Expert Advice Community


Assets Inventory and Risk Assessment

Guest user. Created: Sep 11, 2020. Last commented: Sep 11, 2020


We are now making Assets Inventory and Risk Assessment.

We’ve listed now about 100 Assets, 33 of them are cloud services.

I have a couple of questions:

1. Some of the cloud services we are using are already ISO 27001 certified (like AWS, e.g., or some service hosted in AWS). Does that have any meaning for us?

2. Do we still have to consider Risks for those cloud services as well?

3. Could we group the Assets so that they become more manageable? E.g. one group: Cloud services, and perform the Risk Assessment for this group, or divide it to SaaS and IaaS groups.

4. Who should be the Asset Owner of Operating System – the user? And the Risk Owner is the System Administrator?


Expert
Rhand Leal Sep 11, 2020

1. Some of the cloud services we are using are already ISO 27001 certified (like AWS, e.g., or some service hosted in AWS). Does that have any meaning for us?

ISO 27001 certified suppliers will make the management of your risks related to them easier because your organization and these suppliers will have a common base to manage information security risks (e.g., they will have an SoA that can make it easier for you to evaluate how they treat risks relevant to your organization).

For further information, see:

2. Do we still have to consider Risks for those cloud services as well?

If these cloud services store or process information that is part of your ISMS scope, then the risks related to them need to be considered (e.g., a disaster or a cyberattack can hit their sites, which can compromise your information that is with them). In this situation, any related treatment will be a part of contracts or terms of service you have with these suppliers.

These articles will provide you with further explanation about ISMS scope considering cloud services and management of suppliers:

3. Could we group the Assets so that they become more manageable? E.g. one group: Cloud services, and perform the Risk Assessment for this group, or divide it to SaaS and IaaS groups.

The short answer is yes.

ISO 27001 does not prescribe how to build the asset register, so you can define it as best fits your organization.

In your case, you can group assets or use them individually, whichever way you understand will better fulfill your needs. For example, if you have several laptops with the same level of risks, you do not need to list them individually; you can have a single asset called "laptop". In case you have laptops with a different risk level, such as laptops from a development and maintenance department, you can create an asset called "development laptops".

In short, you should consider splitting assets in detail when they require different levels of protection.

This article will provide you with further explanation about the asset register:

4. Who should be the Asset Owner of Operating System – the user? And the Risk Owner is the System Administrator?

First, it is important to note that ISO 27001 does not prescribe who the asset owner must be, so organizations are free to define the asset owners as best fits them.

Considering that, as a good practice, you should consider as the asset owner the first management level with responsibility for protecting and managing the asset, because this will make the decisions about the asset faster and more effective.

For example, if the asset is a server, the owner should be the server's administrator. In the case of laptops, you should consider the asset owner the laptop user.
