Asset inventory question
Answer: For risk assessment it is enough to have a generic asset class "employee laptops", and list threats and vulnerabilities for this single asset. If you already have a comprehensive list of laptops, this is something you can do, but this is not mandatory according to ISO 27001.
Now regarding processes, do I have to include a process like "transferring data from Server A to Server B" - Such a process is very important for the organisation.
Answer: If you use asset-based risk assessment, then listing processes is not needed - basically all this data that you are transferring is already covered in the risk assessment as assets, so you don't need to duplicate them. The focus of information security is protecting the information, not protecting the processes.
These materials will also help you with risk assessment:
- article ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
Nov 10, 2016