Information asset

by John Bandler

An information asset is something a person or organization has that relates to information, information systems, and technology.

I think of the term broadly, and also in terms of the Four Pillars of Cybersecurity, so let's start simple:

  • People Bandlers Four Pillars of Cybersecurity
  • Devices
  • Data
  • Networks

Now lets work some more detail into each of those terms.

  • People (yes, I know people are not property but they are important assets of an organization and the most important part of cybersecurity. We need to manage who has access to what, provide them with the knowledge and the ability to make good decisions, etc.)
  • Devices (computer devices, like servers, desktops, laptops, tablets, smartphones, networking devices, etc.)
  • Data and online accounts and applications (data stored, data categories, data places, online accounts of all types, applications, and even service accounts with service providers)
  • Networks and internet usage (and also communications tools, service accounts)

Do we really need to define this term?

Yes, because it is important to know what it means, and because organizations are going to want to do an information asset inventory.

People and organizations are using accounts, applications, and systems that they may not even be fully aware of -- until it is too late.

If organizations are trying to improve the way they manage their information assets (e.g., information governance) then they need to assess what their information assets are. Then they can work on evaluating whether they are running things efficiently, securing them properly, and more.

What's next?

Organizations should do an information asset inventory, to a reasonable degree, and improve upon it periodically.

What could go wrong?

Imagine all the bad things that could happen to an organization that doesn't manage information assets well:

  • Accounts forgotten about, lose access, compromised by an attacker
  • Data breach
  • Ransomware
  • Theft
  • Inefficiency
  • Using multiple accounts or software providers for the same service
  • Forget data is being stored in a particular location or application
  • Forget to pay the phone bill, lose the company phone number
  • Forget to pay the internet bill, lose internet access

What could go right or be improved?

Almost everything.

The better you manage and identify all of your information assets, the better you can use them.

An asset is not useful if you don't remember you have it.

There is waste and inefficiency if you have duplicate assets or cannot find them or properly harness them.

What is an information system?

An information system is a group of information assets, working together. That's a simple definition.

Obviously, as you think about individual information assets, you realize they work with other information assets, and almost never are in isolation. So things can get complex. But before you get overwhelmed with complexities, start simple, with the individual information assets.


This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform and you assume all risk for cybersecurity decisions you make. This is an introduction and more can be written on this topic.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts, you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.


Information assets are essential, your organization should consider an inventory of them! See that article below.

If your organization needs help with improving its cybersecurity, feel free to contact me.

Additional reading

This article is hosted at, copyright John Bandler, all rights reserved.

This article is also available on at NOT YET (though not kept as up to date).

Originally posted 11/21/2023, updated 11/29/2023.