Information asset in ISO 27001:2013
Yes, with ISO 27001:2013 you can continue doing the risk assessment based on hardware, software, documents, infrastructure and people.
If you choose to continue using the asset-based risk assessment, then you cannot exclude hardware, infrastructure and people from the risk assessment because those are very important assets.
My recommendation: maintain these types of assets, but please keep in mind that the important thing here is the identification of threats/vulnerabilities that can affect the organization (and the risk), and you can define the types that you need in your business. In ISO 27005 you can see an example of types of assets.
This article will also help you: What has changed in risk assessment in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
Jan 12, 2016