Expert Advice Community

How to account for mobile devices that are not company owned

Guest user Created:   Jun 22, 2016 Last commented:   Jun 22, 2016

I had a few questions about the asset register and risk assessment documents: How would you generally account for mobile devices that are not company owned but that contain (or could contain) company information assets? I consider the devices to be in scope because we will ultimately have a BYOD policy and some sort of mobile device management system to manage their use, but I’m not sure how I should account for them here. Would I classify them differently on the risk assessment vs. the asset register?
Expert
Dejan Kosutic Jun 22, 2016

Answer: BYOD physical devices are typically excluded from the ISMS scope because you cannot control them completely, but you should include in the ISMS scope the company data on those devices - in that case, you simply list those data in your asset list and in your risk assessment.

This article might help you: How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/

We have interfaces set up with our clients. Would we consider those interfaces to be a separate asset, or would we only account for the data when it is stored in a database?

Answer: I'm not sure what you mean by interfaces - if you refer to some devices or software, then you should include those assets in your asset list. In some cases you will view data separately from the devices - e.g. you will list a database separately from a physical server; in other cases you can view a server as both a physical server and the data on this server - you are free to do it any way you feel is more appropriate.
