Help center

Assets

An asset is anything of value to your organisation that could be impacted if something goes wrong. It's the logical starting point for risk management: if you don't know what you're protecting, you can't know what to protect.

The 7 categories

Application

Business software (ERP, CRM, helpdesk, customer-facing platform).

Infrastructure

Server, network, datacentre, endpoints, VPN.

Data

Customer database, HR records, source code, backups, logs.

Contract

Agreement with a third party: hosting, supplier, insurance.

Person

Key skill (internal or outsourced): DPO, CISO, senior dev.

Supplier

Critical vendor: AWS, Microsoft, subcontractor.

Process

Essential business procedure: on/off-boarding, access management, deployment, incident response.

The 1-5 criticality scale

Criticality represents importance to the business — not a monetary value. Ask yourself: "if this asset disappears tomorrow, what happens to my company?"

Very low. Easily replaced, no business impact.

Low. Temporary inconvenience, business continues.

Moderate. Reduced productivity. E.g. internal helpdesk.

High. Significant impact on customer service. E.g. CRM.

Critical. Business stops without it. E.g. production ERP, primary customer DB.

Best practice: the 80/20 rule

Don't try to inventory all your infrastructure. Focus on the 10 to 30 critical assets that cover 80% of your exposure. Auditors prefer a short, accurate inventory over an exhaustive but fuzzy listing.

The sleep test: if you wake up at night thinking about something that could break your business, it's probably an asset of criticality 4 or 5. Document it.