Asset Identification
William,
ISO 27005 is not a mandatory standard; it is only a guideline that you may or may not choose to follow. The only relevant requirements for risk assessment are those written in ISO 27001.
ISO 27001 does not require classification into primary and secondary assets, and in our view such a classification may be misleading - this is why we did not recommend such an approach in our templates. For instance, I do not think that your core software is more important as an asset than your system administrator - they are both very valuable for the company, and they both carry very high risks.
To answer your question, I think that you should identify threats and vulnerabilities for all of your assets, no matter how you classify them. However, ISO 27001 does allow you the flexibility to define your own methodology, which means that in theory, you could use some simplified risk identification method for "secondary" assets.
Jan 12, 2016