SPRING DISCOUNT
Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Use promo code:
SPRING30

Expert Advice Community

Home / ISO 27001 & 22301 / Assets grouping and mapping of controls

Guest

Assets grouping and mapping of controls

ISO 27001 & 22301
  Quote
Guest
Guest user Created:   Nov 11, 2016 Last commented:   Nov 11, 2016

Assets grouping and mapping of controls

ISO 27001 & 22301
1 - In a group of offices which have the same set of asset classes (e.g., information and equipment), and use the same information systems, could we roll these up into 1 asset line for the purposes of the threat/vuln assessment and then assess the common risks and common threats as they will be the same?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.
Expert
Rhand Leal Nov 11, 2016

Answer: ISO 27001:2013 let you free to use any methods you consider proper to assess information security risks as long as they meet clause 6.1.2 (information security risk assessment). So, you can assess a set of assets as a single one to identify and evaluate common risks as long as they are under a similar environment (in the case of your set of assets, the similar environment are the offices). Another example of this approach you can think about is assessing risks for servers and network equipment on multiple data centers. The only point you have to pay attention is when recording this set of assets in you inventory. You will have to make sure that from the "set of assets" registry you can identify all the assets that form that set, s o in an event the set changes you can identify the need for a risk assessment review.

2 - Secondly given these common risks, vulns and likely existing controls is it the expectation that we map all ISO controls into the risk assessment process or that some will not be mapped but still implemented?

Answer: During your risk assessment you might not identify some controls as necessary, but they were implemented even though there are no related risks, because other reasons like: requirements of interested parties; they are related to other management systems (e.g., ISO 14001); or simply because they are considered of good practice. In these situations, those controls are not going to be displayed in Risk treatment process, but they will be displayed in the SoA, refering to those reasons.

This article will provide you further explanation about documentation development: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

This article will provide you further explanation about risk assessment: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding assets management:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course
https://advisera.com/training/iso-27001-foundations-course/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Nov 11, 2016

Nov 11, 2016

Suggested Topics
Guest user Created:   Oct 31, 2023 ISO 27001 & 22301
Replies: 1
0 0

Question on risk register and selection of the assets
Guest user Created:   Aug 29, 2023 ISO 27001 & 22301
Replies: 1
0 0

Controls in the SoA that so not show up in the Risk Assessment
Guest user Created:   Aug 10, 2023 ISO 27001 & 22301
Replies: 1
0 0

What asset to list when Risks relate to general or high-level assets?