
Expert Advice Community


Asset owner and custodians

Guest user Created:   Jan 13, 2016 Last commented:   Jan 13, 2016


AntonioS Jan 13, 2016

In your risk assessment templates, you have used the term “Asset Owner”.  It occurred to me that this might not be the same person as the person to which the asset is assigned.  
For example, a Chief of Operations role might be specified as the “Asset Owner” of all laptops but individual staff members may be indicated as “Custodian” for each laptop.
Is there a definition of “Asset Owner” in the context of ISO27001?
Is the term “Custodian” ever used in this context for ISO27001 or does the term always need to be “Asset Owner”?

Answer:

There is no specific definition of “asset owner” in ISO 27001:2013, although in ISO 27002:2013 (control 8.1.2 Ownership of assets) you can read that the asset owner can be either an individual or an entity who should be responsible for the proper management of an asset over the whole asset lifecycle, so if the asset is assigned to a person and this person is responsible for the management of the asset, this person should be the asset owner.
The same section of ISO 27002:2013 also states that the routine tasks may be delegated to a custodian looking after the assets on a daily basis, but the responsibility remains with the owner, so “custodian” is used, but not in ISO 27001:2013; it is used in ISO 27002:2013.
So the Chief of Operations could be the asset owner if he is responsible for the management of the asset, and generally individual staff members can be custodians.
It is also important to know the term “risk owner” (a new term introduced in ISO 27001:2013), which in accordance with ISO 27000:2014 is a “person or entity with the accountability and authority to manage a risk”. If you want more information about asset owners and risk owners, please read this article, “Risk owners vs. Asset owners in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
