Asset Inventory
In your doc framework, there are two places where the asset inventory is used:
- In the Risk analysis – the main attributes of the pure asset here are name (and category) and the owner
- In A.8.1 – the attributes here are again name/category and owner, plus the result of the (last?) risk analysis?
I am wondering where the classification info for the assets is taken into account. In some other examples of the inventory I found on the web, the CIA classification values are also stored, as well as numerous additional pieces of info like
- process and org unit the asset belongs to
- process owner
- some flags for personal or customer sensitive data
- CIA values
- asset custodian (seems to be similar to the owner)
- data retention period
- users, location, etc, etc
and in some examples, the records differ depending on the type of asset.
Since we are SW developers in our DNA ;-) we are planning to build a little DB tool for the inventory and RA.
The inventory structure you suggest in your framework, is it meant as the absolute minimum you require to survive an audit?
So having more attributes will eventually make the assessment survey take longer, but should not be a problem, right?
Would appreciate some answers very much!
ISO 27001 does not define the structure of the Asset inventory – controls A.8.1.1 and A.8.1.2 require you to list only the name of the asset and the asset owner.
So if you have an Asset inventory with those two columns, it will be enough for the certification. Each company needs to assess whether some additional information is needed or not – in any case, you should not add information that is not necessary, because it will create overkill for you.
This article will also help you: 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
Jan 27, 2020