Information goods

Information goods are intangible assets based on information, such as software, algorithms, and datasets. They are non-excludable and non-rivalrous, requiring protection under IPR frameworks like the WTO TRIPS Agreement to ensure innovation incentives.

Curated by Winners Consulting Services Co., Ltd.

Questions & Answers

What are information goods?

Information goods are intangible assets where the value lies in the information content rather than the physical medium. This includes software, algorithms,-based models, and datasets. According to the WTO TRIPS Agreement and the Taiwan Trade Secret Act, these assets require specific legal protections due to their non-excludable and non-rivalrous nature. In a risk management context, information goods must be managed under the ISO 27701 framework, which extends the ISO 27701 standard to include privacy-specific controls. This ensures that the information-based value-add of the company is protected against unauthorized access, use, and disclosure, aligning with the GDPR principle of integrity and confidentiality. Unlike physical goods, the risk-adjusted value of information goods depends heavily on the control over their dissemination and the ability to prove their economic value in legal proceedings.

How are information goods applied in enterprise risk management?

Implementation typically follows three steps: Asset-centric Identification, Risk-adjusted Valuation, and Control-based Mitigation. First, companies must categorize information products according to ISO 27701's information-handling requirements, ensuring each asset type has appropriate access controls. Second, the risk-adjusted value of each information product is calculated using the ALE = ATE × ARL formula, where ATE is the Annual Threat-adjusted Exposure and ARL is the Annual Rate-of-occurrence-of-loss. For example, a Taiwanese fintech firm using a proprietary credit-scoring algorithm would be closely monitored under the Taiwan Financial Holding Company Risk Management Regulations. Third, technical controls like encryption (ISO 27001 Clause 6.10) and access-control-based DLP systems are deployed. A US-based SaaS company reported a 40% reduction in data-leakage-related incidents within 12 months of implementing these controls, demonstrating the tangible ROI of information-centric risk management.

What challenges do Taiwan enterprises face when implementing Information goods?

Taiwan enterprises face three primary challenges: Regulatory Ambiguity, Vendor-Lock-in Risks, and Talent Scarcity. Regarding the first challenge, the Taiwan Trade Secret Act's requirement for 'reasonable efforts to maintain secrecy' is often subjective; companies must document every access control measure to meet the legal threshold. For the second challenge, many Taiwan companies rely on US or Chinese cloud providers for information-product development, creating jurisdictional risks under the Taiwan Cybersecurity Management Act. The solution is to implement a multi-cloud strategy with data-residency-aware controls. Third, the shortage of professionals capable of integrating ISO 27701 with local regulations like the Taiwan Personal Data Protection Act (PDPA) can be addressed by partnering with specialized consultants. A 90-day implementation roadmap typically includes: Month 1: Baseline Assessment; Month 2: Control Implementation; Month 3: Audit & Optimization.

Why choose Winners Consulting for Information goods?

Winners Consulting Services Co., Ltd. specializes in Information goods for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact