How to identify relevant Assets according to ISO 21434?

In Clause 8.3, the DIS of ISO21434 allows to enumerate the relevant assets with a variety of methods. As examples, it suggests to enumerate them by their impact rating, or threat scenarios, or even using predefined catalogues.

From item definition to risk determination

Notably, ISO21434 includes the Damage Scenarios as a result of the Asset Identification. As a result, in our figure above between Asset Identification, Threat Scenario Identification and Damage Scenario Identification; the arrows can actually go in various ways, depending on the applied method.

In the YAKINDU Security Analyst is now itemis SECURE Team, we observe the asset identification based on enumerating all system elements per security property (e.g. C, I, A) is a common path during conception. The Asset Identification Assistant will also allow to create or reference Damage Scenarios immediately during identification. Nonetheless, in later development stages, it seems more common to be driven by threat scenarios and then generate damage scenarios and assets for each feasible threat scenario to assess its risk.

What now?

Want to discuss about how to identify relevant Assets according to ISO 21434 further? Feel free to contact the itemis SECURE Team. Otherwise, read more on our insights from reading ISO21434.