
Guidance box: This is a guidance box. Remove all guidance boxes after filling out the template. Items highlighted in turquoise should be edited appropriately. Items highlighted in green are examples and should be removed. After all edits have been made, all highlights should be cleared.

Guidance box: Insert entity logo by clicking on the outlined image.

Asset Classification Standard Template

Choose Classification

DATE     Click here to add date
VERSION  Click here to add text
REF      Click here to add text

Guidance box: Replace <organization name> with the name of the organization for the entire document. To do so, perform the following:
● Press “Ctrl” + “H” keys simultaneously.
● Enter “<organization name>” in the Find text box.
● Enter your organization’s full name in the “Replace” text box.
● Click “More”, and make sure “Match case” is ticked.
● Click “Replace All”.
● Close the dialog box.
Asset Classification Standard Template

Disclaimer
This template has been developed by the National Cybersecurity
Authority (NCA) as an illustrative example that can be used by organizations as
a reference and guide. This template must be customized and aligned with the
<organization name>’s business and relevant legislative and regulatory
requirements. This template must be approved by the head of the organization
(Authorizing official) or his/her delegate. The NCA is not responsible for any use
of this template as is, and it affirms that this template is solely an illustrative
example.

Choose Classification

VERSION <1.0>

1

Document Approval
Role | Job Title | Name | Date | Signature
Choose Role | <Insert job title> | <Insert individual’s full personnel name> | Click here to add date | <Insert signature>

Version Control
Version | Date | Updated By | Version Details
<Insert version number> | Click here to add date | <Insert individual’s full personnel name> | <Insert description of the version>

Review Table
Periodical Review Rate | Last Review Date | Upcoming Review Date
<Once a year> | Click here to add date | Click here to add date


Table of Contents
Purpose ............................................................................................................. 4
Scope ................................................................................................................ 4
Standards .......................................................................................................... 4
Roles and Responsibilities .............................................................................. 10
Update and Review ......................................................................................... 10
Compliance ..................................................................................................... 10
Appendix ......................................................................................................... 11


Purpose
This standard aims to define the detailed cybersecurity requirements
related to the asset classification of <organization name>'s systems, data and
information, to minimize cybersecurity risks resulting from internal and external
threats at <organization name> in order to preserve confidentiality, integrity
and availability.
The requirements in this standard are aligned with the cybersecurity
requirements issued by the National Cybersecurity Authority (NCA) in addition
to other related cybersecurity legal and regulatory requirements.

Scope
This standard covers all assets (e.g., physical, data, business application,
software and technology assets) in the <organization name> and applies to all
personnel (employees and contractors) in the <organization name>.

Standards

1 Asset classification

Objective: To classify all assets owned and managed by the <organization name>.

Risk Implication: If asset classification is not developed and implemented in <organization name>, assets may be protected with improper protective measures or controls, and critical assets may be handled incorrectly, which may lead to exposure or breach.

Requirements:

1-1 All assets owned and managed by <organization name> must be classified.

1-2 Physical assets (e.g., network connection devices, IDS/IPS, storage assets and critical systems’ peripherals) must be classified by reference to the highest classification of the information input, processed, stored or transmitted on the physical asset.

1-3 Business application and software assets must be classified by reference to the highest classification of the information input, processed, stored, transmitted or deleted by users of the application or software.

1-4 Third parties and suppliers must be classified by reference to the highest classification of the information input, processed, stored, transmitted or deleted by the third party or supplier.

1-5 Any asset (information, physical, business application, software, and third party and supplier) that inputs, processes, stores, transmits or deletes personal and/or sensitive information must be classified as “Critical”, “High”, “Moderate” or “Low”, in addition to any other classification required.

2 Physical asset labelling

Objective: To label all physical assets owned by the organization.

Risk Implication: Unlabeled assets can be difficult to track, monitor or return to <organization name>. An unlabeled asset may not be included in an asset register, which can lead to the asset not being updated or maintained in the appropriate manner. Unlabeled physical assets may be handled incorrectly, which may result in damage, theft or loss.

Requirements:

2-1 All physical assets owned by the organization must have a tamper-proof label attached.

2-2 The tamper-proof label must show the unique identifier assigned to the asset in the asset register, as a number, bar code or QR code.

2-3 The tamper-proof label must contain a contact number.

2-4 The tamper-proof label must not contain <organization name>, the <organization name> logo or other identifying marks or text.

3 Physical asset handling

Objective: To protect assets by handling them in a secure manner.

Risk Implication: Improper or careless handling of physical assets can lead to damage, loss or theft of the asset and of any information stored on or accessible from the device. Depending on the asset and information, <organization name> may be exposed to legal or regulatory investigations and penalties.

Requirements:

3-1 Physical assets (excluding assets recognized as mobile devices) must not be removed from their designated location.

3-2 Approval must be obtained from the asset owner if a physical asset is to be removed from its designated location.

3-3 Storage media, such as hard disk drives, that have been used to store information classified as “Top Secret”, “Secret” or “Confidential” must be securely erased using a published erasure method such that data cannot be retrieved (e.g., NIST SP 800-88 Rev. 1).

3-4 Storage media, such as hard disk drives, that have been used to store information classified as “Top Secret”, “Secret” or “Confidential” must be physically destroyed (e.g., by shredding to Deutsches Institut für Normung (DIN) 66399 levels O-5 and H-5, or by incineration).

4 Mobile device physical asset handling

Objective: To protect mobile devices by handling them in a secure manner.

Risk Implication: Improper or careless handling of mobile assets can lead to damage, loss or theft of the asset and of any information stored on or accessible from the device. Depending on the asset and information, <organization name> may be exposed to legal or regulatory investigations and penalties.

