Expert Advice Community

Asset and Risk Owners - can it be a role and also a name of an employee

Guest user Created:   Sep 20, 2023 Last commented:   Sep 20, 2023

In the asset and risk registers, can the asset owner and risk owner be both a role (like IT Manager) and also the name of a specific employee? Or does it have to be one of those and cannot be the other?

Expert
Rhand Leal Sep 20, 2023

ISO 27001 does not prescribe how to define the asset/risk owner, so both role and name (used together or separately) are acceptable alternatives, compliant with the standard, for defining the asset/risk owner.

We recommend always using only the role of asset/risk owner because changing a role as owner is less frequent than changing an employee, and this way, you will have less administrative effort. 

For more information, check out how to handle an asset register/asset inventory.

Read this article to find out the difference between risk owners and asset owners.
