Expert Advice Community

Appendix_1_Risk_Assessment_Table - vs. - A.8.1_Inventory_of_Assets

KevinC Created:   Mar 17, 2020 Last commented:   Mar 19, 2020


I have a question regarding asset list/inventory. We are creating the list of assets for the Risk Assessment and Risk Treatment process. Once that list is complete and we come up with threats and vulnerabilities for each, is there any need for a separate list of assets as in A.8.1 Inventory of Assets?

I know that you have stated that "assets are not only the information in electronic and paper form, but also software, hardware, services, people, facilities, and everything else that provides value to an organization.", so I have a question on that as well:

Our company is using a consulting group that has an online tool for managing all records and policies, but it seems to define assets strictly as devices. Also, risks are listed separately and are linked only to "category type", not to a specific detail asset.

 


Expert
Rhand Leal Mar 19, 2020

 I have a question regarding asset list/inventory. We are creating the list of assets for the Risk Assessment and Risk Treatment process. Once that list is complete and we come up with threats and vulnerabilities for each, is there any need for a separate list of assets as in A.8.1 Inventory of Assets?

ISO 27001 does not prescribe how to build an Inventory of Assets, and normally a single inventory is sufficient when control A.8.1 is considered applicable, so if you do not have any other requirement (e.g., a law, regulation, or contract) demanding a separate inventory, you can keep a single inventory.

For further information, see:

I know that you have stated that "assets are not only the information in electronic and paper form, but also software, hardware, services, people, facilities, and everything else that provides value to an organization.", so I have a question on that as well:

Our company is using a consulting group that has an online tool for managing all records and policies, but it seems to define assets strictly as devices. Also, risks are listed separately and are linked only to "category type", not to a specific detail asset.

Unfortunately, I am not sure I understood your question entirely. Could you please clarify?
