1. Assets & orientation
Inventory of assets is fundamental for cybersecurity, as uncharted assets have little chance of being properly maintained, and can constitute weak points for the information system.
For most assets, it is possible to to automate inventory, using builtin or installed agents.
For enterprise mobile terminals, there exist numerous Mobile Device Management solutions.
Inventory shall allow to retrieve versions of every piece of software, as this will be basis for vulnerability management.
Network assets shall also be comprised in the inventory. Indeed, an old Wi-Fi router can be the simplest way to penetrate a company networks.
Other assets to include are printers, scanners, CCTV, and potentially a bunch of IoT devices.
Orientation is based on organization vision, policy and risk management.
Considered risks in ASF are related to information system, and more specificaly to software development.
Once risk assessment is performed (see dedicated section), use it to define your priorities.