| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 13.1 - Controlling Access to Assets
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series opens Domain 5 with how you control access to the things an organization values. It explains why access control is the daily work of protecting a business, and how naming what you are protecting lets you choose the correct control and turn a policy into real protection.
What this episode covers
- What counts as an asset — anything of value, tangible or intangible, that the organization needs to defend.
- The six technology asset types — information, systems, devices, facilities, applications, and services.
- Information and systems — all data wherever it lives, and sets of components that deliver a service.
- Devices and facilities — physical computing equipment, and the rooms, buildings, or campuses you own or rent.
- Applications and services — the doorway to your data, and offered capabilities like printing or support.
- Physical and logical controls — controls you can touch versus authentication, authorization, and permissions.
- The core triad — every control defends against loss of confidentiality, integrity, or availability.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What actually counts as an asset?
An asset is anything of value the organization needs to defend. Some assets are tangible, meaning you can physically touch them, like a server or a badge reader. Others are intangible, like a customer database or a patented design. People are assets too, though this lesson focuses on the technology side. Think of it like a warehouse, where some things on the shelves are physical goods and some are the blueprints that make those goods valuable.
What are the six technology asset types you must protect?
The certification groups them into a clean set: information, systems, devices, facilities, applications, and services. Information is all data wherever it lives, a system is a set of components delivering a service, and devices are the physical computing equipment across the environment. Facilities are the physical places you own or rent, applications are the doorway to your data, and services are offered capabilities like printing or support. Picture all six and no environment is left uncovered.
How do physical controls protect assets?
Physical controls are the ones you can touch, like fences, gates, turnstiles, and even heating and fire suppression that guard the environment. They shield systems, devices, and facilities directly. A locked server room with a cipher lock is a perfect example: it protects the hardware, and by extension the data and applications that hardware holds. These controls stop the wrong people from ever reaching the equipment in the first place.
How do logical controls protect assets?
Logical controls are the technical protections around information, systems, devices, and applications. They include authentication, authorization, and the permissions that follow, so only someone who can authenticate reaches the data, and permissions decide exactly what they touch. These same controls restrict who can change configuration settings on a router or a server, and they work the same way whether the resource sits on-site or in the cloud.
How does access control tie back to the core triad?
Access control exists mainly to prevent loss, and there are three losses to prevent. Confidentiality means only authorized subjects reach objects, so an unauthorized read is a loss of confidentiality. Integrity means data and settings are not changed without approval, so an unauthorized edit is a loss of integrity. Availability means authorized requests are served in reasonable time, so an outage that blocks legitimate users is a loss of availability. Every control defends one of these three.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 13.1 - Controlling Access to Assets.