Could you please clarify the relation between having an Asset management process in place and an Information classification policy.
- Our assets are laptops, desktops, servers and SW licenses, and we have defined their full cycle in the process
- Our information classification is mainly for documents and processes (Confidential, Restricted, Internal use)
Thus I would appreciate it if you could explain/clarify the following points:
- Do we need to classify our assets or label them as (Confidential, Restricted, Internal use), or do we need to add another category for assets?
- Do we need to classify the information on assets? But if a laptop (as an asset) has confidential documents and restricted documents, is the laptop as an asset in this case
considered to be confidential or restricted?
The relation between them is that the information classification policy is applied to the assets considered relevant to the ISMS scope, and these are identified and managed through the asset management process.
But please note that neither the Information Classification Policy nor the Asset Management Process, nor information labeling, are prescribed by ISO 27001. They are only needed if there are relevant risks, or legal requirements, demanding their implementation.
Considering that, and your stated scenario, information and processes are also assets (you can add, for example, the categories "information" and "processes"), and the other stated assets also need to be classified (as Confidential, Restricted, or Internal use).
In case you have an asset like a laptop storing information with different classifications, you must use the highest classification to classify the laptop (in your case the laptop is to be considered Confidential).