Question about how to identify ISO 27001 ISMS Assets
Assign topic to the user
Your understanding that an asset needs to have a security element for it to be considered in the ISMS scope is correct.
To ISO 27001 an asset is anything of value to the organization in terms of confidentiality, integrity, and availability of information.
Considering that, if the asset is related to information that your ISMS needs to protect, then it needs to be considered. In your examples, users' passwords need to be protected, making the work instruction procedure to change users' password part of the scope, while marketing brochure, that does not need to be protected, would not be considered.
In the Risk Assessment Sheet included in the toolkit there is a list of assets you can use.
Comment as guest or Sign in
Mar 11, 2022