In your risk assessment templates, you have used the term Asset Owner. It occurred to me that this might not be the same person as the person to whom the asset is assigned.
For example, a Chief of Operations role might be specified as the Asset Owner of all laptops but individual staff members may be indicated as Custodian for each laptop.
Is there a definition of Asset Owner in the context of ISO27001?
Is the term Custodian ever used in this context for ISO27001 or does the term always need to be Asset Owner?
Answer:
There is no specific definition of the asset owner in ISO 27001:2013, although in ISO 27002:2013 (control 8.1.2 Ownership of assets) you can read that the asset owner can be either an individual or an entity who should be responsible for the proper management of an asset over the whole asset lifecycle. So if the asset is assigned to a person and this person is responsible for the management of the asset, this person should be the asset owner.
The same point of ISO 27002:2013 also states that the routine tasks may be delegated to a custodian looking after the assets on a daily basis, but the responsibility remains with the owner. So the term custodian is used, but not in ISO 27001:2013; it is used in ISO 27002:2013.
So the Chief of Operations could be the asset owner if he is responsible for the management of the asset, and generally individual staff members can be custodians.
It is also important to know the term risk owner (a new term introduced in the new ISO 27001:2013), which in accordance with ISO 27000:2014 is "a person or entity with the accountability and authority to manage a risk". If you want to learn more about asset owners and risk owners, please read this article, Risk owners vs. Asset owners in ISO 27001:2013: https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Jan 13, 2016