Information Asset Identification — Standard Definition

Status: Draft v0.2.12 | Author: Security Director | Date: 2026-02-25

Applicable Standard: ISO/IEC 27002:2022 Control 5.9


1. Purpose

This document defines the criteria for identifying information assets at Cybercraft. It establishes consistent and verifiable criteria for determining what to register in the Asset Register and what not to register.

By referencing this document, any person or AI making a determination should arrive at the same classification result.

2. Normative References

This document is based on the following standards and documents:

| Reference Document | Relevant Clause | Description |
|---|---|---|
| ISO/IEC 27001:2022 | Annex A 5.9 | Inventory of information and other associated assets |
| ISO/IEC 27002:2022 | Control 5.9 | Implementation guidance for asset identification, classification, ownership assignment, and component documentation |
| ISO/IEC 27001:2022 | Annex A 5.10 | Acceptable use of information and other associated assets |
| ISO/IEC 27001:2022 | Annex A 5.11 | Return of assets |
| ISO/IEC 27001:2022 | Annex A 5.12 | Classification of information |
| Cybercraft | ISMS-POL-ASM-01 | Asset Management & Information Classification Policy |

2.1. ISO 27001:2022 Annex A 5.9 — Standard Text

"An inventory of information and other associated assets, including owners, should be developed and maintained."
— ISO 27001:2022 Annex A 5.9

2.2. ISO 27002:2022 Control 5.9 — Key Implementation Guidance

Asset Identification and Documentation Requirements:

Component Documentation Requirements (2022 Revision Addition):

"Components that sustain technology assets are recorded and interrelated, including databases, storage, software components and sub-components."
— ISO 27002:2022 Control 5.9, Implementation Guidance

This clause is the normative basis for the Component and Resource concepts defined in this document.

Asset Inventory Record Items (ISO 27002:2022 5.9):

Separately from the asset types above, the standard requires the following to be recorded in the inventory for each asset: unique identifier, location, classification, owner, version (where applicable), and licence expiry date (where applicable). These are attributes of the asset, not examples of asset types.

Asset Types Defined by the Standard for Inventory Inclusion:

| ISO 27002:2022 Asset Type | Definition | Examples |
|---|---|---|
| Information | Data stored, processed, or transmitted by the organisation | Customer databases, financial records, source code, intellectual property |
| Software | Applications, system software, development tools | OS, business applications, development tools, middleware |
| Physical | Hardware, physical equipment | Servers, laptops, network equipment, removable media |
| Services | Cloud services, outsourced utilities | SaaS, PaaS, hosting, outsourced services |

📌
ISO Standard → Cybercraft Mapping

ISO 27002:2022 defines the four types above, but does not provide detailed classification criteria for cloud/SaaS-centric environments. §5 (Asset Type Taxonomy) of this document is a specialisation of the ISO standard's four types, tailored to Cybercraft's operational environment. The mapping is as follows:

| Cybercraft Type | ISO 27002 Type | Notes |
|---|---|---|
| Service Environment | Services | SaaS tenant/org/account |
| Identity Platform | Services | Authentication-specific service environment |
| Cloud Infrastructure | Services | IaaS/PaaS subscription |
| Domain | Services | Domain registration service |
| License / Subscription | Software (intangible) | Intangible asset — subscription agreement |
| Physical Asset | Physical | Physical equipment |
| Information / Data | Information | Identifiable datasets requiring protection |

🔍
Relationship with CIS Controls v8.1

CIS Controls v8.1 separates asset identification into three Controls: Control 1 (Hardware — network scan-based discovery), Control 2 (Software — software inventory scan), and Control 16 (Application Software — authorised software list). These three Controls are discovery entry points, not classification categories — they define "how to find" rather than "what is an asset."

Cybercraft's Track A/B follows the same structure — two independent discovery lenses. CIS uses three because on-premises environments require different HW/SW discovery methods; Cybercraft uses two because a 100% cloud environment merges HW/SW under a contract/control lens. Coverage is equivalent; classification axes differ.

Shadow IT / unauthorised devices and apps fall under security monitoring, not asset identification, in both CIS and Cybercraft frameworks.

2.3. Asset Owner Responsibilities (ISO 27002:2022 Control 5.9)

📌
Scope Note: In the responsibilities below, "assets" includes both assets already registered in the inventory and assets that should be registered under the criteria of this document. Owners bear the responsibilities below for all assets within their purview, regardless of whether registration is complete.

Asset Owner responsibilities as defined by the standard:

  1. Ensure all data and related resources are registered and documented in the inventory
  2. Ensure all assets are correctly classified and protected
  3. Periodically review classifications to maintain accuracy
  4. Ensure components sustaining technology assets are recorded and interrelated
  5. Establish acceptable use requirements for assets (→ linked to A.5.10)
  6. Periodically review that access restrictions align with classification and remain effective
  7. Ensure assets are safely handled and removed from the inventory upon deletion or disposal
  8. Identify and manage risks associated with assets
  9. Support roles and responsibilities for personnel managing information

2.4. Information Classification Requirements (ISO 27001:2022 Annex A 5.12)

Each asset in the Asset Register must be classified according to the information classification scheme:

| Classification Level | Definition | Examples |
|---|---|---|
| Confidential | Disclosure would cause serious harm to the organisation. Access restriction required. | Customer data, credentials, financial systems |
| Internal | For internal use only. Not suitable for external disclosure. | Internal policies, employee information, infrastructure configurations |
| General | May be publicly disclosed. Impact of disclosure is minimal. | Public website content, marketing materials |

This classification scheme is implemented as the Classification property in the Asset Register.


3. Scope

⚠️
Out of Scope — BYOD Devices and Personal Software/Hardware

Personally owned devices (BYOD), personal software, and personal hardware are not within the scope of this document or the Asset Register. Track A Q1 ("Did we contract, register, or create it?") → No → Not a Cybercraft asset.

  • BYOD device management: Refer to BYOD Security Policy (ISMS-POL-BYOD-01) and Device Lifecycle Procedure (ISMS-PROC-BYOD-01). Device inventory is managed in Intune/Entra ID.
  • Personal apps/software management: Refer to Application & Data Governance Policy (ISMS-POL-ADG-01).
  • Detailed classification criteria: see §6.5.

3.1. Key Terms

Key concepts used from §4 onwards are defined here. For the full glossary, see Appendix A.

| Term | Definition | Layer |
|---|---|---|
| Technology Asset | A service environment, infrastructure, physical equipment, or domain that the organisation contracts, registers, or creates and over which it holds control | L1 — Asset Register |
| Information Asset | An identifiable dataset that requires protection, classification, and ownership assignment | L1 — Asset Register |
| License | A subscription agreement purchased to use a service (intangible asset) | L2 — License Inventory |
| Component | A feature or service provided within an asset. Cannot be independently terminated or controlled. | L3 — Asset page body |
| Resource | An individual instance created within a cloud subscription (legacy equivalent: "server") | L3 — Asset page body |

🔑
Track A (Technology Assets) and Track B (Information Assets) are independent assessment tracks. The same item cannot fall under both tracks simultaneously. An information asset may, however, be contained within a technology asset; in that case it is a separate registration target (see §4).

4. Core Principle

This document identifies assets through two tracks:

| Track | Target | Key Questions | Detail |
|---|---|---|---|
| Track A — Technology Assets | Service environments, identity platforms, cloud infrastructure, domains, physical equipment, licences | Did we contract it? → Do we control it? → Can it be independently terminated? | §4.1 |
| Track B — Information Assets | Logical datasets requiring protection | Is it identifiable? → Does it need classification? → Does it need separate protection? | §4.2 |

📌
The two tracks are independent. Registering a technology asset (e.g., M365 Subscription) does not automatically make its data an information asset. Conversely, registering an information asset (e.g., customer data) does not make its storage location (e.g., SharePoint site) a separate asset. Apply each track's 3-Question test independently.

4.1. Track A — Technology Asset Identification: 3-Question Test

⚖️
Technology Asset = A service environment that our organisation contracts, registers, or creates and over which it holds control

This principle is verified through the following questions:

  1. Did we create or contract it? (tenant, organisation, account, domain registration, subscription agreement)
  2. Do we control it? (we manage configuration, users, data, and access controls)
  3. Can it be independently terminated? (terminating it independently would stop only that service)

All three questions Yes → Register as an asset

✈️
Analogy: The Airline Ticket Principle

The aircraft is owned by the airline, not the passenger. The passenger's assets are the seat ticket (licence) and the membership account (tenant/account). The product (platform) itself is the vendor's asset.

Asset Discovery Methodology

🔍
Contract-Based Discovery

In Cybercraft's 100% cloud environment, the act of contracting/subscribing itself is the entry point for asset discovery. When adopting SaaS, the Entra ID Admin Consent Workflow serves as the approval and discovery channel. Technical network scanning (CIS Controls approach) is replaced by contract-based discovery in cloud environments.

  • Track A: Subscription, contract, or account creation = asset discovery. Admin Consent Workflow = SaaS discovery channel.
  • Track B: Identifying datasets requiring protection during business operations = discovery. Not technical scanning, but data classification activity.
  • Separate SaaS Discovery procedure unnecessary: With user consent blocked and Admin Consent Workflow enabled, no new app can be registered in the tenant without administrator approval. Therefore, periodic discovery procedures are unnecessary; unauthorised app detection (Shadow IT) falls under security monitoring, not asset identification.

Detailed policy: Asset Management Policy (ISMS-POL-ASM-01) §4.3.

4.2. Track B — Information Asset Identification: 3-Question Test

⚖️
Information Asset = An identifiable dataset that requires protection, classification, and ownership assignment

Determined by different questions from technology assets:

  1. Is it an identifiable dataset? — A logical unit that can be named ("customer data", "financial data", "source code")
  2. Does it require Confidential or Internal classification? — Would disclosure or tampering cause harm to the organisation?
  3. Does it require separate ownership, access controls, and risk assessment? — Does it need a different level of protection from general business documents?

All three Yes → Register in Asset Register as Information type

Otherwise → Registration not required. It is ordinary content naturally residing in its storage location.

Registration Unit

🎯
Registration unit = logical dataset. Not a folder, file, site, or URL.

On a customs declaration form, you write "diamond necklace", not "left pocket of the suitcase". The left pocket is what you write in the "storage location" field.

Likewise, what you register in the Asset Register is the logical dataset called "Customer Data".

Registration Example:

| Field | Value |
|---|---|
| Asset Name | Customer Data |
| Asset Type | Information / Data |
| Classification | Confidential |
| Owner | [Responsible person] |
| Storage Location (Source) | M365 → SharePoint → HR Portal site (cybercraft.sharepoint.com/sites/HR) |
| Access Path (Viewer) | Power BI → HR Dashboard (read-only visualisation) |
| Description | Customer contacts, contract history, service records, and other personally identifiable customer datasets |

In this example:

Storage Location Recording Guide

📍
Principle: Access Control Boundary (mandatory) + Navigation Path (mandatory when data cannot be located otherwise)

The purpose of recording storage locations is twofold:

  1. Security purpose — "Who can access this data?" → access control boundary
  2. Operational purpose — "Where do we find this data?" → navigable path

ISO 27002:2022's requirement to "record the location of assets" encompasses both. A recorded location that cannot be used to find the data is meaningless.

| Storage Type | Access Control Boundary | Navigation Path Required? | Recording Example |
|---|---|---|---|
| SharePoint (simple site) | Site (site-level members and permission groups) | Site = navigation unit → Not required | M365 → SharePoint → HR Portal (cybercraft.sharepoint.com/sites/HR) |
| SharePoint (Teams channel-based) | Site URL (general/individual channel) or separate site for Private channels | Channel folder path required | M365 → SharePoint → CYB Team → /ChannelA/ClientData/ or Private channel: separate site URL |
| OneDrive | User account (default: owner-only access) | Always required — account alone cannot identify data | M365 → OneDrive (Lucas) → /Projects/ClientData/ |
| Azure Blob | Container (container-level SAS and access policies) | Required if path structure is complex | Azure → cybstorage01 / client-documents or → /2026/invoices/ |
| Database (SQL, etc.) | DB instance / schema (DB-level permissions) | Required if many tables/schemas | Azure → cyb-sql-01 / CustomerDB or → dbo.Customers |
| Azure Web App | App instance (authentication and network rules) | Usually a viewer — not the source | Record in the Access Path (Viewer) field: Azure → hr.cybercraft.net |
| SaaS internal storage | SaaS itself (tenant-level access control) | Specific area must be noted | Dashlane → Shared Vault or DocuSign → Completed Agreements |

⚖️
A single decision criterion: "Looking only at this storage location information, can you locate the data?"

Yes → Recording the access control boundary alone is sufficient.

No → A navigation path must also be recorded (mandatory).

There is no need to memorise different rules for each storage type. This single question applies uniformly to all cases.

Distinguishing Source and Viewer

Where data is stored and where data is displayed are different:

| Distinction | Source | Viewer / Interface |
|---|---|---|
| Definition | Where data is actually stored and maintained | Interface for reading or visualising data |
| Recording Field | Storage Location (primary) | Access Path (secondary) |
| Examples | SharePoint List, SQL Database, Azure Blob | Power BI dashboard, web app interface, Notion Linked View |

Recording Rules:

Decision Examples:

| Scenario | Storage Location (Source) | Access Path (Viewer) |
|---|---|---|
| Customer data in SharePoint List, visualised via Power BI | M365 → SharePoint → HR Portal | Power BI → HR Dashboard |
| Financial data in SQL DB, queried via web app | Azure → cyb-sql-01 / FinanceDB | Azure → finance.cybercraft.net |
| Contracts in SharePoint document library | M365 → SharePoint → Legal Site | No separate viewer — recording unnecessary |
| HR files in OneDrive, shared via Teams link | M365 → OneDrive (HR Manager) → /Personnel/ | Teams shared link — a sharing method, not an access path. Recording unnecessary. |

What Not to Register — General Data

📂
General business data (General classification) is not a registration target for information assets.

All data belongs to the organisation, but most general business data fails at questions 2 and 3 of the 3-Question test.

Only datasets classified as Confidential or Internal that require separate protection are registration targets.

Storage-Specific Application Rules — Resolving SharePoint Ambiguity

SharePoint sites appear to play different roles depending on context, but the definition is singular:

SharePoint site = A resource (storage) of the M365 Subscription. It is not an asset in itself.
If it contains data requiring protection → that data is a separate information asset.

| Scenario | SharePoint Site | Information Asset Registration? | Recording Method |
|---|---|---|---|
| General team documents site | Resource (L3) | ❌ Not required | Record in the M365 asset page as a site listing |
| Site containing customer data | Resource (L3) | ✅ Register "Customer Data" as an Information asset | Mark "⚠️ Contains Confidential information asset" on M365 page + record storage location on information asset page |
| Site containing financial data | Resource (L3) | ✅ Register "Financial Data" as an Information asset | Same pattern |
| Intranet (general announcements) | Resource (L3) | ❌ Not required | Record in the M365 asset page as a site listing |

The same principle applies uniformly to all storage types ("if it contains data requiring protection" = when 3-Question is satisfied):

| Storage | Parent Asset | No data requiring protection | Data requiring protection present |
|---|---|---|---|
| SharePoint site | M365 Subscription | Record in resource list | Register as information asset separately + cross-reference |
| OneDrive | M365 Subscription | Component — recording not even required | Register as information asset separately + cross-reference |
| Azure Web App | Azure Subscription | Record in resource list | Register as information asset separately + cross-reference |
| Azure Blob Storage | Azure Subscription | Record in resource list | Register as information asset separately + cross-reference |

5. Asset Type Taxonomy

The four standard types from ISO 27002:2022 Control 5.9 (see §2.2), specialised for the Cybercraft operational environment:

| Asset Type | Definition | Registration Location | Examples |
|---|---|---|---|
| Service Environment | Cloud service environment (tenant / org / account / workspace) that we create and control | Asset Register | Cybercraft M365 Subscription, Dashlane, AFI Backup |
| Identity Platform | Authentication/identity environment that we create and control | Asset Register | Cybercraft Entra ID Tenant |
| Cloud Infrastructure | Cloud infrastructure subscription that we contract and control | Asset Register | Cybercraft Azure Subscription |
| Domain | Domain that we purchase and register | Asset Register | cybercraft.net |
| License / Subscription | Subscription agreement purchased to use a service environment (intangible asset) | License Inventory | M365 Business Premium × 5, Dashlane Business × 6 |
| Physical Asset | Physical equipment that we own or lease | Asset Register | Servers, network equipment, etc. |
| Information / Data | Identifiable information datasets that we create or hold and that require separate protection, classification, and ownership assignment. Distinguished from storage locations (SharePoint, OneDrive, etc.) — see §4.2. | Asset Register | Customer DB, financial data, source code, HR records |

Asset Type — Layer Relationship Diagram

The diagram below shows how §5 asset types connect to the layer structure (§8) and how they are distinguished from §6 components and resources.

```mermaid
graph TB
    subgraph L1["L1 — Asset Register"]
        TA["Technology Assets Track A<br>Service Env · Identity<br>Cloud · Domain · Physical"]
        IA["Information Assets Track B<br>Information / Data"]
    end
    subgraph L2["L2 — License Inventory"]
        LI["License / Subscription"]
    end
    subgraph L3["L3 — Asset Page Body"]
        CO["Component<br>Independent termination ✗"]
        RE["Resource<br>Instance within subscription"]
    end
    TA -->|"Usage basis"| LI
    TA -->|"Internal feature"| CO
    TA -->|"Internal instance"| RE
    RE -.->|"If containing data<br>requiring protection<br>→ Register separately via Track B"| IA
```

6. What Not to Register

6.1. Components

🔧
Component = A feature or service provided within an asset. Cannot be independently controlled or terminated.

6.2. Resources

🖥️
Resource = An individual service instance created within a cloud subscription. The legacy equivalent of a "server".

6.3. Distinguishing Storage and Information Assets

⚠️
Caution — Common Confusion: SharePoint sites, OneDrive, Azure Web Apps, etc. are "storage", not "information assets".

People tend to think "there's customer data in SharePoint, so the SharePoint site is an information asset." This is the same logical error as "there's cash in the safe, so the safe is cash."

Principle:

Storage = A component or resource of a technology asset. The container for data.
Information Asset = The dataset inside the container that requires protection.

These two are entirely different layers:

| Distinction | Storage | Information Asset |
|---|---|---|
| Identity | Component or resource of a technology asset | ISO 27002 Information-type asset |
| Registration Location | Parent technology asset page body (L3) | Asset Register (L1) |
| Examples | SharePoint site, OneDrive, Azure Blob, S3 Bucket | Customer DB, financial records, HR records, source code |
| Decision Question | "Is this a space that holds data?" | "Is this a dataset requiring protection and classification?" |

✈️
Analogy: Extension of the Airline Ticket Principle — Luggage (Data) vs Cargo Hold (Storage) vs Customs Declaration (Asset Registration)

The cargo hold (SharePoint, OneDrive) inside the aircraft is not the passenger's asset. All luggage in the cargo hold belongs to the passenger, but not all of it requires a customs declaration.

  • Cargo hold = storage (component). A feature included in the aircraft (service environment).
  • All luggage = the passenger's data. From ordinary clothing bags (team meeting notes, general documents) to valuable jewellery (customer data, financial data).
  • Customs declaration target (Asset Register registration) = valuable jewellery only. That is, only datasets requiring protection are registered.
  • Ordinary clothing bags (team meeting notes, internal announcements, etc.) belong to the passenger but are not customs declaration targets.
  • Even with 10 cargo holds, if there's no valuable jewellery, there's nothing to declare.
  • Cargo holds containing valuable jewellery should be marked "valuables inside."

Key Distinction: "Asset" and "Registrable Asset" are Different

All data belongs to the organisation (is an asset), but only datasets requiring protection are registered in the Asset Register. General business data (General classification) belongs to the organisation but does not require separate risk assessment, ownership assignment, or access controls, so it is not registered.

Detailed rules for information asset registration units, storage location recording criteria, and registration decisions are covered in §4.2.

6.4. DNS Mappings / Subdomains

🔗
Subdomain = A DNS record of the primary domain. Configuration managed in the domain management console.

6.5. BYOD Devices / Personal Software / Personal Hardware

📱
BYOD devices, personal software, and personal hardware = Not registration targets for the Asset Register.

Track A Application:

However, they are management targets:

Personal Software:

7. Decision Flowchart

When a new item is identified, apply the Track A (Technology Assets) or Track B (Information Assets) decision flow depending on the nature of the item:

```mermaid
flowchart TD
    A["New item identified"] --> T{"Nature of the item?"}
    T -- "Service, infrastructure,<br>equipment, domain" --> A1
    T -- "Dataset" --> B1

    A1{"Track A Q1:<br>Did we contract, register,<br>or create it?"} -- No --> ZA["Not an asset<br>(Vendor/third-party owned)"]
    A1 -- Yes --> A2{"Track A Q2:<br>Do we control it?"}
    A2 -- No --> ZA
    A2 -- Yes --> A3{"Track A Q3:<br>Can it be independently<br>terminated?"}
    A3 -- No --> EA["Component/Resource<br>→ Asset page body (L3)"]
    A3 -- Yes --> FA{"Is it a licence agreement?"}
    FA -- Yes --> GA["License Inventory (L2)"]
    FA -- No --> HA["Asset Register (L1)"]

    B1{"Track B Q1:<br>Is it an identifiable<br>dataset?"} -- No --> ZB["Registration not required<br>General business data"]
    B1 -- Yes --> B2{"Track B Q2:<br>Does it require<br>Confidential/Internal<br>classification?"}
    B2 -- No --> ZB
    B2 -- Yes --> B3{"Track B Q3:<br>Does it require separate<br>ownership, access controls,<br>and risk assessment?"}
    B3 -- No --> ZB
    B3 -- Yes --> JB["Asset Register —<br>Information type (L1)"]
```
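The Track A and Track B decision flows above, together with the single storage-location criterion of §4.2 ("can you locate the data from this record alone?"), written out as executable decision logic. This is an added example, not Cybercraft's own tooling; the `Layer` names, the storage-type keys, and the field names are assumptions, and the sample inputs are constructed from the Appendix B rows.

```python
"""Decision helpers for the Track A / Track B 3-Question tests (§4.1, §4.2, §7)
and the storage-location completeness rule (§4.2). Added example, not part of
the standard definition; storage-type keys and field names are assumed here."""
from dataclasses import dataclass
from enum import Enum


class Layer(Enum):
    """Registration outcomes, named after the §8 layer structure (names assumed)."""
    L1_ASSET_REGISTER = "Asset Register (L1)"
    L2_LICENSE_INVENTORY = "License Inventory (L2)"
    L3_PAGE_BODY = "Component/Resource -> asset page body (L3)"
    NOT_AN_ASSET = "Not an asset (vendor/third-party owned)"
    NOT_REQUIRED = "Registration not required (general business data)"


@dataclass(frozen=True)
class TrackAAnswers:
    """Answers to the Track A 3-Question test plus the §7 licence branch."""
    contracted_or_created: bool      # Q1: did we contract, register, or create it?
    controlled: bool                 # Q2: do we manage config, users, data, access?
    independently_terminable: bool   # Q3: would terminating it stop only that service?
    is_licence_agreement: bool = False


def decide_track_a(a: TrackAAnswers) -> Layer:
    """Walk the Track A branch of the §7 flowchart from top to bottom."""
    if not a.contracted_or_created or not a.controlled:
        return Layer.NOT_AN_ASSET          # A1 or A2 "No" -> ZA
    if not a.independently_terminable:
        return Layer.L3_PAGE_BODY          # A3 "No" -> component/resource (EA)
    if a.is_licence_agreement:
        return Layer.L2_LICENSE_INVENTORY  # FA "Yes" -> GA
    return Layer.L1_ASSET_REGISTER         # FA "No" -> HA


@dataclass(frozen=True)
class TrackBAnswers:
    """Answers to the Track B 3-Question test (§4.2)."""
    identifiable_dataset: bool       # Q1: a logical unit that can be named?
    confidential_or_internal: bool   # Q2: would disclosure or tampering cause harm?
    needs_separate_protection: bool  # Q3: own ownership, access controls, risk assessment?


def decide_track_b(b: TrackBAnswers) -> Layer:
    """All three Yes -> Information-type asset (JB); any No -> not required (ZB)."""
    if b.identifiable_dataset and b.confidential_or_internal and b.needs_separate_protection:
        return Layer.L1_ASSET_REGISTER
    return Layer.NOT_REQUIRED


# Navigation-path requirement per storage type, transcribed from the §4.2
# storage location table. The keys are assumed names, not Cybercraft fields.
#   "never":       the boundary is already the navigation unit (simple SharePoint site)
#   "required":    the boundary alone can never locate the data (OneDrive, Teams channel, SaaS area)
#   "conditional": needed only when the container/path layout or the schema is complex
NAV_PATH_RULE = {
    "sharepoint_site": "never",
    "sharepoint_teams_channel": "required",
    "onedrive": "required",
    "saas_internal": "required",
    "azure_blob": "conditional",
    "database": "conditional",
}


@dataclass(frozen=True)
class StorageLocation:
    storage_type: str
    boundary: str                 # access control boundary, e.g. "M365 -> OneDrive (Lucas)"
    nav_path: str = ""            # navigation path, e.g. "/Projects/ClientData/"
    layout_complex: bool = False  # many containers/paths, or many tables/schemas?


def storage_location_complete(loc: StorageLocation) -> bool:
    """Apply the single §4.2 criterion: can the data be found from this record alone?"""
    if not loc.boundary:
        return False  # the access control boundary is always mandatory
    # Storage types not in the table are treated conservatively: a path is required.
    rule = NAV_PATH_RULE.get(loc.storage_type, "required")
    if rule == "never":
        return True
    if rule == "required":
        return bool(loc.nav_path)
    return bool(loc.nav_path) or not loc.layout_complex


if __name__ == "__main__":
    # Constructed inputs mirroring the Appendix B rows and the §4.2 table.
    print("Entra ID Tenant:", decide_track_a(TrackAAnswers(True, True, True)).value)
    print("M365 Business Premium x5:", decide_track_a(TrackAAnswers(True, True, True, True)).value)
    print("Service inside our subscription (Q3 No):", decide_track_a(TrackAAnswers(True, True, False)).value)
    print("Customer Data:", decide_track_b(TrackBAnswers(True, True, True)).value)
    print("OneDrive record without path complete?",
          storage_location_complete(StorageLocation("onedrive", "M365 -> OneDrive (Lucas)")))
```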

8. Layer Structure

| Layer | Repository | Registration Unit | Purpose |
|---|---|---|---|
| L1 — Asset | Information Asset Register (DB) | Service environment / domain / infrastructure / physical asset / information asset | Risk assessment, ownership assignment, classification, controls |
| L2 — License | License Inventory (DB) | Subscription licence / SKU | Cost, renewal, seat count, SSO protocol tracking |
| L3 — Component & Resource | Asset page body (not a DB) | Features, services, instances, DNS mappings | Audit evidence, dependency documentation ("recorded and interrelated") |

9. Microsoft Ecosystem Special Rules

Microsoft Cloud follows a structure where multiple independent subscriptions are linked under a single Entra ID Tenant.

9.1. Official Hierarchy (per Microsoft Learn)

Organization (Cybercraft)
├── Entra ID Tenant (1) — Common identity foundation
│     ├── User Accounts & Groups
│     └── Provides authentication/authorisation
│
├── M365 Subscription — Separate SaaS contract
│     ├── License: Business Premium × N
│     └── Services: Exchange, SharePoint, Teams...
│
├── Azure Subscription — Separate IaaS/PaaS contract
│     ├── Billing: Pay-as-you-go / Free tier
│     └── Resources: Static Web Apps, VMs...
│
└── (Additional subscriptions possible, e.g. Dynamics 365)

9.2. Asset Registration Rules

| Item | Asset? | Registration Location | Rationale |
|---|---|---|---|
| Entra ID Tenant | ✅ Asset | Asset Register | Identity environment we created and control. Termination affects all subscriptions. |
| M365 Subscription | ✅ Asset | Asset Register | Separate SaaS contract. Terminating M365 does not affect Azure. |
| Azure Subscription | ✅ Asset | Asset Register | Separate IaaS/PaaS contract. Terminating Azure does not affect M365. |
| M365 Business Premium (licence) | ✅ Intangible asset | License Inventory | Subscription licence. Requires cost, renewal, and seat management. |
| Exchange Online, SharePoint, Teams, etc. | ❌ Component | M365 asset page body | Services within M365 Subscription. Cannot be independently terminated. |
| Entra ID, Intune, Defender, etc. | ❌ Component | M365 asset page body | Services included in M365/Azure subscriptions. |
| Azure Static Web Apps (incl. free tier) | ❌ Resource | Azure asset page body | Instance within Azure Subscription. Free/paid irrelevant. |

9.3. Component ↔ Licence Mapping

M365 provides different features per licence tier. This mapping is documented as a Component — License Mapping table in the M365 asset page body.

10. Domain and Website Rules

| Item | Asset? | Registration Location | Rationale |
|---|---|---|---|
| cybercraft.net (primary domain) | ✅ Asset | Asset Register | Purchased and registered at a domain registrar. We control it. |
| it-doc.cybercraft.net (subdomain) | ❌ Configuration | Domain asset page body | DNS CNAME record of the primary domain. |
| Azure Static Web App instance (it-doc hosting) | ❌ Resource | Azure asset page body | Instance within Azure Subscription. |

Cross-referencing mandatory:

11. SaaS General Rules

The same principle applies to all SaaS products:

☁️
SaaS Asset = The Organisation / Account / Workspace that Cybercraft creates and controls within the product

Register it in the Asset Register under the product name. This document defines that name to mean "the service environment of that product controlled by Cybercraft", so there is no need to prefix "Cybercraft" to individual asset names.

| Decision Criterion | Yes → Asset | No → Not an asset |
|---|---|---|
| Do we have an Organisation/Account? | Dashlane, AFI Backup, Splashtop | |
| Do we manage users and settings? | DocuSign, Apple Business Manager | |
| Is it for personal use only? | | Notion (personal), GitHub (personal) |

12. Asset Page Body — L3 Documentation Guide

Content to document in the page body per asset type:

Service Environment (SaaS)

Identity Platform

Cloud Infrastructure

Domain

Information / Data

Content to document in the information asset page body:

Information Asset Storage Location ↔ Technology Asset Cross-Reference Rules

When an information asset is stored in a resource of a technology asset, cross-references must be recorded on both sides:

Technology Asset page (M365, Azure, etc.) → In the resource list:

Information Asset page → In the storage location:

🔗
Why Cross-Referencing is Necessary

Technology asset owners need to know "Does the service I manage contain data requiring protection?" and information asset owners need to know "Where is the data I protect stored?" Without this bidirectional visibility, protection gaps will occur.


13. Related Documents

| Document | Relationship |
|---|---|
| Asset Management & Information Classification Policy (ISMS-POL-ASM-01) | Parent policy. The asset identification criteria in this standard definition function as a subordinate standard to this policy. |
| Information Asset Register (DB) | L1 asset repository. Assets are registered according to the criteria in this document. |
| License Inventory (DB) | L2 licence repository. Licence assets are registered according to the criteria in this document. |
| Risk Assessment Methodology (ISMS-RM-RAM-01) | Uses the asset classification from this document as input for asset-based risk assessment. |
| BYOD Security Policy (ISMS-POL-BYOD-01) | BYOD device security policy. Reference for BYOD scope exclusion rationale in §3/§6.5. |
| Device Lifecycle Procedure (ISMS-PROC-BYOD-01) | BYOD device lifecycle procedure. §6 quarterly device inventory review. |
| Application & Data Governance Policy (ISMS-POL-ADG-01) | App/data governance policy. Unauthorised app and Shadow IT management. See §6.5. |

Appendix A. Glossary

| Term | ISO 27002:2022 Mapping | Definition |
|---|---|---|
| Asset | "information and other associated assets" (A.5.9) | General term for items registered in the Asset Register. Encompasses both Technology Assets (Track A) and Information Assets (Track B). See §4. |
| Technology Asset | "other associated assets" (A.5.9) — covers Software, Physical, Services types | A service environment, infrastructure, physical equipment, or domain that the organisation contracts, registers, or creates and over which it holds control. Determined by the Track A 3-Question test. See §4.1. |
| Information Asset | "information" (A.5.9) — Information type | An identifiable dataset that requires protection, classification, and ownership assignment. Determined by the Track B 3-Question test. See §4.2. |
| Component | "components that sustain technology assets" (5.9 Implementation Guidance) | A feature or service provided within an asset. Cannot be independently terminated or controlled. |
| Resource | No direct ISO mapping — a cloud instance sub-concept of Component (Cybercraft-defined) | An individual service instance created within a cloud subscription (legacy equivalent: "server") |
| License | No direct ISO mapping — intangible asset under the Software category | A subscription agreement purchased to use a service. Intangible asset. |
| Tenant | No direct ISO mapping — an organisational unit instance under the Services type | A dedicated instance allocated per organisation in a cloud service (Entra ID Tenant, M365 Tenant, etc.) |
| Subscription | No direct ISO mapping — a contract unit under the Services type | A contract unit for using services/resources in Microsoft Cloud. Can be independently billed and terminated. |
| Organisation / Account / Workspace | No direct ISO mapping — synonymous with Tenant (product-specific naming) | A management environment created per organisation in a SaaS product (same concept as Tenant; naming varies by product) |

📋
Derived Data Exclusion Decision (v0.2.12)

ISO 27017:2015 addresses ownership and management responsibilities for "derived data" (logs, metadata, usage statistics, and other data generated during service operation) in cloud environments. Based on the §5 gap analysis, it was determined that derived data does not need to be classified as a separate asset type in Cybercraft's current operational environment.

  • Rationale: Cybercraft does not currently provide cloud services directly (i.e., no CSP role) and does not have a business model of generating or selling derived data from customer data.
  • Current coverage: Logs and audit trails generated during cloud service usage fall under security monitoring, not asset identification.
  • Future review trigger: If Cybercraft assumes a CSP role or provides derived services based on customer data, this decision will be reviewed against ISO 27017 criteria.

Appendix B. Decision Examples

Track A — Technology Asset Decision Examples

Item | Q1: Contract, register, create? | Q2: Control? | Q3: Independent termination? | Conclusion
--- | --- | --- | --- | ---
Cybercraft Entra ID Tenant | ✅ Created | ✅ Manage users/settings | ✅ Possible | Asset → Asset Register
M365 Business Premium × 5 | ✅ Purchased | ✅ Manage assignment | ✅ Possible | Licence asset → License Inventory
Exchange Online (within M365) | ❌ Included | △ Configurable but M365-dependent | ❌ Cannot be independently terminated | Component → M365 page body
Azure Static Web Apps | ❌ Created within Azure subscription | △ Manageable but Azure-dependent | ❌ Cannot exist without Azure | Resource → Azure page body
cybercraft.net | ✅ Purchased | ✅ DNS management | ✅ Possible | Asset → Asset Register
it-doc.cybercraft.net | ❌ DNS record | △ Record management | ❌ Domain-dependent | Configuration → Domain page body
Notion (personal) | ✅ Registered | ✅ Managed | ✅ Possible | Personal asset → Outside Cybercraft scope
Figma (hypothetical: company account) | ✅ Org created | ✅ Manage users/settings | ✅ Possible | Asset → Asset Register
SharePoint team site | ❌ Created within M365 | △ Site management possible | ❌ M365-dependent | Resource → M365 page body
OneDrive folder | ❌ Configuration within service | △ Folder management | ❌ OneDrive-dependent | Configuration — recording not even required
Azure Web App instance URL | ❌ Created within Azure | △ Instance management | ❌ Azure-dependent | Resource → Azure page body

Track B — Information Asset Decision Examples

Item | Q1: Identifiable? | Q2: Confidential/Internal classification? | Q3: Separate protection? | Conclusion
--- | --- | --- | --- | ---
Customer Data | ✅ Identifiable as "Customer Data" | ✅ Confidential | ✅ Requires access controls and risk assessment | Information asset → Asset Register (Confidential)
Financial Data | ✅ Identifiable as "Financial Data" | ✅ Confidential | ✅ Requires access controls and risk assessment | Information asset → Asset Register (Confidential)
HR Records | ✅ Identifiable as "HR Records" | ✅ Confidential | ✅ Requires access controls and risk assessment | Information asset → Asset Register (Confidential)
Source Code | ✅ Identifiable as "Source Code" | ✅ Internal | ✅ Requires access controls and risk assessment | Information asset → Asset Register (Internal)
General business documents (team meeting notes, announcements, etc.) | ✅ Identifiable | ❌ General — minimal harm from disclosure | ❌ Separate protection not required | Registration not required — natural content of storage
Test/dummy data | ✅ Identifiable | ❌ Not actual data — no harm from disclosure | ❌ Separate protection not required | Registration not required
Public website content | ✅ Identifiable | ❌ General — already public | ❌ Separate protection not required | Registration not required
🔗 Cross-Track Example — SharePoint Site Containing Customer Data
  • Track A: The SharePoint site itself → A resource of M365 (L3). Cannot be independently terminated → Not an asset.
  • Track B: "Customer Data" stored in that site → Identifiable + Confidential + Requires separate protection → Register as an Information asset.
  • Recording method: Mark "⚠️ Contains Confidential information asset" on the M365 asset page + record storage location on the information asset page (see §4.2).

The two tracks assess the same item from different perspectives. The key is not to confuse the storage (Track A) with the data held in it (Track B).


Change History

Version | Date | Author | Changes
--- | --- | --- | ---
0.1.0 | 2026-02-25 | Security Director | Initial draft. Asset identification principles, type taxonomy, decision flow, Microsoft/SaaS/domain rules defined.
0.1.1 | 2026-02-25 | Security Director | Added ISO 27002:2022 normative references, standard asset type mapping, implementation guidance citations, owner responsibilities, classification requirements, related documents.
0.1.2 | 2026-02-25 | Security Director | Enhanced §5 Information/Data definition, added §6.4 storage vs information asset distinction (SharePoint/OneDrive/Web App definitions, airline ticket analogy extension), §12 cross-reference rules, Appendix B with 7 additional examples.
0.1.3 | 2026-02-25 | Security Director | Refined §5 airline ticket analogy ("asset" vs "registrable asset" distinction), added §6.4 registration unit definition (logical dataset ≠ folder/path), added dummy/test data rules.
0.2.0 | 2026-02-25 | Security Director | Rewrote §6.4 registration unit (customs declaration analogy, registration example table), new storage location recording criteria (access control boundary principle, per-storage-type recording levels), new source/viewer distinction rules, expanded dummy data rules to general data rules.
0.2.1 | 2026-02-25 | Security Director | Reformulated storage location recording criteria: unified under dual-purpose principle of access control boundary (security) + navigation path (operational). Replaced per-storage-type rules with single decision question ("Can the data be found using only this information?"). Added SharePoint Teams channel scenario. Made OneDrive navigation path mandatory.
0.2.2 | 2026-02-25 | Security Director | Fixed §2.2 Software asset type examples: separated attributes (version, licence expiry) from examples → moved to separate "Inventory Record Items" paragraph. Replaced with actual Software asset type examples (OS, business applications, development tools, middleware).
0.2.3 | 2026-02-25 | Security Director | Clarified §2.3 owner responsibility scope: added scope note (callout) that "assets" includes both registered and to-be-registered assets.
0.2.4 | 2026-02-25 | Security Director | Introduced §4 two-track structure: Track A (Technology Asset 3-Question: contract? control? terminate?) and Track B (Information Asset 3-Question: identifiable? classify? protect?) separated into §4.1/§4.2. Stated track independence principle. Moved §5 cargo analogy and key distinction callouts to §6.4 (storage vs information asset). Changed §6.4 information asset registration criteria to §4.2 reference to eliminate duplication.
0.2.5 | 2026-02-25 | Security Director | New §3.1 Key Terms — defined terms prior to §4 entry (Technology Asset, Information Asset, License, Component, Resource). Added Track A/B independence summary callout. Added §5 asset type–layer relationship diagram (mermaid) — visualising structural connection between §5 (asset types) → §6 (non-assets) → §8 (layers).
0.2.6 | 2026-02-25 | Security Director | Unified section numbering: §6 subsections (5.1→6.1, 5.2→6.2, 6.4→6.3, 6.5→6.4), §9 subsections (8.1→9.1, 8.2→9.2, 8.3→9.3). Fixed §2.2 callout reference §4→§5. Replaced §7 decision flow mermaid with two-track structure (Track A technology + Track B information). Batch-updated cross-references (§6.4→§6.3).
0.2.7 | 2026-02-25 | Security Director | Moved §6.3 Track B detailed guides (registration unit, storage location recording, source/viewer, general data, storage-specific rules) to §4.2 subsections. §6.3 retains only principles, analogies, and §4.2 reference.
0.2.8 | 2026-02-25 | Security Director | Renamed §6: "What Is Not an Asset — Components and Resources" → "What Not to Register". Added change history entry.
0.2.9 | 2026-02-25 | Security Director | Split Appendix B into two tracks: Track A (Technology Asset) table and Track B (Information Asset) table. Changed Q1 column header "contract, register?" → "contract, register, create?". Added 7 Track B examples (customer data, financial data, HR records, source code, general business documents, test/dummy data, public website content). Added cross-track (SharePoint + customer data) callout. Removed former mixed rows (SharePoint with customer data, customer data dataset, general business documents).
0.2.10 | 2026-02-25 | Security Director | Revised Appendix A glossary: rewrote "Asset" definition to encompass both tracks (previously Track A-centric → now Track A+B inclusive). Added "Technology Asset" and "Information Asset" terms. Completed v0.2.7–v0.2.10 change history.
0.2.11 | 2026-02-25 | Security Director | Added §2.2 CIS Controls v8.1 discovery structure callout — CIS 3-Control is a discovery entry point; equivalent coverage with different methodology to Cybercraft Track A/B. Added §3 BYOD/personal device/software scope exclusion callout. New §4.1 Asset Discovery Methodology subsection — contract-based discovery principle, Admin Consent Workflow = SaaS discovery channel, rationale for no separate Discovery procedure. New §6.5 BYOD devices/personal software/hardware — Track A application, management purpose, inventory source (Intune/Entra ID). Added 3 related documents to §13 (BYOD Policy, Device Lifecycle Procedure, ADG Policy).
0.2.12 | 2026-02-25 | Security Director | Converted Appendix A glossary table to 3-column structure — added ISO 27002:2022 mapping column with ISO standard mapping for all 9 terms. Added Derived Data exclusion decision callout at bottom of Appendix A — ISO 27017 derived data not applicable at present; review trigger specified for CSP role assumption.