Asset Type in the Information Asset Inventory
In your book you state ".. processes are not part of the asset inventory ..".
And I cannot find processes in the predefined categories of the table in 05.1 of your doc framework.
What is the reason for this? Are processes handled somehow separately? Or is it because we just should take into account the assets the processes consist of?
Assign topic to the user
The reason for not including the processes in the risk assessment methodology and templates is that we have based our risk assessment on the so-called "asset-based approach". This approach is the mainstream in the information security world because it provides the best balance between the precision of results and the amount of effort.
It is not recommended to mix assets with processes because this will only confuse things - the most optimal way is to go with asset-based approach.
Therefore, you should only use the assets that your processes consist of.
Comment as guest or Sign in
Jan 24, 2020