Expert Advice Community

Guest

Asset Owner

  Quote
Guest
Guest user Created:   Jan 18, 2023 Last commented:   Jan 18, 2023

Asset Owner

Within the file 06.1_Appendix_1_Risk_Assessment_Table_27001_EN.xlsx, example given for laptops' Asset owner is "User".

Considering ISO 27002 recommendations, the laptop "User" seems not fitting the role of Asset Owner in accordance to ISO 27002:2022. May I know how to counter the auditor's response if he or she raise the concern?

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jan 18, 2023

First is important to note that ISO 27002 is not mandatory to implement ISO 27001, it only provides guidance to support the implementation of controls from ISO 27001 Annex A.

Considering that, the main role of an asset owner is to ensure his asset is properly protected, and in some cases, he will not perform security activities by himself but needs to ensure these activities are performed.

In the case of the laptop, by "User" we mean the "Person who is using the laptop", and if an auditor questions your choice of this role as the asset owner, you need to show evidence to the auditor about who performs the security activities he asks for and how the laptop user ensures it is performed.

For example, to ensure information availability, the person using the laptop may require backup copies to be created, and needs to ensure backups are being performed and to do that this person may require testing the backup media by asking for the restoration of specific files.

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 18, 2023

Jan 18, 2023

Suggested Topics