Information as an asset
Answer: ISO 27005 (Information security risk management) considers two types of assets:
- Primary assets: business process and activities, and information itself
- Support and infrastructure assets: hardware, software and other elements on which primary assets rely
Considering this, you should treat both customer information and the database storing the customer information as assets. This makes sense because the same information can exist in many different formats (e.g., in paper reports and in people's minds), which will require completely different practices to be implemented to ensure information protection.
This article will provide you with further explanation about information assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding information assets:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Aug 25, 2017