Asset identification in risk assessment

Guest user Created:   Mar 09, 2016 Last commented:   Mar 09, 2016


I need to certify company X. This company does not have its own IT equipment; it is provided by the sister company Y. All business processes of X also run in the sister company. How do I identify values for a risk assessment?

Expert
Dejan Kosutic Mar 09, 2016

Answer:

This is a question of your ISMS scope - obviously the hardware on which the software and applications are running will be outside of your ISMS scope, since it is operated by company Y, which is not included in your ISMS scope.

However, if you control the data and the applications, then they should be included in your scope even though they are hosted on hardware that is outside of the scope.

So when you perform the risk assessment, you should do the following:
1) For your data and for applications - you treat them as assets, and look for threats and vulnerabilities, and then assess impact and likelihood. This article will help you: How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
2) For the hardware outside of your scope, you do not treat it as an asset, but as a service provided by a third party - you need to assess the threats and vulnerabilities related to this service. This article will also help you: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
