In your doc framework, there are two places where asset inventory is being used:
- In the Risk analysis – the main attributes of the pure asset here are name (and category) and the owner
- In A.8.1 – the attributes here are again name/category and owner, plus the result of the (last?) risk analysis?
I am wondering where the classification information for the assets is taken into account. In some other examples for the inventory I found on the web, the CIA classification values are also stored, as well as numerous additional pieces of information like
- process and org unit the asset belongs to
- process owner
- some flags for personal or customer sensitive data
- CIA values
- asset custodian (seems to be similar to the owner)
- data retention period
- users, location, etc, etc
and in some examples, the records differ depending on the type of asset.
Since we are SW developers in our DNA ;-) we are planning to build a little DB tool for the inventory and RA.
The inventory structure you suggest with your framework, is it meant as the absolute minimum you require to survive an audit?
So having more attributes will eventually make the assessment survey take longer, but should not be a problem, right?
Would appreciate some answers very much!