Inventorization of assets

The Primary Asset Page is designed to help organizations distinguish between Primary Assets (business processes and information assets) and Supporting Assets (software, hardware, locations, people). This approach aligns with ISO 27001:2022, which emphasizes information as a critical asset and links it to infrastructure for better risk assessment and compliance.

Understanding Primary vs. Supporting Assets

 

  • Primary Assets: Core business processes and information assets that require protection, such as customer data, financial records, intellectual property, HR data, and operational workflows. These are business-critical and require security measures aligned with their classification.
  • Supporting Assets: The infrastructure that enables or processes Primary Assets. This includes software, databases, devices, cloud services, and even physical locations.

By linking Primary Assets to Supporting Assets, users can now see how risks impact business processes and ensure appropriate security controls are in place.

Discovering and Adding Primary Assets automatically

Kertos can automatically suggest the most relevant Primary Assets based on the active tools listed in your Data Sources tab. This eliminates manual classification and ensures that all critical business processes and information assets are captured effortlessly.

1. Supporting Assets (Systems) are Activated

  • When a new system (e.g., HubSpot, Salesforce, AWS, Notion, Stripe) is added and listed under Active Data Sources, the system automatically detects it.

2. Primary Assets are Suggested

  • Based on the detected system, the most relevant Primary Assets are suggested and listed in the Discovered Tab of the Primary Asset Page.
  • Example: If HubSpot is an active data source, the system will suggest Lead Scoring and CRM Data as relevant Primary Assets.

3. You can now review & activate suggested assets

  • Suggested Primary Assets appear in the Discovered Tab for user review.
  • You can move discovered assets to Active with one click—ensuring that the asset inventory stays complete without unnecessary manual effort.

If a Primary Asset was not discovered through a Cloud Scan, you can add it manually (see below).

 

Adding Primary Assets manually

 

 

1. Navigate to the "assets" section

2. Fill out the necessary information 

 

Providing the necessary information

 

 

Required:

  • Asset Name: The name of the asset.
  • Asset ID: A unique identifier for tracking the asset.

Optional:

  • Owner: The responsible person for the asset.
  • Department: The business unit that utilizes or owns the asset.
  • Description: Any additional information relevant to the asset.
  • Classification: The importance of the asset based on the CIA triad (Confidentiality, Integrity, Availability).
  • Linked Supporting Assets: Displays all associated supporting assets (e.g., databases, software, cloud services) that process or store this Primary Asset.
  • Linked Risks: Shows all identified risks related to the Primary Asset, ensuring visibility into potential vulnerabilities and their impact on business processes.

 

Assessing the Classification of an Asset

 

 

You can evaluate the Classification of a Primary Asset at the time of creation or by modifying an existing one.

1. In the detail view of the asset, scroll down to “Criticality”.

2. Provide ratings for each CIA component on a 1-4 scale, as explained in the interface.

3. The Classification Level will be automatically calculated.

4. Click Save to finalize the changes.

 

Linking Supporting Assets

To ensure a comprehensive asset inventory, Supporting Assets (e.g., software, databases, cloud services) should be linked to Primary Assets (e.g., business processes, information assets). This helps contextualize where critical information is processed and stored.

 

1. Open the primary asset you want to add supporting assets to.

 

 

2. Locate the "Linked Supporting Assets" section

3. Select "other assets".

4. Click ‘+ Link Assets’.

5. Select an asset from the suggested list or search for an asset in the system.

6. Click Save to confirm the connection.

7. Review Linked Assets

Once linked, the Supporting Asset appears in the table, displaying:

  • Criticality Level (Low, Medium, High)
  • Last Login (if applicable)
  • Owner
  • Category (e.g., Software, Cloud Service, Finance Tool)

 

Linking Risks to Primary Assets

To ensure a comprehensive risk assessment, it’s essential to link risks to Primary Assets. Linking shows the potential impact of risks on business-critical processes and helps ensure that appropriate security controls are in place.

 

1. Open an existing Primary Asset (e.g., "Lead Scoring and Qualification").

2. Locate the ‘Linked Risks’ Section

3. Click ‘+ Link Risks’.

4. Select a risk from the suggested list or search for an existing risk in the system.

5. Click Save to confirm the connection.

6. Review Linked Risks:

Once linked, the Risk will appear in the table, displaying the Risk Level (Low, Medium, High).

 

Best Practices for Managing Primary Assets

Ensure completeness: Always provide Owners and Departments for clear accountability.

Link risks and controls: Assess asset criticality to inform Risk Management decisions.

Maintain consistency: Use structured naming conventions for better traceability.

 

Grouping assets together

Managing supporting assets efficiently is crucial for compliance and operational efficiency.

 

 

The Supporting Asset Groups feature enables you to create groups for better asset management within the Supporting Assets Table. At the top of the table, you can see category tags such as Business Devices, C-Level Devices, and Tech-Devices for easy organization.

 

 

1. Clicking on a Supporting Asset Group will automatically select all listed assets within that group. 

2. You can then perform several bulk actions, including deleting, archiving, adding assets to another group, editing classifications, ungrouping, or renaming the group.

3. You can now group hardware assets within the Supporting Asset Table under different subcategories (e.g., Computers, Smartphones). This feature enables two key bulk operations:

 

Bulk Classification Assignment

You can assign a classification to an entire asset group at once, ensuring consistency and reducing manual effort.
Clicking on Edit Classification will open a window where you can evaluate and update the classification level for the selected assets.

 

Bulk Linking to Primary Assets

 

 

1. To link a group of supporting assets to a primary asset, follow the steps for linking supporting assets described above.

2. Select an entire asset group instead of a single asset.

 

FAQs

What are Assets?

Assets in the context of information security are resources that have value to an organization. These can include physical assets like computers and servers, as well as intangible assets such as data, software, processes and intellectual property.

What do I need to do in the ‘assets’ section?

Your job is to keep the asset section up to date: make sure that the necessary information for each asset is documented, and reflect changes as they occur. This is the basis for compliant risk management.

What do I need to do with discovered assets?

First assess whether they are actually relevant to your organization; if not, move them to the Archive. Then move the relevant ones to Active and provide the detailed information for each of them.

Which information fields for assets are mandatory?

This depends on the type of asset that you are looking at. The absolutely mandatory fields are marked with “*”. Beyond that, it is always mandatory to assign an owner and, if applicable, a holder. If the holder and the owner are the same person, it is not mandatory to assign a holder to the asset. For more detailed guidance, please refer to our help center.

Which assets do I have to add to the asset inventory?

You should add all assets that are relevant to your company and that have potential risks attached to them.

Does a "holder" make sense for an infrastructure asset?

Holder entries are not mandatory. For assets, a holder means that the owner and the user of the asset are different individuals. For example, the HR Lead can be the owner of a process asset, while the process is carried out by staff who report to them.

What is the implication of the CIA assessment in the asset section?

The CIA assessment determines the confidentiality, integrity and availability levels for the asset, which is required by various ISMS standards.

How do I know that I have all assets?

Our discovery integrations for cloud infrastructure and mobile device management will detect a lot of assets for you, but you have the ultimate responsibility of making sure that all important assets are documented in Kertos. You can use our asset categories on the asset page for orientation.
