Protecting assets with multiple security levels

Answer: Your approach on the risk assessment is valid, since you will have to state the different impact levels, that will lead to different risk values, but in your asset inventory there is no need to have multiple rows if you can group the assets and the information about them. In your example you have in the asset inventory the asset "database", and in your risk assessment you will have risks like "customer A's database loss" and "customer B's database loss", with differe nt risk values.

This article will provide you further explanation about documentation development: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

This article will provide you further explanation about risk assessment: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding assets management:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course
https://advisera.com/training/iso-27001-foundations-course/