We've received the following question:
"I also would like to ask you about the asset owner and risk owner concepts in 27001:2013. Do you know any cases where the asset owner and risk owner are not the same person? Would you elaborate a bit on this? And can I assign this ownership at a top level? For example, to deputy CEOs only? What is the risk?"
Answer:
According to the 2013 version, you need to identify risk owners for each of your risks, but you still need to identify ownership for your assets, as required in A.8.1.2.
Asset ownership is closer to operational control, and risk ownership relates more to business risk.
Answering your question: yes, you can have different owners for assets and risks. With the new Risk Owner concept the responsibility is pushed to a higher level, which means that the Deputy CEO is a good candidate. But you should explain the concept and get approval from top management on the best owner for each risk.
Please have a look at the following:
https://blog.iso27001standard.com/2013/10/14/how-to-make-a**********************************************************
Hope it helps
Thanks
Jan 12, 2016