Quiz Entry - updated: 2026.07.14
What are the four standard categories of Assets in information security?
Data, IT systems, facilities, and people — that's the universe of things worth protecting.
| Category | Examples |
|---|---|
| Daten (Data) | Customer records, IP, source code, credentials, configurations |
| IT-Systeme (IT systems) | Servers, network gear, endpoints, SaaS, OT/ICS |
| Einrichtungen (Facilities) | Data centres, factory floors, offices, power |
| Mitarbeiter (People) | Employees, contractors, knowledge they carry, their well-being |
Why this matters for risk assessment:
- You can't analyse risk without an asset register — if you don't know what you have, you can't decide what's worth protecting.
- Different asset types attract different threats: data → exfiltration; systems → ransomware; facilities → physical sabotage; people → social engineering, insider risk.
- Loss of people (key engineer leaves, gets sick) is a real risk that purely technical risk models often ignore.
Tip: ISO/IEC 27005 explicitly requires an asset inventory at the start of any information-security risk assessment.