The current asset and information classification system is based solely on confidentiality. There is no classification of assets with respect to their availability and integrity requirements.
Why This Is a Problem
Relying only on confidentiality results in an incomplete protection needs assessment. Assets with high availability or integrity requirements may not receive adequate protection, which can negatively impact:
the effectiveness of implemented security controls,
risk identification and prioritization,
alignment with ISO/IEC 27001 requirements.
-> This causes a nonconformity during the audit.
Proposed Feature
Extend the asset classification framework to include availability and integrity dimensions, in addition to confidentiality.
For each asset, users should be able to define protection needs across all three CIA dimensions.
Created by Elżbieta Żurakowska