I thought the starting point of implementing ISO 27001 is to make a risk assessment table. Even though I received the template, it is not easy to fill out. First, when I want to list all information assets, I don't know how to categorize assets. At the macro level it will be People, IT, Physical, Administrative. In the template it is People, Applications and databases, Documentation (in paper or electronic form), etc. But take paper documents, for example: there are too many documents, so do I have to list all documents one by one? It is very difficult for me to categorize those. Moreover, in the IT area, how can I divide each piece of software, hardware, application programs, etc.?
ISO 27001 does not prescribe how to categorize assets, so you can adopt the categories you believe will better fulfill your needs. You can use the asset catalogue sheet included in your Risk Assessment Table template as a starting point (this catalogue will help you categorize individual assets).
Some general rules you can consider are:
- split assets into different categories when they require different levels of protection and a different number of applicable controls
- use a single category to refer to assets that can have the same level of protection and the same applied controls
For example, regarding documents, you do not need to list them one by one. You can have a single asset called "paper documents", or, if necessary, you can create specific assets like "contracts in paper form" or "blueprints in paper form" when you need to apply different controls to them.
The same idea applies to other assets. For example, for workstations, you can use categories related to their purpose, such as general workstations and development workstations, including detailed information on the quantity of each type.