27001 question
1 - My question is, how granular should we get?
ISO 27001 does not prescribe any level of detail for the inventory of assets, so you can adopt the levels you understand that will better fulfill your needs.
This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record the organization's laptops as individual assets (you can add a single asset called "laptop"), but if they have specific purposes with different risk levels you can use specific assets like "laptop", "development laptop", and "finance laptop". The same concept applies to developed systems and other assets.
For further information, see this article:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
2 - Would an auditor need to assess individual product risks because one product uses more 3rd party service than another?
Please note that the auditor does not assess risks; he only checks if risks are being assessed properly.
Considering that, in case the auditor identifies this situation where one product uses more 3rd party service than another, he may want to check if the risks related to this product are assessed properly.
Feb 21, 2022