Identification of an organization’s assets, such as its personnel, structures, equipment, systems, and information assets, is the first step in the development, documentation, and application of policies and procedures for their protection. To identify threats, classify assets, and rate system vulnerabilities to implement effective controls, an organization uses security management procedures like asset and information classification, threat assessment, risk assessment, and risk analysis.