Asset identification in risk assessment
Answer:
This is a question of your ISMS scope - obviously the hardware on which the software and applications are running will be outside of your ISMS scope, since it is operated by company Y, which is not included in your ISMS scope.
However, if you control the data and the applications, then they should be included in your scope even though they are hosted on hardware that is outside of the scope.
So when you perform the risk assessment, you should do the following:
1) For your data and for applications - you treat them as assets, and look for threats and vulnerabilities, and then assess impact and likelihood. This article will help you: How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
2) For the hardware outside of your scope, you do not treat it as an asset, but as a service provided by a third party - you need to assess the threats and vulnerabilities related to this service. This article will also help you: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Mar 09, 2016