July 15, 2012, 2:26 PM — One of the key elements of ISO 27001 certification involves doing a comprehensive risk assessment. In order to combat the risks to your organization’s assets, you need to identify the assets, consider the threats that could compromise those assets, and estimate the damage that the realization of any threat could pose. Losing trade secrets, for example, could pose serious threats to your company's financial well being. Some estimates claim that US companies lose $100 billion annually due to the loss of proprietary information. This link will take you to one.
One of the first steps in doing a risk assessment involves identifying the various entities that pose threats to your company's well being -- hackers, disgruntled employees, careless employees, competitors? Not all threats fall into the category of "bad guys". You might also have to consider natural disasters such as power outages, data center flooding, fires, and other events that damage cabling or make your offices uninhabitable.
You then need to identify the assets that you are trying to protect with special attention to those that are most critical. My boss likes to call the most critical information assets our "secret sauce". What gives your company its edge and would be most harmful if compromised? What critical components in your network infrastructure would halt production if they failed? And don't restrict your thinking to computers and online data. Make sure you consider all sorts of assets from automated systems to paperwork stored at off-site storage facilities. Even know-how can be considered a critical business asset.
You also need to consider the vulnerabilities inherent in your systems, processes, business locations, etc. What are the "weak links" in your systems and processes? In what ways might your production lines be broken? Maybe you have old equipment that's going to fail just when you most need it. Maybe you have no redundancy for your web services. Maybe a legacy system has a password that everybody knows, including several people you fired last month. Maybe a critical service is using the default admin password for some particular application it relies on. Make sure your ISO 27001 implementation team considers all the weaknesses they can identify and creates records that you keep in a very safe place! After all, the last thing you want is for anyone outside your small group to be able to access a complete list of all your vulnerabilities.
If you've got a good implementation team with healthy connections to the various parts of your organization, you will probably have a leg up on identifying your most critical assets across the organization.