Asset Identification for Contact Centers
The key question here is who is in charge of this Client's database - are you controlling the database (i.e. setting the rules, administering it, etc.), or is the client controlling it and you simply have access to it?
If you are controlling the database, then it should be included in your ISMS scope, and you should perform the risk assessment (and treatment).
See also this article: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
No, we only have access to the application of our Client's Database. Considering this, should we apply any further controls on our side for this access?
In such a case, you do not treat the customer database as your asset and you do not perform the risk assessment - it is their asset. Since the database is out of your ISMS scope, this means you will apply only the controls which your customer asks you to apply.
Now, for our risk assessment, should we consider the existing controls we have already implemented, or should we start from scratch, considering no controls exist?
Jan 12, 2016