Asset and Risk Owners - can it be a role and also a name of an employee
In the asset and risk registers, can the asset owner and risk owner be both a role (like IT Manager) and also the name of a specific employee? Or does it have to be one of those and cannot be the other?
ISO 27001 does not prescribe how to define the asset/risk owner, so both a role and a name (used together or separately) are acceptable alternatives, compliant with the standard, for defining the asset/risk owner.
We recommend always using only the role of asset/risk owner because changing a role as owner is less frequent than changing an employee, and this way, you will have less administrative effort.
For more information, check out how to handle an asset register/asset inventory.
Read this article to find out the difference between risk owners and asset owners.
Sep 20, 2023