According to ISO/IEC 27002:2005, Information technology - Security techniques - Code of practice for information security management, information is an important organisational asset worth protecting. The processes, systems and networks that support it are likewise essential assets of the organisation. In an increasingly networked business environment, these assets need to be protected from a wide range of threats in order to ensure business continuity and to maintain a competitive business edge.
In a nutshell, all assets of an organisation (physical and non-physical) can be represented as information. Protecting information assets is therefore protecting the entire organisation from security threats. The Common Criteria, like ISO/IEC 27002, positions protection of the organisation's assets as the central focus of information security. Figure 1 illustrates this positioning and the relationships between assets and their owner, security threats, security protection (referred to in Figure 1 as countermeasures) and security risk: owners value assets and impose countermeasures to reduce risk, while threat agents give rise to threats that increase the risk to those assets.
Figure 1: Security concepts and relationships (CC-1, 2009)