includes information assets within the function that may be leveraged to achieve a threat objective
Context and Guidance: These are assets that may be used in the pursuit of the tactics or goals of a threat actor. It is important to consider that a threat actor may have multiple objectives and that those objectives may change over time or in different situations. Achievement of a threat objective may not cause immediate harm to an organisation but would increase the likelihood of the realisation of a cyber risk. Identification of assets within the function that may be leveraged to achieve a threat objective should focus on the techniques used by threat actors and the potential for those techniques to be applied to the organisation’s assets. An example of assets within the function that may be leveraged to achieve a threat objective is information such as personally identifiable information that may cause harm to the organisation or its stakeholders if lost, stolen, or disclosed. Note that identification of this set of assets should be based on an assessment of risk.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ASSET-2a, ASSET-2b, ASSET-2f, ASSET-2g.