Expert Advice Community

Problems with inventory of assets

Guest user Created:   Sep 10, 2018 Last commented:   Sep 10, 2018

During an ISO27001 standard audit, some shortcomings were observed on 8.1.1 on the inventory of assets schedule, and the auditor realised that the root cause is that the auditee was drawing up and maintaining the standard from their head and not from any approved process. What clause/section of the standard requires that a procedure be developed for an effective maintenance of the standard's control processes?

Expert
Dejan Kosutic Sep 10, 2018

Answer:

There are a couple of things that need to be cleared up here:
1) ISO 27001 does not require you to write a documented procedure related to control A.8.1.1.
2) ISO 27001 clauses 7.5.1 and 8.1 allow you to choose which documents (i.e. policies, procedures and others) are important enough to write down.
3) Defining a process does not mean that you have to write a document. It simply means that you have to define who is responsible for what, when and how - this can be done verbally or in writing.
4) Since you did not manage your inventory of assets properly, you have two options: (a) to set up a process without writing a document, or (b) to set up a process by writing a procedure.

This article will also help you: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

These materials will also help you regarding asset inventory:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Guest
chezz Sep 10, 2018

Please, what is the substance or modalities in developing a process without documenting and approving such a process? If I am assigned a responsibility to carry out a task, I thought I am supposed to document the procedure involved so that if I resign tomorrow someone else guided by the documented procedure can seamlessly continue the work.

Expert
Dejan Kosutic Sep 11, 2018

If you were to document each and every process, this would mean you would have hundreds of documents - so no, it is not mandatory to document every process.

Developing a process means you have to define exactly what are the inputs, what are the steps in performing certain activities, who is responsible, what is the timing, what are the outputs, etc.

If you do not want to document that process, this means you have to agree with all people involved exactly how this is done, in detail.

If you want to document that process, you simply have to write down everything you have defined.

This article can also help you: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
