SPRING DISCOUNT
Get 30% off on toolkits, course exams, and books.
Limited-time offer – ends May 26, 2022
Use promo code:
SPRING30

Expert Advice Community

Guest

Assets grouping and mapping of controls

  Quote
Guest
Guest user Created:   Nov 11, 2016 Last commented:   Nov 11, 2016

Assets grouping and mapping of controls

1 - In a group of offices which have the same set of asset classes (e.g., information and equipment), and use the same information systems, could we roll these up into 1 asset line for the purposes of the threat/vuln assessment and then assess the common risks and common threats as they will be the same?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Nov 11, 2016

Answer: ISO 27001:2013 let you free to use any methods you consider proper to assess information security risks as long as they meet clause 6.1.2 (information security risk assessment). So, you can assess a set of assets as a single one to identify and evaluate common risks as long as they are under a similar environment (in the case of your set of assets, the similar environment are the offices). Another example of this approach you can think about is assessing risks for servers and network equipment on multiple data centers. The only point you have to pay attention is when recording this set of assets in you inventory. You will have to make sure that from the "set of assets" registry you can identify all the assets that form that set, s o in an event the set changes you can identify the need for a risk assessment review.

2 - Secondly given these common risks, vulns and likely existing controls is it the expectation that we map all ISO controls into the risk assessment process or that some will not be mapped but still implemented?

Answer: During your risk assessment you might not identify some controls as necessary, but they were implemented even though there are no related risks, because other reasons like: requirements of interested parties; they are related to other management systems (e.g., ISO 14001); or simply because they are considered of good practice. In these situations, those controls are not going to be displayed in Risk treatment process, but they will be displayed in the SoA, refering to those reasons.

This article will provide you further explanation about documentation development: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

This article will provide you further explanation about risk assessment: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding assets management:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course
https://training.advisera.com/course/iso-27001-foundations-course/
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Nov 11, 2016

Nov 11, 2016