Answer: Good practice suggests that information assets classification should be done through a four-steps process:
- information assets should be entered in an Inventory of Assets, so you know which assets to protect
- information assets should be classified, considering their value to the organization and the impact if compromised
- information assets should be labeled, so people can identify its classification
- information assets should be handled in a secure way, considering their classification level
Answer: To properly identify info assets you have to consider your ISMS scope and the objectives of your ISMS, because from them you can identify which assets you have to protect. For example, if one obje ctive of the ISMS is to ensure the protection of the customer support service running on your organization's headquarter, you will know you have to consider the hardware, software and databases located on the headquarter's premises.