Inventoried information assets are categorised based on defined criteria that include importance to the delivery of the function
Context and Guidance: Categorisation of assets is important for many cybersecurity and operational activities, such as incident response, risk management, threat management, and cybersecurity architecture planning. Information should be categorised according to its sensitivity, value, criticality, interdependencies with other assets, legal requirements, whether the data is collected by, held by, or shared with a third party, or other scheme, including any scheme that is required by regulation or other compliance factor. Categorisation provides another level of important description to an information asset that may affect strategies to protect and sustain it.
These are examples of categorisation schemes:
• Confidential, Secret, Top Secret
• Regulated, Unregulated, Public
• Restricted, Private, Public
Whatever scheme is used, the importance of the asset to the delivery of the function should be considered. Additionally, when identifying categories, consider that many cybersecurity activities generate information assets that need to be protected, such as configuration baseline information, risk registers, and even asset inventories themselves.
Related Practices
• Input From: Implementing ASSET-2a provides input that may be useful for implementing this practice.
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ASSET-2c, ASSET-2d.