LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the four standard categories of Assets in information security?

Data, IT systems, facilities, and people — that's the universe of things worth protecting.

Category Examples
Daten (Data) Customer records, IP, source code, credentials, configurations
IT-Systeme (IT systems) Servers, network gear, endpoints, SaaS, OT/ICS
Einrichtungen (Facilities) Data centres, factory floors, offices, power
Mitarbeiter (People) Employees, contractors, knowledge they carry, their well-being

Why this matters for risk assessment:

  • You can't analyse risk without an asset register — if you don't know what you have, you can't decide what's worth protecting.
  • Different asset types attract different threats: data → exfiltration; systems → ransomware; facilities → physical sabotage; people → social engineering, insider risk.
  • Loss of people (key engineer leaves, gets sick) is a real risk that purely technical risk models often ignore.

Tip: ISO/IEC 27005 explicitly requires an asset inventory at the start of any information-security risk assessment.

From Quiz: ISF / Risk Management | Updated: Jul 14, 2026