Asset register
If we would come to the asset „server“ on the asset inventory list - we've got over 6.000 of them. How should we list them?
Answer:
ISO 27001 does not prescribe any level of granularity, so you can adopt the levels that you understand will better fulfill your needs. Considering your examples, you should consider splitting assets in detail when they require different levels of protection and a different number of applicable controls.
For example, managers will have a higher level of access to information than general employees, so you should consider them as a separate category of asset, to avoid implementing controls related only to them to all employees.
For the case of workstations, you can use categories related to their purpose. For example, general workstation and development workstation, including the quantity of each type as detailed information.
It is important to note that you can refer to other system(s) which contain more detailed information about each asset, so you do not need to replicate information unnecessarily.
This article will provide you with further explanation about the asset register:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Jul 13, 2019