Asset inventory
A question arose about the item “asset inventory”: in control A.8.1.1, should the table contain all assets individually or by group as in the risk analysis table?
Example: In the risk analysis, we identified a group of professionals as “specialist employees” and did the risk analysis on this asset. In the asset inventory table, do we then need to define each of these people? Another example: we also defined “employees' computers” as an asset in the risk analysis worksheet. In the inventory table, do we need to specify them one by one?
Control A.8.1.1 does not prescribe how to define assets, so assets that share the same threats and vulnerabilities can be defined as a single asset. As in your example “expert employees”, it is not necessary to define them individually. The same goes for the “employee computers” example.
For more information on asset inventory, see:
- Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Sep 16, 2022