
Expert Advice Community

27001 question

Guest user Created:   Feb 21, 2022 Last commented:   Feb 21, 2022

I work for a 27-employee software company with remote workers. I’m having a few difficulties defining the asset register and would appreciate your view. We are using the asset type of “Internally developed software” to encompass all software products we build for sale. However, we have several software products. Some are sold to customers for on-premise installation and use, whilst others are SaaS products residing in the Azure cloud (within our control). Additionally, we could partition our software into further categories or even individual products where they have different risks/vulnerabilities. 1 - My question is, how granular should we get? 2 - Would an auditor need to assess individual product risks because one product uses more third-party services than another?

Expert
Rhand Leal Feb 21, 2022

1 - My question is, how granular should we get? 

ISO 27001 does not prescribe any level of detail for the inventory of assets, so you can adopt the levels you understand that will better fulfill your needs.

This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record the organization's laptops as individual assets (you can add a single asset called "laptop"), but if they have specific purposes with different risk levels you can use specific assets like "laptop", "development laptop", and "finance laptop". The same concept applies to developed systems and other assets.

For further information, see this article:

These materials will also help you regarding:

2 - Would an auditor need to assess individual product risks because one product uses more third-party services than another?

Please note that the auditor does not assess risks, he only checks if risks are being assessed properly.

Considering that, in case the auditor identifies a situation where one product uses more third-party services than another, he may want to check if the risks related to this product are assessed properly.
