Within the file 06.1_Appendix_1_Risk_Assessment_Table_27001_EN.xlsx, the example given for the laptops' Asset Owner is "User".
Considering the ISO 27002 recommendations, the laptop "User" does not seem to fit the role of Asset Owner according to ISO 27002:2022. May I know how to counter the auditor's response if he or she raises this concern?
First, it is important to note that ISO 27002 is not mandatory for implementing ISO 27001; it only provides guidance to support the implementation of the controls from ISO 27001 Annex A.
Considering that, the main role of an asset owner is to ensure that his asset is properly protected, and in some cases he will not perform the security activities himself but needs to ensure that these activities are performed.
In the case of the laptop, by "User" we mean the person who is using the laptop, and if an auditor questions your choice of this role as the asset owner, you need to show the auditor evidence of who performs the security activities he asks about and how the laptop user ensures they are performed.
For example, to ensure information availability, the person using the laptop may require backup copies to be created and needs to ensure that backups are being performed; to do that, this person may test the backup media by asking for the restoration of specific files.
For further information, see:
- Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Jan 18, 2023