
Assets for risk assessment

Guest user Created:   Aug 13, 2019 Last commented:   Aug 13, 2019

Could you give me a sample of an assessment table for a middle-range organization?

Expert
Rhand Leal Aug 13, 2019

I thought the start of implementing ISO 27001 is to make a risk assessment table. Even though I received the template, it is not easy to fill out. First, when I want to list all information assets, I don't know how to categorize assets. The macro level will be People, IT, Physical/administrative. In the template it is People, Applications and databases, Documentation (in paper or electronic form), etc., but take paper documents, for example: there are too many documents, so do I have to list all documents one by one? It is very difficult for me to categorize those. Moreover, in the IT area, how can I divide each piece of software, hardware, application programs, etc.?

Answer:

ISO 27001 does not prescribe how to categorize assets, so you can adopt the categories you believe will better fulfill your needs. You can use the asset catalogue sheet included in your Risk Assessment Table template as a starting point (this catalogue will help you categorize individual assets).

Some general rules you can consider are:
- split assets in different categories when they require different levels of protection and different number of applicable controls
- use a category to refer to assets that can have the same level of protection and applied controls

For example, regarding documents, you do not need to list them one by one. You can have a single asset called "paper documents", or if it is necessary you can create specific assets like "contracts in paper form", or "blueprints in paper form", if you need to apply different controls on them.

The same idea applies to other assets. For workstations, for example, you can use categories related to their purpose, such as general workstation and development workstation, including detailed information on the quantity of each type.

This article will provide you with further explanation about the asset register:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
