During system/asset classification, should we think about risk first or about categorizing? What process should be followed to categorize the systems?
I would suggest identifying the risk first, before categorizing, since it allows you to create a comprehensive understanding that can be leveraged to influence stakeholders and make better project decisions. Good risk identification creates good project communication, and good communication creates good decisions. It is the foundation of good risk management, and no fancy tool or spreadsheet will overcome poor risk identification.
In order to determine the system security category, the information owner/information system owner collects relevant documentation specific to the information system, such as the system description and architecture. In addition, the information owner/information system owner also collects any available guidance documentation issued by the organization. The information owner/information system owner establishes working relationships with others within the organization who are also impacted by the categorization decision, such as the information security program office, the enterprise architecture group, and information sharing partners.
Prior to categorizing an information system, the information owner/information system owner collects available documentation on the information system. While the details of a new information system may not be known, sufficient information should be available to begin to identify the types of information that will be processed, stored, or transmitted by the system, such as the system description and concept of operations, typically documented in the initial system security plan.
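The answer above describes the inputs to categorization (an inventory of the information types the system handles) but not how those inputs turn into a system security category. The following is an added example, not code from the original question or answer: it implements the high-water-mark rule used by FIPS 199 / NIST SP 800-60 style categorization, where each security objective (confidentiality, integrity, availability) for the whole system takes the highest impact level of any information type, and the owner may then adjust a provisional level with a documented rationale. The information types, ratings and the `adjustments` mechanism are constructed for illustration and are assumptions about how an organization records the review step.

```python
"""Security categorization by high-water mark (FIPS 199 / SP 800-60 style).

Added example, not from the original Q&A answer. Assumes the organization
uses the three impact levels LOW/MODERATE/HIGH for confidentiality,
integrity and availability; the information types and ratings below are
constructed sample data, not values from any real catalogue.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact levels; the ordering drives the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """One type of information the system processes, stores or transmits,
    with a provisional impact rating per security objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types, adjustments=None):
    """Return {objective: Impact} for the whole system.

    Each objective takes the maximum (high-water mark) over all information
    types. `adjustments` (hypothetical structure) maps an objective to a
    (level, rationale) pair recorded after the owner's review; an override
    without a rationale is rejected so the decision stays auditable.
    """
    if not info_types:
        raise ValueError("cannot categorize a system with no information types")
    category = {
        obj: max(getattr(t, obj) for t in info_types) for obj in OBJECTIVES
    }
    for obj, (level, rationale) in (adjustments or {}).items():
        if obj not in OBJECTIVES:
            raise ValueError(f"unknown objective: {obj}")
        if not rationale:
            raise ValueError(f"adjustment of {obj} needs a documented rationale")
        category[obj] = Impact(level)
    return category


def overall_impact(category):
    """Single system-level impact: high-water mark across the three objectives."""
    return max(category.values())


def format_category(category):
    """Render in the usual SC = {(objective, LEVEL), ...} notation."""
    inner = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


# Constructed sample inventory for a hypothetical customer portal.
SAMPLE_INFO_TYPES = [
    InfoType("public product catalogue", Impact.LOW, Impact.MODERATE, Impact.LOW),
    InfoType("customer account records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("payment authorisation data", Impact.HIGH, Impact.HIGH, Impact.MODERATE),
]

if __name__ == "__main__":
    provisional = categorize_system(SAMPLE_INFO_TYPES)
    print("provisional:", format_category(provisional),
          "-> overall", overall_impact(provisional).name)
    # Owner review: availability raised because the portal is the only sales channel.
    reviewed = categorize_system(
        SAMPLE_INFO_TYPES,
        adjustments={"availability": (Impact.HIGH, "sole sales channel; outage halts revenue")},
    )
    print("reviewed:   ", format_category(reviewed))
```

The point a practitioner should take from this is that the category is only as good as the information-type inventory feeding it: a forgotten information type with a HIGH rating silently lowers the result, which is why the answer stresses collecting the system description and concept of operations before categorizing, and why any downward adjustment should carry a written rationale that reviewers can challenge.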