# How to develop an asset inventory

https://www.isms.online/iso-27001/how-to-develop-an-asset-inventory-for-iso-27001/

Relevant ISO 27001 clauses/controls:

- [ISO 27001 A 8.1.1 Inventory of assets](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.1.1%20Inventory%20of%20assets.md)
- [ISO 27001 C 6.1.2 Information security risk assessment](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20C%206.1.2%20Information%20security%20risk%20assessment.md)

See also:

- [Assets, Vulnerabilities, Threats, Risks](../Information%20Security/Risks/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)

# 3D Asset Inventory

The criticality of an asset can be defined as the **impact of compromise** on the 3 aspects of Confidentiality, Integrity and Availability. E.g.:

Asset | Confidentiality | Integrity | Availability
----- | --- | --- | ---
Public website | 0 | 2 | 3
Password file | 3 | 2 | 3
Debtors info | 3 | 3 | 1

We can also assess the **probability of compromise** on the same 3 aspects:

Asset | Confidentiality | Integrity | Availability
----- | --- | --- | ---
Public website | 0 | 2 | 1
Password file | 1 | 1 | 2
Debtors info | 1 | 2 | 1

Now we can calculate the Risk Score as Impact times Probability for each of the 3 aspects:

Asset | Confidentiality | Integrity | Availability
----- | --- | --- | ---
Public website | 0 | 4 | 3
Password file | 3 | 2 | 6
Debtors info | 3 | 6 | 3

This would lead to the following priority list for risk mitigation:

1. Integrity of Debtors info
2. Availability of Password file
3. Integrity of Public website
4. etc.
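
The scoring and ranking described above as a short script (an added example, not part of the original note). It uses the impact and probability values from the tables; the 0-3 scale check, the omission of zero-risk entries and the name-based tie-break for equal scores are assumptions.

```python
# Added example: impact/probability values are taken from the tables above.
ASPECTS = ("Confidentiality", "Integrity", "Availability")
SCALE = range(0, 4)  # assumption: the 0-3 scale implied by the tables

# asset -> (impact per aspect, probability per aspect), in ASPECTS order
INVENTORY = {
    "Public website": ((0, 2, 3), (0, 2, 1)),
    "Password file": ((3, 2, 3), (1, 1, 2)),
    "Debtors info": ((3, 3, 1), (1, 2, 1)),
}


def risk_scores(inventory):
    """Return {asset: {aspect: impact * probability}}, rejecting bad entries."""
    scores = {}
    for asset, (impact, probability) in inventory.items():
        if len(impact) != len(ASPECTS) or len(probability) != len(ASPECTS):
            raise ValueError(f"{asset}: need one value per aspect")
        for value in (*impact, *probability):
            if value not in SCALE:
                raise ValueError(f"{asset}: score {value} is outside the scale")
        scores[asset] = {a: i * p for a, i, p in zip(ASPECTS, impact, probability)}
    return scores


def priority_list(inventory):
    """Flatten to (score, aspect, asset) rows, highest risk first."""
    rows = [
        (score, aspect, asset)
        for asset, per_aspect in risk_scores(inventory).items()
        for aspect, score in per_aspect.items()
        if score > 0  # assumption: zero risk needs no mitigation entry
    ]
    # Tie-break (assumption): equal scores are ordered by asset name, then aspect.
    return sorted(rows, key=lambda r: (-r[0], r[2], r[1]))


if __name__ == "__main__":
    for rank, (score, aspect, asset) in enumerate(priority_list(INVENTORY), 1):
        print(f"{rank}. {aspect} of {asset} (risk {score})")
```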