Assets grouping and mapping of controls
Answer: ISO 27001:2013 leaves you free to use any method you consider proper to assess information security risks, as long as it meets clause 6.1.2 (information security risk assessment). So, you can assess a set of assets as a single one to identify and evaluate common risks, as long as they are under a similar environment (in the case of your set of assets, the similar environment is the offices). Another example of this approach you can think about is assessing risks for servers and network equipment in multiple data centers. The only point you have to pay attention to is when recording this set of assets in your inventory. You will have to make sure that from the "set of assets" registry you can identify all the assets that form that set, so in the event the set changes you can identify the need for a risk assessment review.
2 - Secondly, given these common risks, vulns and likely existing controls, is it the expectation that we map all ISO controls into the risk assessment process, or that some will not be mapped but still implemented?
Answer: During your risk assessment you might not identify some controls as necessary, but they are implemented even though there are no related risks, because of other reasons like: requirements of interested parties; they are related to other management systems (e.g., ISO 14001); or simply because they are considered good practice. In these situations, those controls are not going to be displayed in the risk treatment process, but they will be displayed in the SoA, referring to those reasons.
This article will provide you with further explanation about documentation development: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
This article will provide you with further explanation about risk assessment: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you regarding assets management:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Nov 11, 2016