• Does a list of information assets exist? Is it current?
All assets that may affect the organization’s security should be included in an information asset list. Information assets typically include software, hardware, documents, reports, databases, applications, and application owners. A structured list must be maintained that includes individual assets or asset groups available within the company, their location, use, and owner. The list should be updated regularly to ensure accurate information is reviewed during the compliance certification process.

• How are information assets classified?
Information assets must be classified based on their importance to the organization and level of impact, and whether their confidentiality, availability, and integrity could be compromised.

• Is a high-level security policy in place?
Critical to implementing an information security standard is a detailed security policy. The policy must clearly convey management’s commitment to protecting information and establish the business’ overall security framewor