
Expert Advice Community


Asset management

Guest user. Created: Jan 12, 2016. Last commented: Jan 12, 2016.


 Concerning my query on Asset Management
AntonioS Jan 12, 2016

a.- Do we have to list assets that contain information only?

b.- I understand ISMS is about Information Security, but in our asset list we have listed equipment such as UPS, Generator, Cooling system etc. Is that OK?

c.- And since we have listed these items in our asset register, they are also included in our risk register.

d.- Our risk methodology is asset based (from version 2005). Now in 2013, we know that there's a flexibility, but we are still keeping it asset based. However, can we include other risks that are not derived from Assets – threats/vulnerabilities?

 

Answer:

a.- No, if you have chosen to follow the asset-based risk assessment, then you have to list both the assets that contain the information (e.g. CDs, computers, etc.) and the assets that do not contain the information but can influence the security of information (e.g. air conditioning in the server room).

b.- Yes, you can identify these assets, because they are related to the maintenance of the information systems (UPS, generator, etc.), which are related to the information security.

c.- OK, right; whichever list is created first, it will serve for developing the other list.

d.- In principle, if the risk is related to the information security, yes, you can include it in your risk assessment. Also, you can keep your risk methodology asset-based. Anyway, I recommend this article, “What has changed in risk assessment in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/

Finally, if you need more information about how to identify assets, I recommend this article, “How to handle Asset register (Asset inventory) according to ISO 27001”: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
