a.- Do we have to list assets that contain information only?
b.- I understand ISMS is about Information Security, but in our asset list we have listed equipment such as UPS, generator, cooling system, etc. Is that OK?
c.- And since we have listed these items in our asset register, they are also included in our risk register.
d.- Our risk methodology is asset based (from the 2005 version). Now in 2013, we know that there is flexibility, but we are still keeping it asset based. However, can we include other risks that are not derived from assets' threats/vulnerabilities?
Answer:
a.- No, if you have chosen to follow the asset-based risk assessment then you have to list both the assets that contain the information (e.g. CDs, computers, etc.) and the assets that do not contain the information but can influence the security of information (e.g. air conditioning in the server room).
b.- Yes, you can identify these assets, because they are related to the maintenance of the information systems (UPS, generator, etc.), which are related to information security.
c.- OK, right: whichever list is created first will serve for developing the other list.
d.- In principle, if the risk is related to information security, yes, you can include it in your risk assessment. Also, you can keep your risk methodology asset based. Anyway, I recommend this article, What has changed in risk assessment in ISO 27001:2013: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
Finally, if you need more information about how to identify assets, I recommend this article, How to handle Asset register (Asset inventory) according to ISO 27001: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Jan 12, 2016