In Clause 8.3, the DIS of ISO 21434 allows the relevant assets to be enumerated by a variety of methods. As examples, it suggests enumerating them by their impact rating, by threat scenarios, or even by using predefined catalogues.
Notably, ISO 21434 includes the Damage Scenarios as a result of the Asset Identification. Consequently, in our figure above, the arrows between Asset Identification, Threat Scenario Identification and Damage Scenario Identification can actually go in various directions, depending on the applied method.
In the YAKINDU Security Analyst Team, we observe that asset identification based on enumerating all system elements per security property (e.g. C, I, A) is a common path during conception. The Asset Identification Assistant will also allow Damage Scenarios to be created or referenced immediately during identification. Nonetheless, in later development stages, it seems more common to be driven by threat scenarios and then to generate damage scenarios and assets for each feasible threat scenario in order to assess its risk.
Want to discuss further how to identify relevant assets according to ISO 21434? Feel free to contact the YSEC Team. Otherwise, read more about our insights from reading ISO 21434.