I have a question on “what is an asset”. We are having a bit of trouble deciding what an asset is. Do you have a clear definition we could use?
Our current understanding is:
We define the scope of the ISMS. In our case we are a small company so the whole company is in scope.
We know the Toolkit Documents and records are within scope, so will form the core document set in the DMS.
Now for the rest ... Our understanding of identifying assets (documents, records, hardware, and so on) is to ask the question: Does this asset have a security element to it to make it in scope? For example, a work instruction procedure to change a user's password would be in scope. Whereas a marketing brochure (that did not cover any product security) would not be regarded as an ISMS asset (accepting such a document, as an asset, may fall under the remit of another ISO Standard).
Your understanding that an asset needs to have a security element for it to be considered in the ISMS scope is correct.
For ISO 27001, an asset is anything of value to the organization in terms of confidentiality, integrity, and availability of information.
Considering that, if the asset is related to information that your ISMS needs to protect, then it needs to be considered. In your examples, users' passwords need to be protected, making the work instruction procedure to change users' passwords part of the scope, while the marketing brochure, which does not need to be protected, would not be considered.
In the Risk Assessment Sheet included in the toolkit there is a list of assets you can use.