
Asset Inventory

Guest user Created:   Jan 27, 2020 Last commented:   Jan 27, 2020


In your doc framework, there are two places where asset inventory is being used:

  1. In the Risk analysis – the main attributes of the pure asset here are name (and category) and the owner
  2. In A.8.1 – the attributes here are again name/category and owner, plus the result of the (last?) risk analysis?

I am wondering where the classification info for the assets is taken into account? In some other examples for the inventory I found on the web, the CIA classification values are also stored, as well as numerous additional information like

  • process and org unit the asset belongs to
  • process owner
  • some flags for personal or customer sensitive data
  • CIA values
  • asset custodian (seems to be similar to the owner)
  • data retention period
  • users, location, etc.

and in some examples, the records are different depending on the type of asset.

Since we are SW developers in our DNA ;-) we are planning to build a little DB tool for the inventory and RA.

The inventory structure you suggest with your framework, is it meant as the absolute minimum you require to survive an audit?

So having more attributes will eventually make the assessment survey take longer, but should not be a problem, right?

Would appreciate some answers very much!


Expert
Dejan Kosutic Jan 27, 2020

ISO 27001 does not define the structure of the Asset inventory - controls A.8.1.1 and A.8.1.2 require you to list only the name of the asset and the asset owner.

So if you have an Asset inventory with those two columns it will be enough for the certification. Each company needs to assess whether some additional information is needed or not - in any case, you should not add information that is not necessary because it will create an overkill for you. 

This article will also help you: 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/ 
