Regarding asset identification, when dividing into primary assets (business process and information assets) and supporting assets (hardware, software, people, documentation, etc.), how should you assess, regarding information assets, what is categorized as a primary asset vs. a supporting asset?
Examples: Would you say contracts are a primary asset or a supporting asset? How about job descriptions, NDA, SLA, DPA, sales offers? Is there a good technique on how to categorize properly? In the risk assessment table template from Advisera, only suggested assets are listed.
ISO 27001 does not prescribe asset categorization, so you do not need to implement further categorization than what is already provided in the suggested list of assets in the risk assessment table template (adding such categorization will only unnecessarily complicate the process).
Contracts, job descriptions, NDA, SLA, and DPA are documentation, while sales offers are information (unless this refers to the name of a document).