Could you please clarify the mapping between Asset value “CIA” and the information classification, because it is not clearly defined in the Advisera asset classification page and we have to mention a mapping in the information classification policy.
The link between CIA and the information classification.
Please note that ISO 27001 specifies that the CIA is related to risks (6.1.2 c 1), and to consequences (6.1.2 d 1), not to assets, and that for information classification, the asset value is defined in terms of legal requirements, value, criticality, and sensitivity to compromise due to realized risks, not by the CIA.
Considering that, the reason why we do not have such a mapping is that it is not prescribed by the standard, and it only complicates things (like risk assessment and information classification), because different levels of CIA can be associated with the same classification level and vice versa.
Regarding mapping, what you can do is use in the Information Classification Policy the impact value for the asset, identified in the risk assessment, as the basis for the classification.