Expert Advice Community

Asset register

Guest user Created:   Feb 22, 2018 Last commented:   Feb 22, 2018

I am currently developing the information asset register under ISO 27001:2013. The question of asset definition can be challenging. We have an internally developed application (let’s call it “XXXXX”) that spans multiple databases for different customers. The development is done in XXX on XXX.

Expert
Rhand Leal Feb 22, 2018

The application has many components which I assume we would classify as underlying assets. In your Excel worksheet, you have Category of asset, Tool for delivery of service, Underlying assets, Category of underlying asset, Asset name, Asset owner, Risk owner etc.

If I were to classify the application in the worksheet, would I do the following:

- Category of asset: Applications and databases
- Tool for delivery of service: XXXX
- Included features within tool: Here I would list the various modules of the application, e.g. Online access, User Interface, Reports etc.
- Infrastructure / Server(s) name: Here I would list the names of servers that are used to host the application
- Underlying assets: If the application consists of server databases sitting on XX X servers, plus XXX servers, would these be classed as underlying assets?
- Category of underlying asset: For category of underlying asset, I assume that I would class the XXX Servers as Operating Systems and the XXXX Servers as Database Applications. In the same way, I would classify XXXX as an Operating System and XXXX as a development tool.
- Asset Owner and Risk Owner: I assume that I allocate risk owners here based on the technology involved. The Asset Owner in all cases may be the Operations Manager, but the risk owners may be the Server Team and the DBA respectively.

So, in summary, if I classify “XXXX” as the tool for delivery of the service and allocate the many underlying components as underlying assets, is this the best approach?

Answer: An approach with this level of detail is not common for small companies in general, but it is not wrong (big companies may see it as adequate). The main question you should consider here is if this level of detail is really necessary for you to manage the risks efficiently.

This article will provide you with further explanation about the asset register:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