Requirements:

4-1 Users of mobile devices (such as laptops, mobile phones and portable storage devices) that may input, process, store, transmit or delete classified data must be trained at least once a year in the secure handling of the devices and data. The users must acknowledge that they have received and completed the training.

4-2 Mobile devices must be returned to a central location for disposal.

4-3 Storage media, such as hard disk drives, in mobile devices that have been used to store information classified as “Top Secret”, “Secret” or “Confidential” must be securely erased following decommissioning, using a published erasure method such that data cannot be retrieved (e.g., NIST SP 800-88 Rev. 1).

4-4 Storage media, such as hard disk drives, in mobile devices that have been used to store information classified as “Top Secret”, “Secret” or “Confidential” must be physically destroyed following decommissioning (e.g., by shredding to DIN 66399 levels O-5 and H-5, or by incineration).

4-5 Portable storage devices that have been used to store classified information must be physically destroyed following decommissioning (e.g., by shredding to DIN 66399 levels O-5 and H-5, or by incineration).

5 Information asset labelling

Objective: To label information assets with their classification.

Risk Implication: Unlabeled information assets will not be handled correctly, raising the likelihood of exposure or breach.

Requirements:

5-1 Classified information assets in digital format (files, databases or emails) must be labelled electronically (e.g., by using headers and footers in documents, file naming conventions, or digital signatures).

5-2 Classified information assets in physical format (papers, hard copies, contracts, etc.) must be labelled using a tamper-evident mechanism such as rubber ink stamps, adhesive labels or hologram lamination.

5-3 Classified information printed out in hard copy format from a business application or software must have the relevant classification applied before printing (according to the <organization name>’s Data Classification Policy).

6 Information asset handling

Objective: To handle information assets in a secure manner.

Risk Implication: Improper or careless handling of information assets may lead to exposure or a breach. Depending on the information exposed or breached, <organization name> may be exposed to legal or regulatory investigations and penalties.

Requirements:

6-1 Classified information assets in digital format must be encrypted during storage and transmission.

6-2 Electronic data or file transfers must be carried out using an approved, secure file transfer system (not email or another messaging application).

6-3 Data or files containing classified information must be transferred using secure communication media, such as email over VPN or SFTP.

6-4 File transfer systems must require the use of a UserID. The file transfer system must log, at a minimum, the UserID, the file transferred, and the date and time.

6-5 File transfer system logs must be reviewed once a month by the Business Application Owner.

6-6 Classified information assets in physical format (papers, hard copies, contracts, etc.) must be protected by appropriate means at all times, such as being locked away when not in use and placed in envelopes when being transported.

6-7 Classified information assets in physical format must be locked away at the end of each working day, or if the desk is to be left unattended for longer than an hour.

6-8 Information assets classified as “Confidential” or below in physical format can be taken off <organization name> premises in a secure manner (e.g., placing the papers in a double envelope, ensuring no <organization name> identifiers can be seen, and placing the papers in a briefcase, laptop bag or hand luggage).

6-9 Information assets classified as “Confidential” or above in physical format cannot be taken off <organization name> premises.

6-10 Classified information assets in physical format sent to third parties or suppliers must be sent in a secure manner (e.g., placing the papers in a double envelope, ensuring no <organization name> identifiers can be seen, and placing the papers in a tamper-proof or tamper-evident package).

6-11 Classified information assets in physical format sent to third parties or suppliers must be sent using a courier or tracked mail method. The recipient must sign to acknowledge delivery.

6-12 Classified information assets in physical format must be securely destroyed by shredding (e.g., using a cross-cut shredder meeting DIN 66399 level P-4 or higher, such as P-5 or P-6).

6-13 Information assets in physical format classified as “Top Secret” or “Secret” must not be taken off <organization name> premises.

6-14 Information assets in physical format classified as “Top Secret”, “Secret” or “Confidential” must be securely destroyed by shredding (e.g., using a cross-cut shredder meeting DIN 66399 level P-5 or P-6).

Roles and Responsibilities

1- Standard Owner: <head of the cybersecurity function>
2- Standard Review and Update: <cybersecurity function>
3- Standard Implementation and Execution: <information technology function>
4- Standard Compliance Measurement: <cybersecurity function>

Update and Review

<cybersecurity function> must review the standard at least once a year, or whenever changes occur to the policy, to the regulatory procedures in <organization name>, or to the relevant regulatory requirements.

Compliance
1- The <head of the cybersecurity function> will ensure compliance of
<organization name> with this standard on a regular basis.
2- All personnel at <organization name> must comply with this standard.
3- Any violation of this standard may be subject to disciplinary action
according to <organization name>’s procedures.

Appendix

A- Asset Classification Levels

Classification Level | Description
Critical | <Asset is classified as “Critical” if unauthorized access or misuse causes severe and exceptional effects to the organization in a way that is difficult to resolve>
High | <Asset is classified as “High” if unauthorized access or misuse causes significant effects to the organization>
Moderate | <Asset is classified as “Moderate” if unauthorized access or misuse causes moderate effects to the organization>
Low | <Asset is classified as “Low” if unauthorized access or misuse causes negligible or minor effects to the organization>

B- Data Classification Levels

Classification Level | Description
Top Secret | <Data is classified as “Top Secret” if unauthorized access or misuse causes severe and exceptional effects to the organization in a way that is difficult to resolve>
Secret | <Data is classified as “Secret” if unauthorized access or misuse causes significant or moderate effects to the organization>
Restricted | <Data is classified as “Restricted” if unauthorized access or misuse causes minor or limited effects to the organization>
Public | <Data is classified as “Public” if unauthorized access or misuse does not cause any effect to the organization>
